Stealing in-app purchases and what it could cost you


There's a story going around today about a new hack that appears to allow users to bypass iTunes and steal in-app purchases "for free". I put "for free" in quotation marks because, as Ally pointed out in her editorial on app theft, there's no such thing as free. This time, however, the cost could be something more than money. The way I understand it, the hack in question uses a proxy and requires you to install a bogus certificate and change DNS settings. That allows the transaction to be intercepted before it reaches iTunes, and that's what lets it cheat developers out of payment. It's also what could let the hacker collect all your information instead.

And that's dangerous.

There's a reason good guy hackers like the iPhone and Chronic dev team urge people not to steal apps -- it hurts everyone. A hack designed expressly to steal in-app purchases, by definition, isn't run by a good guy. The hacker in question is also asking for donations -- for money in exchange for helping you cheat developers out of the money they worked hard for and earned.

As proofs of concept, as a way to discover vulnerabilities that get passed on to Apple so they can be fixed, hacking and hackers can be extremely beneficial to hardening security and making all of our iPhones and iPads safer to use.

This isn't that.

This is stealing, and while it will certainly cost developers money, it could cost you a lot more. Worse than that, it's the perfect way to trick people into giving you access to their devices and credentials. Maybe this particular hacker isn't interested in abusing that, but how do we know? How do we know no one else will use the same hack to steal device and transaction information?

The easiest way to steal anything from anyone is to ask them for it.

No way in hell am I trusting anyone to essentially man-in-the-middle my iTunes connections, and no way in someplace even darker and hotter am I helping them do it.

Cry FUD if you want, but for me, saving $0.99 on Smurfberries isn't worth exposing my data or account.

UPDATE: Matthew Panzarino and Matt Brian of The Next Web have done some digging into how the hack works and how both developers and Apple could better secure the process.

UPDATE 2: Lex Friedman of Macworld has given the hack a similar look.

UPDATE 3: Jim Dalrymple of The Loop got a response from Apple PR, who say they're investigating.

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, Review, The TV Show, Vector, ZEN & TECH, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.


There are 28 comments.

iDonev says:

I don't know how wise it is to give so much publicity to such topics. I personally hadn't heard about the existence of this hack and I'm not in the slightest interested in trying it, but others who previously had not heard about it, might "take advantage" of it.

sockopen says:

Partially agreed.

However, I am with Rene on this - not trusting the person running this proxy to handle my information. What happens when his server is compromised and the Apple IDs of people who were cheating the system get exposed? I personally have not heard of this before, but I also have absolutely no interest in this.

I am hoping the good that comes from this is people who are looking for ways to cheat and steal get exposed and punished, and Apple hardens their security.

Rene Ritchie says:

It was a judgement call and one I struggled with for a couple hours. When the story started getting reported more widely, and when it looked like "how-to" guides were being given rather than strict news coverage, and when the warnings about the possible dangers weren't getting the attention I thought they deserved, I wrote this.

When any crime gets big enough, it needs coverage. I don't believe in telling people how to commit crimes, but I do believe we have a duty to inform readers of the dangers they may face, and the costs associated, with those crimes.

Dev from tipb says:

As a (primarily server-side) dev myself, I hate the possibility of my work being stolen, but you made the right call here.

Pitchforkz says:

Some people stoop so low!

johntmeche3 says:

Like having their friends collect their records and then changing their number?

Freiteez says:

The reason this is news is to help expose this threat to Apple and they can maybe come up with the fix. This isn't a how-to guide on how to do it.

Unfortunately there are things like this out there and once they are exposed enough the right people will see it and will find a way to block it or develop a way to fix it.

dloveprod says:

I still can't believe they charge up to $99 for smurfberries.

BeyondtheTech says:

Maybe we should give some fair warning to people who are contemplating about trying it:

1. You have to enter your iTunes credentials just like a real in-App purchase. Considering you're going through a stranger's proxy, you may be giving up that information into their repository. Whether they use it for their own malicious purposes, or if they turn around and expose it, hackers and Apple alike can see who used it.

2. The in-App purchase itself is faked, so trying to restore a purchase on another linked device or after a reinstall of the app is not going to work.

3. Developers do keep track by means of analytics, so if one day you have 5 Smurfberries and the next day you have 5,000,000 of them, but there's no sales to prove it for that day, well, you're basically caught. What they can do to you at that point is up to them and/or Apple.

4. When you change your DNS, you're routing all your requests to them like a proxy. There's no telling what else you're transmitting to them, like if you happen to launch your Facebook app, or if you've told your iOS device to poll the email server for new messages, or if you've logged into your bank's app, you're basically routing the DNS request to them, where they could be tunneling the request through another server to the respective service, all transparently. But while it's going through their proxy server, they could be logging all that information quietly for their nefarious purposes.

You've been forewarned.

