In-App Purchase Vulnerability To Be Fixed In iOS 6
According to 9to5Mac, Apple has offered developers a series of best practices to prevent the In-App Purchase vulnerability. Apple has also promised a full fix in iOS 6.
Last weekend, the advisement shown on this page was sent to developers in an email.
CNET was issued this statement by Apple:
“We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases,” Apple spokesperson Tom Neumayr told CNET. “This will also be addressed with iOS 6.”
Apple issued following note to developers on the iOS Developer webpage, along with a series of suggestions to help verify that in-app purchases were legitimate:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
News of the in-app purchase hack broke a week ago. Apple has made several attempts to prevent users using the hack. Coming from a Russian hacker, this hack allows users to avoid paying for in-app purchases by using a third-party server as a “man-in-the-middle” attack. Apple now includes the Unique Device ID (UDID) identifier in in-app purchase receipts in an attempt to increase the security of purchases.
Source: Mac Rumors