Apple starts blocking Russian servers that authenticate in-app content for free

Jul 16, 2012

Making good on its promise, Apple has started to block Russian servers which authenticate paid in-app content for free, The Next Web reports. The company is blocking IP addresses that host the rogue in-appstore.com domain by issuing takedown notices to hosting companies. PayPal has also intervened to block a private account through which donations had been collected, citing violation of its terms of service.

Despite this, hacker Alexey V. Borodin, the brains behind this controversial method, has already moved the servers to another country in an attempt to evade Apple’s legal requests…

Matt Brian has the story:

Blocking the original ‘attack’ route, Borodin sidestepped the authentication issue by migrating the service to a new server. Apple was able to pressure the host of the original server — which was located in Russia — into dropping Borodin’s service, but according to the Russian hacker, the new server is hosted in an offshore country in an attempt to evade Apple’s legal requests.

The author notes that Borodin also enhanced the protocol with its own authorization and transaction processes to bypass iTunes servers completely. The change, Borodin says, is in response to privacy worries and ensures no user data is stored on his server:

They [the users] need to sign out so they don’t scream to the Internet that I am stealing their credentials.

In a way, Borodin is basically asking users to trust him when he says he isn’t logging devices. An Apple spokesperson told The Loop last Friday that it was investigating the issue:

The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.

Borodin’s service allows any iOS device running iOS 3 and up to modify the in-app purchasing mechanism in three easy steps, without requiring a jailbreak. As a result, users can then purchase paid in-app content free of charge.

Apple also filed a copyright infringement request with YouTube, which took down the original how-to video, as seen below.

Borodin says his service had already processed more than 30,000 individual in-app payment requests, illegally of course. Though the hacker is adamant his hack is purely meant to force Apple into bolstering the APIs and security of the in-app purchasing mechanism, it’s evidently putting users at great risk, especially now that the proxy server handling the requests is located in an offshore country.

Conversely, as it promotes piracy and hurts developers’ income from in-app content sales, we strongly feel the service should be condemned because developers are absolutely entitled to fair compensation for their work.

Besides, stealing is just plain wrong and bad for your karma.

What do you think Apple should do here?

Prosecute the hacker, continue playing a cat and mouse game by taking down the servers or both?

  • http://www.facebook.com/nihasnebas Nihas Nebas

    so what about iap cracker?? doesn’t apple know bout that still ????:P

    • Mike Logan

      Shhh

    • http://twitter.com/sivkai Siv

      That’s in the jailbreak domain, which means it’s close to impossible to touch it. Same goes for Installous.

      This method does not require a jailbreak however so it’s an issue Apple can deal with.

      • mordechai eliyahu

        why is it close to impossible to touch it ? y can’t they take down their servers?

      • http://twitter.com/sivkai Siv

        The iAP Method does not rely on any server. It’s done locally courtesy of a jailbreak that is completely legal under US law.

    • http://www.facebook.com/profile.php?id=530352812 Jayar Gibson

      1) Stupid comments like “Shh”, are just stupid. Pay for your Apps…seriously, let’s not start with the whole ‘Most Devs are one-man shows who deserve to be paid for the shit they do’ so grow the fuck up.

      2) As Siv said, it’s in the jb community which means it’s HARDER to control, however there are newer methods being implemented to stop cracked Apps being used/played on devices; such methods include in-built coding to make the App crash on launch if it’s cracked or server-verified IAP purchases.

      • Mike Logan

        @Jayar Gibson, Please like you have never in your life downloaded a Song, software, or Movie illegally shut your bullshit up with the deserve to be paid crap

      • http://www.facebook.com/profile.php?id=530352812 Jayar Gibson

        Wow, the most intelligent response you can give involves the words “bullshit” and “crap” … I’m sure you must have a very well paid career which uses all of your intelligence because clearly you’ve forgotten to use it here………or perhaps you just don’t like people standing up to you.

        Hmm…yeah, that would be it. You don’t like people actually having an opinion that doesn’t suit you. Hiding behind a name with no contact information must make you feel so brave and strong. So….manly. I’m sure your parents are proud of you Mike Logan.

        And for your information, I pay for my music, movies, software and Apps so how about you learn a thing or two before you start dribbling your bullshit and if you don’t like that I’ll go buy you a box of crayons and you can go sit with the rest of the kiddies….okay?

      • Jakob Chapa

        OMG IT IS NOT A BIG DEAL IF SOMEONE ELSE DOES IT!!! IF YOU ARE AGAINST IT THEN DON’T DO IT!!!!!! GET YOUR PANTIES OUT OF A KNOT AND GROW UP!!!!!

      • http://twitter.com/appleatw Laura

        Shhh hahahaha

    • EpicFacepalm

      IAPCracker doesn’t work on some apps. Well this thing works on some apps that IAPCracker can’t work. There are super secure apps that are invulnerable to both IAPCracker, IAPFree, In-Appstore and reverse engineering techniques

  • ricky_nguyen

    This guy is stupid he is going to move from country to country to try and evade apple’s blocking of his illegal method of purchasing in app content

  • quietstorms

    How about just arresting this jerkoff for theft and fraud?

  • http://twitter.com/myorangeisstuck willie

    let’s just hope it is patched before the official release of ios 6!! i don’t want them to come up with like “6.0.1” just to patch this stupid bug.

    • planetcoalition

      This is not a bug.

  • Marty Cunnane

    Apple should just upgrade their security

    • http://www.facebook.com/profile.php?id=1595420643 Simche Apple Konstantinovic

      This will definitely push Apple, so their security will be stronger :)

  • http://twitter.com/tech_plus Cezar

    Guys, honestly, devs want just a little too much sometimes. Take CSR Racing for example. You cannot afford most of the cool without buying gold or cash. And prices vary between 3$ to 100$. Fast cars won’t go for less than about 50$. Now, I’m not saying that what this guy is doing is right, it is dead wrong because it is stealing in front of the entire world (at least mask your name for your future’s sake) but it should pinch a bit in the back of the devs as well, especially the ones that don’t really have a limit when it comes to prices. And as well should feel bad that a 600 BILLION company has such stupid problems on their hands.