Trexwarrior says:

Never heard of this hack until today. Seems like going way out of your way to hack cheap freebie apps. Anyone that's jailbroken knows to just download iAPcracker which does the same thing just locally on your phone. Also most apps that can be hacked are freebie apps that are usually low quality. Most games verify in app purchases with private servers anyways and will block said hacks.... This shouldn't even make the front page of iMore in my opinion. If you take into account the small percentage of people that jailbreak and the even smaller portion that would use the reported hack it's not even worth the time reporting it. If they do get hacked and their payment info stolen it serves them right...

mcmillan27 says:

That's pretty pathetic to think people want to steal apps like that. For crying out loud, most apps are $0.99. Heck, for one of the nicer apps it's not much more than a cup of coffee. I'll just never understand people who do this sort of thing.

mjcarter says:

It's not stealing an app, rather it is to steal in-app purchases like game play dollars or coins or whatever may be used to upgrade your character or team in the app.

diggidy says:

Uhm...there has been a way to get iAP (In-App Purchases) for free for a long time. There is a tweak in Cydia called iAP. It allows you to essentially do the same thing without fake files or giving up your info. What most don't know is that the content that makes up the In-App Purchases is downloaded to your iDevice when you download the free OR paid app. It's all part of the original download. iAP basically "unlocks" the already downloaded iAP. In-App Purchases can also be SSHed out of the .ipa file. I guess the fact that he's asking for donations makes this a story.

Jlh437 says:

Apps ok, but I really can't get myself to care about in app purchases being taken.

IamHahn says:

I'd presume you need to be jailbroken for this hack, which unfortunately taints the JB community as a whole. It's stuff like this that makes Apple wary of the JB community and their intentions, which is really unfair seeing as many just want to unlock the potential tweaks, themes and Apple unapproved apps. Malicious acts such as this are why Apple works so hard to make jailbreaking impossible, and why Jailbreak pioneers such as Pod2G, I0n1c and others have to work so hard just to obtain a safe JB.

As much as Apple wants to control how you use iOS and make sure your experience with their product is how they intended I truly believe they are far less concerned with people climbing out of Steve, Tim, et al's walled garden than people stealing from Apple and the 3rd party developers that help make iOS great. It's hard to refute the idea that the Jailbreak community has pioneered many features added into iOS over the years. Apple might not care for jailbreaking, but the innocuous majority does benefit Apple in many ways. It's a shame that stuff like this happens, and causes even more negative publicity for the JB community.

berry15 says:

This isn't for jailbreak-only devices, it's for any...

Ricky Liu says:

Maybe you should do a bit more research before you post this article?

The hack does NOT require you to enter your App Store credentials, in fact you don't even need to enter anything. On the hacker's website, he posted instructions specifically telling you to log out of your App Store account before applying his DNS hack, so that your transaction information doesn't get sent to him. I'm not defending him or saying that he has no intent of stealing your information, I wouldn't know. But at least I know that without entering your logins during an app purchase or in-app purchase, there wouldn't be any information sent to the hacker, so that's pretty safe.

To be more specific, he stated that you can just enter any random login credentials (just make them up). But it turns out that if you cancel the purchase (thus requiring no need of entering the credentials), the in-app purchases will still work.

Furthermore, you can either cancel your credit card association with your Apple account if you're so worried of it being stolen, OR you can create a new Apple account with no specific information whatsoever, with no credit card tied to it, and just link that account to your iDevice before you try out the hack.

Anyway, I'm not supporting this hack and I agree that this hurts the developers. But my point is, there really aren't any risks in using this hack like you've mentioned, so this doesn't stop people from using it.

Blaze99TollFree says:

Hey bro you're exactly right. I think I'm still currently using the Iap jailbreak thing, haven't used my iPad in a while. And I had no problems with it. These people have no idea what they are talking about and there is no danger to IAPfree. So this whole topic is irrelevant haha.

d_la_roc says:

Stuff like this gives Jailbreaking a bad name. I jailbreak for the tweaks like SwipeSelection, SbSettings, and WeekillBackground. I find that using sites like Appshopper help you to get great games when they go on sale for free. I have over hundreds of good apps that I got all for free. You can follow me on Twitter. @D_LA_ROC I post free apps and games daily. I've been doing it for about 3 years now. Or you can just use Appshopper. (Which is what I use and then I share them on Twitter)

Barry Stephenson says:

This isn't about small in app purchases. This is about some developers who are fleecing people. When I see a pot of gold or in-game credit and the cost is 69.99. Such as Real Racing Three, then I want to steal from these people. Charge me 10 pound for Real Racing Three, and I will happily pay it. And even more. But use all sorts of ways to drip feed money from me, such as lengthy enforced services and repair times or car delivery times, then you will get what you deserve. IAP is literally ruining some games and is just an example of greed. I am happy to rip them off myself, and continue to pay to support the non-greedy developers.

Agnazrage GoW says:

THIS is how more people should feel about all of this. Why are there so many zombies chiming in with the "Gee golly, nefarious hackers are stopping poor developers from obtaining hard earned money!".

I don't know any game that's free and isn't built to twist your arm into making a car payment monthly to play the game how it was meant to be played. For example, Game of War. On startup you get hit with a full page advertisement prompting you to spend $99.99. Spending money like that on consumables that won't even last is what ruins games. Everybody trying to look down their nose is being unrealistic and idiotic.

Hacks like this don't take from legit developers. I actually prefer when an app costs me a few bucks to even download it. At least I know I won't get beat about the ears with timers and limited game play.

I don't utilize any hacks or JB myself, but a lot of people here need to pull their head out.

Doug-the-Dagger says:

And this is why you shouldn't purchase an Apple product. As an avid Android user, you really don't have to worry about this. Google actually encourages you to mod your own system in this sense. And you can have multiple accounts on your device. So you can use the account that isn't linked to your credit card account to make these "fake in-app purchases" without fear!

Abhinav touchwizzed says:

This is why I prefer Android over iOS.