Saturday, July 14, 2012

Stealing in-app purchases and what it could cost you

There's a story going around today about a new hack that appears to allow users to bypass iTunes and steal in-app purchases "for free". I put "for free" in quotation marks because, as Ally pointed out in her editorial on app theft, there's no such thing as free. This time, however, the cost could be something more than money. The way I understand it, the hack in question uses a proxy and requires you to install a bogus certificate and change DNS settings. That allows the transaction to be intercepted before it reaches iTunes, and that's what lets it cheat developers out of payment. It's also what could let the hacker collect all your information instead.

And that's dangerous.

There's a reason good guy hackers like the iPhone and Chronic dev team urge people not to steal apps -- it hurts everyone. A hack designed expressly to steal in-app purchases, by definition, isn't run by a good guy. The hacker in question is also asking for donations -- for money in exchange for helping you cheat developers out of the money they worked hard for and earned.

As proofs of concept, as a way to discover vulnerabilities that get passed on to Apple so they can be fixed, hacking and hackers can be extremely beneficial to hardening security and making all of our iPhones and iPads safer to use.

This isn't that.

This is stealing, and while it will certainly cost developers money, it could cost you a lot more.

No way in hell am I trusting anyone to essentially man-in-the-middle my iTunes connections, and no way in someplace even darker and hotter am I helping them do it.

Cry FUD if you want, but for me, saving $0.99 on Smurfberries isn't worth exposing my data or account.

UPDATE: Matt Panzarino points out that properly secured in-app purchases are much harder to hack, and that Apple provides documentation for iOS developers on how to implement it.



Source: http://feedproxy.google.com/~r/TheIphoneBlog/~3/crQdKIDcii0/story01.htm
