Is Apple stepping up fight against IAP exploit with UDIDs?

A flaw in the in-app purchasing mechanism in iOS, exposed last week by a Russian hacker who used a proxy server to bypass receipt validation and which reportedly accounted for $30,000+ in sales of extra content, may soon become a thing of the past: Apple is reportedly looking to contain the exploit by issuing a unique identifier in validation receipts.

This identifier apparently includes the Unique Device Identifier (UDID) of the device making the in-app purchase. The development is notable given that the company recently began rejecting third-party apps over their use of UDIDs. Apple was also thought to be readying tools that would let developers identify users without resorting to UDIDs...
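To make the security point concrete, here is an added example (not code from the original article, and not Apple's own validation code) showing why a device-bound identifier in the receipt matters. The weak check many apps shipped accepted any validation response with status 0, which is exactly what a rogue proxy can replay. The hardened check also verifies that the receipt is for this app and product, is bound to this device's identifier, and has not already been redeemed. The receipt layout, field names and identifier values below are constructed assumptions modelled on the described change, not Apple's documented format.

```python
import json

# All identifiers below are constructed for this example. The response layout
# (a JSON object with "status" and a "receipt" dict carrying "bid",
# "product_id", "transaction_id" and a device-bound "unique_identifier") is an
# assumption modelled on the change described in the article.
THIS_DEVICE_ID = "0123456789abcdef0123456789abcdef01234567"  # constructed UDID-like value

# Constructed: what a genuine validation server returns for a purchase made on this device.
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000012345678",
        "unique_identifier": THIS_DEVICE_ID,
    },
})

# Constructed: a real receipt for the same product, bought on some other
# device, that a rogue validation endpoint hands back to every device that
# asks. It carries status 0 and the right app and product, so only the device
# binding can catch it.
REPLAYED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000000000042",
        "unique_identifier": "fedcba9876543210fedcba9876543210fedcba98",
    },
})


def naive_purchase_ok(response_text):
    """Weak check: 'status == 0' means paid. Any status-0 receipt, from any
    device, unlocks the content. This is what the proxy exploit relies on."""
    return json.loads(response_text).get("status") == 0


def hardened_purchase_ok(response_text, bundle_id, product_id, device_id, consumed):
    """Accept a receipt only if it validated, is for this app and product, is
    bound to this device, and has not already been redeemed.

    `consumed` is the caller's persistent set of transaction ids already
    credited; a successful call records the transaction in it."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return False  # not a validation response at all
    if data.get("status") != 0:
        return False
    receipt = data.get("receipt") or {}
    if receipt.get("bid") != bundle_id:
        return False  # receipt for some other app
    if receipt.get("product_id") != product_id:
        return False  # receipt for some other product
    if receipt.get("unique_identifier") != device_id:
        return False  # receipt was issued to a different device: replay
    tx = receipt.get("transaction_id")
    if not tx or tx in consumed:
        return False  # already credited once on this device
    consumed.add(tx)
    return True
```

The device-binding check only helps if the response actually came from the real validation server: the exploit worked in the first place because devices were pointed at a rogue endpoint that answered status 0 to everything, so the app must also verify the server it talks to, and checks on bundle id, product id and transaction id are worth keeping regardless of whether a device identifier is present.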

Apple begins taking down sites that sell UDID activations

Apple has begun cracking down on unofficial sites that sell UDID activations to folks who aren't registered Apple developers, letting them download and install iOS and OS X betas on their devices, a strict violation of Apple's agreement with developers.

In fact, a developer's $99-a-year membership in the iOS Developer Program can be terminated if pre-release software is provided to unauthorized parties. Apple isn't just revoking access for developers that sell UDID slots; it's now going after the sites that advertise UDID activations, filing DMCA requests with their hosting firms.

As you can imagine, the financial incentives outweigh the risks and punishment involved. Savvy "entrepreneurs" have found the business of selling unauthorized access to iOS betas worth tens of thousands of dollars. You don't need an office, staff, a telephone line or even a business name - just a small upfront investment, a web page advertising your "service" and spare time on your hands to get the word out...

Tweetbot developer confirms Apple is now rejecting apps over use of UDIDs

A report on Monday alleged that Apple had begun rejecting third-party iOS apps that make use of Unique Device Identifiers (UDIDs). Today, developer Paul Haddad confirms that a new build of his Tweetbot app failed to pass Apple's review due to its use of UDIDs. Haddad received an email from the company citing section 17.1 of the App Store Review Guidelines.

It states “apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used”.

With this app rejection, I think we can safely conclude that developers would be wise to drop UDIDs from their apps now. Better late than never, if you ask me...