Apple will fix in-app purchases vulnerability in iOS 6, provides workaround for now
In iOS 6, coming this fall, Apple will fix a security vulnerability in the App Store's in-app purchasing process that allows "man-in-the-middle" style attacks, steals from developers, and potentially exposes user account data to hackers. This according to a new, publicly-available support document posted to developer.apple.com on in-app purchase receipt validation on iOS. Apple's preamble states:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
Matthew Panzarino from The Next Web points out that Apple is exposing some private APIs (application program interfaces) to developers as part of the short-term fix:
Essentially, Apple has added a hash to each transaction that is calculated based on a digital certificate. That certificate must be coded into the app by each developer. This is used to determine whether the in-app purchase receipt has come from Apple directly. The data in the receipt is used to calculate that hash so that each one is unique and can’t be faked.
Apple typically scans for, and automatically rejects, any app that uses private API. The reason for this is, unlike public API which cary with them the promise of future compatibility and support, Apple can and will make changes to private API at any time, potentially breaking apps that rely on them.
Exceptions to the prohibition on private API are almost unheard of, which shows both the importance of the fix, and short period of time it's meant to cover (less than 3 months).
Since the security vulnerability was discovered and exploited, Apple has been engaged in a back-and-forth series of actions against the hacker in an attempt to prevent any theft of developer assets or user data. While the process has been successfully used to steal in-app purchases without paying for them, it's uncertain if any account information has been compromised. Even if it wasn't, and even if this hack, in this case, was aimed at developers rather than users, it doesn't mean the next one, using the same or similar exploits, won't specifically target user account data. Apple has to fix it and make the fix stick.
iOS 6 was announced at WWDC 2012, is currently in beta, and will be made publicly available this fall, likely alongside the next generation iPhone 5.
Until then, for developers who rely on in-app-purchases, it looks like there's some work to do to tighten up security in the meantime.
For users, while the prospect of free Smurfberries might sound enticing, essentially breaking open your iPhone or iPad's security and passing all your transactions through a hacker's servers, potentially exposing your iTunes account and related credit card information could end up being a much, much higher price to pay.