In iOS 6, coming this fall, Apple will fix a security vulnerability in the App Store's in-app purchasing process that allows "man-in-the-middle" style attacks, steals from developers, and potentially exposes user account data to hackers. This according to a new, publicly-available support document posted to developer.apple.com on in-app purchase receipt validation on iOS. Apple's preamble states:
Matthew Panzarino from The Next Web points out that Apple is exposing some private APIs (application program interfaces) to developers as part of the short-term fix:
Apple typically scans for, and automatically rejects, any app that uses private API. The reason for this is, unlike public API which cary with them the promise of future compatibility and support, Apple can and will make changes to private API at any time, potentially breaking apps that rely on them.
Exceptions to the prohibition on private API are almost unheard of, which shows both the importance of the fix, and short period of time it's meant to cover (less than 3 months).
Since the security vulnerability was discovered and exploited, Apple has been engaged in a back-and-forth series of actions against the hacker in an attempt to prevent any theft of developer assets or user data. While the process has been successfully used to steal in-app purchases without paying for them, it's uncertain if any account information has been compromised. Even if it wasn't, and even if this hack, in this case, was aimed at developers rather than users, it doesn't mean the next one, using the same or similar exploits, won't specifically target user account data. Apple has to fix it and make the fix stick.
iOS 6 was announced at WWDC 2012, is currently in beta, and will be made publicly available this fall, likely alongside the next generation iPhone 5.
Until then, for developers who rely on in-app-purchases, it looks like there's some work to do to tighten up security in the meantime.
For users, while the prospect of free Smurfberries might sound enticing, essentially breaking open your iPhone or iPad's security and passing all your transactions through a hacker's servers, potentially exposing your iTunes account and related credit card information could end up being a much, much higher price to pay.
Master your iPhone in minutes
iMore offers spot-on advice and guidance from our team of experts, with decades of Apple device experience to lean on. Learn more with iMore!
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.