A flaw in the in-app purchasing mechanism in iOS that a Russian hacker exposed last week by leveraging a proxy server which enabled $30,000+ in sales of extra content may soon become a thing of the past as Apple is reportedly looking to contain the exploit by issuing a unique identifier in validation receipts.
This identifier apparently includes the Unique Device Identifier (UDID) for the device making the in-app purchase. The development is indicative remembering that the company recently began rejecting third-party apps over use of UDIDs. Apple was also thought to be readying tools for developers to let apps figure out users without resorting to UDIDs…
Eric Slivka explains at MacRumors:
As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple’s use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.
It wasn’t however immediately clear whether the unique identifier Apple uses is really a device UDID or some other unique identifier. The developer quoted by MacRumors was subsequently contacted by The Next Web‘s Matthew Panzarino, who sheds more light on the matter:
The source who contacted Macrumors also got in touch with us. They say that a UDID is definitely showing in that slot for them, but they also have not updated their app to remove references to the UDID, something that Apple has been recommending for some time.
This led Panzarino to speculate about the nature of Apple’s new ‘unique_identifier’ field discovered in updated receipts for extra content purchases.
Developers that have been submitting app updates recently have found the apps being rejected for using the identifying string. This new use of an identifier may be Apple implementing its recommended UUID standard for new devices while still allowing apps running on older versions of the OS to use a UDID.
Following a flurry of news reports last week that Russian hacker Alexey V. Borodin successfully bypassed the in-app purchasing mechanism with a simple three-step procedure that anyone could follow (remember, it also exposes your iTunes data to a third-party) without requiring a jailbreak, Cupertino at first issued a statement saying it was investigating the issue.
Two days later, Apple fought back by blocking IP addresses of the Russian server. Apple also asked YouTube to remove a how-to video and started issuing take down notices to companies hosting Borodin’s web site while PayPal removed a private account used to accept donations for the hack.
These are obviously stop-gap measures until a more permanent fix becomes available.
Interesting enough, a startup called Beeblex is now in the spotlight as it provides a free validation workaround for developers looking to avoid getting burned by the IAP exploit.
We strongly discourage any use of the exploit because, as we said before, you may be exposing your confidential iTunes data to a third-party. Moreover, you’re stealing extra content rather than buying it, which is bad for your karma and depressing for the people who put their heart and soul into developing for iOS.
I trust most of you have steered clear of this hack?