
iOS 6 to address App Store hacking vulnerability


+
Add GMA on Google
Make this your preferred source to get more updates from this publisher on Google.
First, the good news: Apple Inc. is working to fix a vulnerability in its App Store that allows a hack that can cheat developers of income by enabling free in-app purchases.
 
Now, the bad news: The fix may come in iOS 6, Apple's operating system for its mobile devices such as the iPhone smartphone, iPad tablet, and iPod Touch.
 
"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker," Apple said.
 
It said that, with a certificate authority controlled by the attacker, the user can fool the Apple device into thinking the attacker's server is an App Store server.
 
When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid, Apple said.
 
"iOS 6 will address this vulnerability," it said.
 
But for now, it urged developers to follow the best practices including:
 
  • Check that the SSL certificate used to connect to the App Store server is an EV certificate.
  • Check that the information returned from validation matches the information in the SKPayment object.
  • Check that the receipt has a valid signature.
  • Check that new transactions have a unique transaction ID.
 
It also urged developers to have their app perform receipt validation by sending the receipt to their server and having their server perform the validation with the App Store server.
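As an added example (not from the article or from Apple), the server-side flow described in the previous paragraph with the listed checks applied in Python: the app hands its receipt to the developer's server, which asks the store and credits the purchase only if the answer matches the SKPayment and the transaction ID is new. The response field names, the PaymentInfo shape and the sample receipts are assumptions modelled on the App Store's JSON receipt validation answer.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class PaymentInfo:
    """What the app's SKPayment said was bought (assumed minimal shape)."""
    product_id: str
    quantity: int = 1

@dataclass
class ReceiptValidator:
    """Applies the checks listed above on the developer's server, not the device.

    ask_store forwards the raw receipt to the App Store over the server's own
    HTTPS connection; it is injected so the logic runs offline. The response
    keys are assumed (modelled on verifyReceipt JSON), not from the article.
    """
    expected_bundle_id: str
    ask_store: Callable[[str], dict]
    seen_transaction_ids: set = field(default_factory=set)

    def validate(self, receipt_data: str, payment: PaymentInfo):
        response = self.ask_store(receipt_data)
        # The store verifies the receipt signature; a non-zero status means it
        # did not, so nothing in the payload is trusted from here on.
        if response.get("status") != 0:
            return False, "store rejected receipt"
        receipt = response.get("receipt", {})
        # Returned data must describe this app and this SKPayment.
        if receipt.get("bid") != self.expected_bundle_id:
            return False, "bundle id mismatch"
        if receipt.get("product_id") != payment.product_id:
            return False, "product id does not match SKPayment"
        if int(receipt.get("quantity", 0)) != payment.quantity:
            return False, "quantity does not match SKPayment"
        # A new transaction must carry an id that has not been credited before.
        tx_id = receipt.get("transaction_id")
        if not tx_id or tx_id in self.seen_transaction_ids:
            return False, "missing or already credited transaction id"
        self.seen_transaction_ids.add(tx_id)
        return True, "ok"

def constructed_store(receipt_data: str) -> dict:
    """Stand-in for the App Store answering with constructed sample data."""
    good = {"bid": "com.example.game", "product_id": "coins_100",
            "quantity": "1", "transaction_id": "1000000001"}
    other = dict(good, bid="com.example.other", transaction_id="1000000002")
    known = {"rcpt-coins-100": {"status": 0, "receipt": good},
             "rcpt-other-app": {"status": 0, "receipt": other}}
    return known.get(receipt_data, {"status": 21002})  # non-zero: not valid
```

The EV certificate check from the list belongs to the transport layer: the real ask_store must use an HTTPS client that verifies the store's certificate against a fixed trust store rather than the device's, which is what takes the attacker's DNS redirection and user-installed CA out of the picture.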
 
A separate article on PC World said the App Store hack by Russian hacker Alexey Borodin lets iOS users trick the App Store into giving them in-app purchases for free.
 
The hack went public earlier this month. — TJD, GMA News