
Apple is working to block the in-app purchase hack done by a Russian hacker

Last Friday, a Russian hacker, Alexey V. Borodin, published a hack to circumvent Apple's verification system for in-app purchases. The hack makes it possible to get in-app items without paying. In fact, it is a proxy that masquerades as Apple's validation server for in-app purchases, allowing paid content to be installed illegally within an application, for free. The hack is so simple that a novice user can do it. Find out more details after the jump.

Published: Monday, 16 July 2012 21:02

Important note: neither approves nor endorses this kind of illegal activity because it is a clear violation of the end-user license agreement of the Apple iPhone, iPad or iPod Touch. The hack is mentioned here for informational purposes.


The hack, created by Alexey V. Borodin, could make developers, who worked hard to create their iOS applications, lose a lot of money until Apple fixes the flaw. The hacker even posted a video demonstrating the manipulation.

Technically speaking, you must install a forged digital certificate on your iOS device. With this, the device thinks it is connecting to Apple's validation server for in-app purchases. The server behind the forged certificate is in fact one set up by the hacker. This server then sends a validation code, which is normally sent by Apple's servers, to the application within which you are making the purchase. Once the validation code is received, the app validates the purchase and provides free access to the paid content.

The hack does not require a jailbroken device, unlike some other hacks available on the web. Nevertheless, it seems that this hack does not work with all applications. Apps for which the workaround does not work are mainly those that systematically verify purchases through Apple's in-app purchase verification servers.

Apple is, fortunately, aware of this workaround and is currently working to block it. As of now, Apple has apparently asked for the IP address of the fake validation server set up by the hacker to be blocked. In an interview available on the web, Borodin indicates that the validation method developed by Apple will not protect applications from the hack.
Following the IP block requested by Apple, the hacker's server has apparently migrated to another host outside Russia. PayPal also took action by blocking the PayPal account used by the hacker to receive donations, stating that there was a violation of its terms and conditions of service.


Unfortunately for Apple, the fake validation server developed by the Russian hacker is still active. Moreover, it has been updated to cut off all communication with Apple's servers and also to include an improved management and authorization program for in-app transactions. The update no longer uses the proxy set up to simulate Apple's validation server.
Borodin added that the new update forces users to sign out of their iTunes account, to avoid having their bank details stolen, given that there is no longer any need to use the iTunes account.

App developers have a lot to worry about if they do not update their apps to use Apple's verification servers. Technically speaking, with this method the app verifies that the certificates used by Apple's servers are the ones it expects. This method is fairly simple to implement, and it is mainly the reason why the hack set up by the Russian hacker does not work on certain apps.
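One way to implement the certificate check described above, for a connection the app opens itself, is a `URLSession` delegate that accepts the server only if the SHA-256 hash of its leaf certificate matches a value shipped with the app. This is an added example, not code from the article or from Apple; the class name `PinnedSessionDelegate` and the `pinnedLeafHashes` parameter are assumptions for illustration, and the pin values must be supplied by the developer.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical delegate (name is an assumption, not an Apple API).
// Requires iOS 15+ for SecTrustCopyCertificateChain.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // SHA-256 digests of the DER-encoded leaf certificates the app expects.
    private let pinnedLeafHashes: Set<Data>

    init(pinnedLeafHashes: Set<Data>) {
        self.pinnedLeafHashes = pinnedLeafHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        // Only server-certificate challenges are handled here.
        guard challenge.protectionSpace.authenticationMethod
                == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: normal chain validation. A certificate the user installed and
        // trusted on the device passes this step, which is why it is not enough.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin check. Hash the certificate the server actually presented
        // and compare it with the values compiled into the app.
        let der = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: der))

        if pinnedLeafHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Valid chain but unexpected certificate: refuse the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Pinning the leaf certificate means the app must ship an updated pin set before the server's certificate is rotated.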

For the moment, Apple has not contacted Borodin, but the company is probably already aware of the issue. Of course, recommend that you not use this kind of hack because of the risk that your personal data (e.g., bank data) could be stolen by a man-in-the-middle.

