If any of you can recall, there was a fiasco last week involving a hacker who managed to find an in-app purchase bug that lets him acquire in-app contents without paying a dime for them. The disturbing part is that the process involved for this particular fraudulent act is that it is quite simple to perform as it doesn't even require a jailbroken device. And there is the fact that it works from iOS 3.0 to iOS 6.0. This exploit is potentially damaging to app developers so Apple has responded to the situation and offered a temporary to the said in-app purchase bug.
As a response to this particular issue, Apple sent an email that directs to a new Apple developer web document that describes the in-app purchase bug and teaches the developers the possible temporary fixes including the implementation of UDID (Unique Device Identifier) receipt in validation receipts. The fruit company said that the bug will be completely squashed in the future updates for iOS 6. This is the email that has been sent to the developers:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
Contact Us for News Tips, Corrections and Feedback
Apple also listed the frequently asked questions by developers over the past days and provided the solutions / answers to them. This is obviously a stopgap solution at the moment but by bringing this to the attention of iOS developers, preventive measures can be made. A permanent fix should be well on its way perhaps in the next beta build of iOS 6. It’s good to know that Apple is already on the case. [via 9to5Mac]