Apple tries to block iOS in-app purchase hack, fails
Summary: Apple is working hard to fight the hacking of its In-App Purchase program for iOS. So far, though, the company's attempts have not deterred Russian developer Alexey Borodin, who apparently wants Cupertino to fix the underlying problem rather than just trying to block his in-appstore.com service.
By Emil Protalinski July 16, 2012
Last week, Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later), allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and said it was investigating the issue. Ever since, Cupertino has been working hard to stop the attack, but it has yet to succeed.
Last but certainly not least, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale. Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack.