“A Russian developer has published a method of obtaining in-app purchases from iOS apps for free,” Jordan Kahn reports for 9to5Mac.
“The ‘in-app proxy’ method does not require a jailbreak, can be completed by novices in three steps using just an iOS device, and allows users to install in-app content for free,” Kahn reports. “The hack also works on all devices running iOS 3.0 to 6.0. We have confirmed the method works (at least temporarily), and the published instructions are starting to get attention, so we decided to publish this story as a warning to the Apple developer community.”
Kahn reports, “The hack appears to have come from Russian developer ZonD80… [who] appears to run a website called In-AppStore.com where donations are being accepted to support the development of the project and help keep servers up and running… Apple does provide a method for developers to validate receipts for in-app purchases. This is likely why the hack… does not work with some apps and is something all devs implementing IAP should be taking advantage of.”
Read more in the full article here.
MacDailyNews Take: Apple to correct this in 3… 2…
We do not endorse this technique or recommend that you use it. Do not steal.
I haven’t read the article yet, but if he can do it… It’s a matter of time before others can spoof the exploit (if it needs some specific networks etc. as you said) and replicate it.
Apple can/will track you if you try and exploit it. You’ll get caught.
I bet in app purchases will be turned off for a while now.
How cheap can people be? Apps are already pretty low cost. The world would go under pretty fast if everyone was deprived of their rightful working wages or fair compensation. Developers need $$$ love too.
There’s actually a lawsuit against Apple because some “Free” children’s apps allow in app purchasing with no password if completed within a few minutes of the free app being installed, and in some cases these in app purchases can cost a few hundred dollars. Kids were getting their parents to give them a password to install a “free” app then scamming them for a lot of money after the purchase.
There should be a cap on how much an in app purchase can cost for a free app, and at least no free app should be able to do a no-password in app purchase.
“children’s apps allow in app purchasing with no password if completed within a few minutes of the free app being installed”
Just an update, this has since been fixed, yes, but still it was a valid issue.
How do you get that “profiles” section to show up in the Preferences/General screen? I don’t have it.
That section shows up only if you have profiles on the device. Grab Apple’s iPhone Configuration Utility if you want to experiment with creating and installing configuration profiles.
I won’t be downloading anything for free through the exploit. I believe in fair compensation so I purchase the music and apps I use.
I buy a lot of apps, as well as music thru my iPhone and iPad. The cost is certainly reasonable for 99.99% of the apps, and if you own an iOS device, are you really that broke, that you need to resort to this?
Thanks for supporting stealing, MDN
Oh grow up!
It is unfortunate we still have people who want a free ride. No reason at all for theft. Thefts need their hand cut.
I hope Apple unleashes its Javerts on this.
Javerts? Sorry, don’t know the term.
Exactly! Though the site’s servers are down by now, according to two other sites, why not post the info and NOT promote the video/details?
I’m not a developer, buy apps often, but clearly don’t get the need to post the “how to” part…unless it’s to get hits for MDN? Nah, they wouldn’t bend over that far for hits…hmm, or would they?
Russia: amazing what you can offer society when you have a bottle of vodka & a komputeЯ
MDN is a news site. This is news. Half-assed reporting on it by not pointing to YouTube doesn’t help anyone as it’s really not that hard to find on YouTube or other news sites. It’s better for everyone to fully report what’s happening here.
I doubt any developers are going to get hit significantly on this if at all. More than likely, the proxy will be shut down soon, and Apple will fix this.
Any user who would submit their Apple ID and password to someone in Russia who enables their theft is as stupid as they are greedy and will end up getting what they deserve.
Hmmm… you have to go to their site and install their certificates… don’t know much about iOS Config Utility… but could this give them some access to your phone that you wouldn’t want them to have? Kind of like installing spybots or something?
People who would resort to something like this are pretty pathetic. The cost of apps and content really is a bargain in the vast majority of cases.
Not condoning piracy, but I can at least understand it when it comes to something like Adobe’s Creative Suite, which costs hundreds of dollars. But why rip off an app that costs less than a Starbucks latte?
And there are legitimate ways to save yourself even that tiny amount of money — frequent special sales that are widely publicized, give-away contests, apps such as FreeAppADay and App Nana…
I dunno, maybe it’s a sickness. Cyber kleptomania.
I jailbreak, and I pay for my apps and in-app purchases.
Hacks like this make us all look bad.
I hope they fix it soon.
can be completed by novices in three steps using just an iOS device
I hope this is NOT the iOS hack for which the US federal government recently paid $250,000. Darn oh darn. 😛
the three steps of the hack, which include the installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings.
Anyone remember when security certificates were supposed to actually be ‘secure’? So much for that technology.
Not ironically, I posted a blog article last week entitled:
CRAP Internet Computer Security For The Last 14 Years