Russian hacker admits defeat in IAP breach

Alexey V. Borodin, the Russian hacker who made headlines with a tool which lets anyone steal extra content in apps, no jailbreak required, is admitting defeat following Apple’s announcement that the in-app purchasing (IAP) exploit will be fixed in the shipping version of iOS 6 this fall.

In an unprecedented move, Apple gave developers access to a pair of private APIs in iOS, a temporary solution that effectively bypasses the hack. Borodin just publicly acknowledged that currently there is no way to circumvent Apple’s band-aid fix in apps updated to take advantage of the private APIs…

In a blog post on his In-AppStore.com website titled “It’s all over… for now”, Borodin writes under his hacker nickname ZonD80 that Apple successfully fixed the security issue with the private APIs.

By examining last Apple’s statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It’s a good news for everyone, we have updated security in iOS, developers have their air-money. But, service will still remain operational until iOS 6 comes out.

The method used to crack IAP in iOS has also been successfully employed against paid content in OS X apps distributed via the Mac App Store. Noting that he is still waiting for Apple’s reaction, Borodin teased that he and his team have “some cards in the hand”, adding that “it’s good that OS X is open”.

A short follow-up post published less than an hour ago invites people to try “buying” some paid content in apps, hinting that they “made a little improvement to protocol”.

We at iDB do not condone this hack nor any other method that lets dishonest individuals steal paid content and deny developers their hard-earned revenue.

Do you think Borodin will find a way to circumvent Apple’s fix for fake in-app purchases?