Apple Takes Down Server That Allowed Free In-App Purchases

Previously, we reported that a Russian hacker had figured out a way to get in-app purchases for free on iOS. It was a quick three-step process: install a certificate on the device and change its DNS settings, so that the device's in-app purchase requests are redirected to the hacker's server instead of Apple's.

Now, it seems that Apple has taken down the server that was used, stopping the free in-app purchases. Apple contacted the hacker's hosting provider and pressured them to take it down; they complied without argument. Apple also got YouTube to remove the video the hacker posted showing the steps required to perform the hack. The hacker had been accepting donations via a PayPal account, and Apple has had PayPal disable that account.

Apple representative Natalie Harrison had this to say on the issue: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”

The hacker has since moved his “service” to a new, offshore server that cuts Apple’s servers out of the process entirely. Here’s what The Next Web reported the Russian hacker told them:

Borodin tells us that the new service has been updated and cuts out Apple’s servers, “improving” the protocol to include its own authorisation and transaction processes. The new method “can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.”

The signing process has also been adapted to ensure that users cannot use Borodin’s service without first signing out of their iTunes account. The reason for this? “They [the users] need to sign out so they don’t scream to the Internet that I am stealing their credentials.”

In simple terms, it should mean that device details are not stored on the server. However, given the very nature of the service and the fact the servers are located in an ‘offshore’ country, we can’t stress enough the real privacy and security implications of using such a service (but also from a moral and legal perspective).

The service is still up and running, but the hacker did not share the new server with The Next Web. The hacker says he is not logging any information from users' devices, but the service by design sits in the path of the device's purchase traffic, and it is probably not a good idea to trust someone who is blatantly and publicly showing people how to rip off Apple and its developers. My advice would be to stay away from this.

  • swotam

    Good news, the sooner Apple takes down guys like this the better. I’ve got no problem with devs who identify problems and advise the company of them, but posting instructions online that people then use to steal product goes over the line IMO.