Apple starts blocking Russian servers that authenticate in-app content for free

Making good on its promise, Apple has started to block Russian servers which authenticate paid in-app content for free, The Next Web reports. The company is blocking IP addresses that host the rogue domain by issuing takedown notices to hosting companies. PayPal has also intervened to block a private account through which donations had been collected, citing violation of its terms of service.

Despite this, hacker Alexey V. Borodin, the brains behind this controversial method, has already moved the servers to another country in an attempt to evade Apple’s legal requests…

Matt Brian has the story:

“Blocking the original ‘attack’ route, Borodin sidestepped the authentication issue by migrating the service to a new server. Apple was able to pressure the host of the original server — which was located in Russia — into dropping Borodin’s service, but according to the Russian hacker, the new server is hosted in an offshore country in an attempt to evade Apple’s legal requests.”

The author notes that Borodin also enhanced the protocol with its own authorization and transaction processes to bypass iTunes servers completely. The change, Borodin says, is in response to privacy worries and ensures no user data is stored on his server:

“They [the users] need to sign out so they don’t scream to the Internet that I am stealing their credentials.”

In a way, Borodin is basically asking users to trust him when he says he isn’t logging devices. An Apple spokesperson told The Loop last Friday that it was investigating the issue:

“The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”

Borodin’s service allows any iOS device running iOS 3 and up to modify the in-app purchasing mechanism in three easy steps, without requiring a jailbreak. As a result, users can then purchase paid in-app content free of charge.

Apple also filed a copyright infringement request with YouTube, which took down the original how-to video.

Borodin says his service had already processed more than 30,000 individual in-app payment requests, illegally of course. Though the hacker is adamant his hack is purely meant to force Apple into bolstering the APIs and security of the in-app purchasing mechanism, it’s evidently putting users at great risk, especially now that the proxy server handling the requests is located in an offshore country.

Conversely, as it promotes piracy and hurts developers’ income from in-app content sales, we strongly feel the service should be condemned because developers are absolutely entitled to fair compensation for their work.

Besides, stealing is just plain wrong and bad for your karma.

What do you think Apple should do here?

Prosecute the hacker, continue playing a cat and mouse game by taking down the servers or both?