Slashdot: News for Nerds

Russian Hacker Sidesteps Apple iOS In-App Purchases

Soulskill posted about 2 years ago | from the price-is-right dept.

An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack doesn't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, opposed to Apple’s usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.

142 comments

Thanks Slashdot! (5, Informative)

CajunArson (465943) | about 2 years ago | (#40639973)

Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

Re:Thanks Slashdot! (5, Insightful)

chinton (151403) | about 2 years ago | (#40640015)

I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.

Re:Thanks Slashdot! (2, Insightful)

i kan reed (749298) | about 2 years ago | (#40640025)

Where the "something" in this case are the states of Boolean variables. Not illegal.

Re:Thanks Slashdot! (-1)

Anonymous Coward | about 2 years ago | (#40640059)

Interesting logic. You don't pay for downloaded media or software, either?

Re:Thanks Slashdot! (2, Insightful)

Black LED (1957016) | about 2 years ago | (#40640095)

I think this is different. The data for the in-app purchases already exists on your device. You have every right to manipulate the data on your device, computer, whatever in any way that you want. So long as you aren't then redistributing that data, there is no problem.

Re:Thanks Slashdot! (1)

Dog-Cow (21281) | about 2 years ago | (#40640117)

That is not true for all such purchases. In fact, I'd wager that a significant minority, if not out-right majority, involve downloading something.

Re:Thanks Slashdot! (5, Insightful)

nitio (825314) | about 2 years ago | (#40640235)

Not true. YMMV but consider that most likely what you bought is a license to run the software (not the software itself) therefore the software in question - and the data - are still owned by the company that sold you the license. Copyright and all that shit.

Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc but you have to pay to have that data already present unlocked. As sad as it is, it's not illegal for them to do that, neither is it legal for you to hack and make it available just because you have the data in a device you own.

You know what the best alternative is? Pay the extra or don't pay from the beginning. Simple as that.

Liar (3, Informative)

SmallFurryCreature (593017) | about 2 years ago | (#40640585)

You must be one of those kiddies who shit their pants at the thought of violating a EULA or live in corporate USA. But for normal people in the free world, you are free to do anything to any bit on your computer.

EULAs cannot take away fundamental rights and I have the right to remix, video/music and data any way I want. FOR MYSELF! As long as I do not redistribute copyright material YOU FUCKING MORON, copyright laws are not applicable.

And this guy is NOT distributing copyrighted material that does not belong to him, he is merely distributing the tool to allow others to modify theirs. So unless you were stupid enough to elect politicians who voted for the DMCA and other such bought laws, there is NOTHING illegal about any of this.

If you had a brain and did not just suck corporate dick you would know that the modding scene does this kind of thing routinely AND with encouragement. Create a new map using copyrighted resources? Go right ahead. As long as you only distribute the new map, not the textures and other resources from the game (which shouldn't be needed because the person downloading the map already has them from his own game).

Oh and it has been proven by the court that software licenses do not work as your diseased mind thinks they do. You can sell on software. When I buy software, I am free to modify it in any way I want. Good luck trying to enforce anything else in the free world. It would actually be rather nice if it was the other way around. Then software companies would also have to accept 100% liability for anything their software does on MY hardware. After all, it is THEIR property right?

Take Bill Gates dick out of your mouth long enough to get some fresh air and see if you can get that peanut in your head to think some independent thoughts.

Re:Liar (0)

Anonymous Coward | about 2 years ago | (#40640757)

I have not seen a more disillusioned rant than this in a very long time.

Re:Liar (3, Interesting)

nitio (825314) | about 2 years ago | (#40640815)

Hm, no I don't live in corporate USA though I'm trying to figure out which part of the free world you live. Care to share? Just curious. I live in Brazil so I'm not sure if you deem it as free or not. Not that I care that much.

I think I had made myself clear when I said "Copyright and all that shit" suggesting I don't agree with copyright legislation the way it is pretty much everywhere and the "YMMV" sort of implies that my point of software license isn't true all the time. I'm sorry if I haven't shouted or something to bring my point out.

Regarding company liability- as it is with anything legal it's always not 100% true or false but you can think about the Sony Rootkit CDs which, well, made them liable for the software it installed doing unexpected things in people's hardware. You don't need to agree with me neither counter it, I'm simply suggesting that as one example where the route can be taken the other way around.

Now, to the best part of your arguments, which is name calling. Might I suggest you avoid that? It doesn't add anything to anybody or the discussion. Sure you had your point - which is valid, I agree, though there are specifics. I don't think most companies that allow mods to happen are happy if people start making money out of it OR take their money because of it.
But when you name call, your argument is lost because you found someone who disagrees with you.

But hey, at least you imply you have independent thoughts!


PS: Bill's dick wasn't that good.

Re:Thanks Slashdot! (1)

Anonymous Coward | about 2 years ago | (#40640693)

I'm not buying that. If a text file comes with a license that says "do not modify this text" and you add "hello" to the top of the file, so long as you aren't distributing your modified version, there isn't a thing that the licensor can do to you.

This is my device, this is my computer. I can change any data that I want on it. No license can deprive me of my freedom to do so.

Re:Thanks Slashdot! (0)

Anonymous Coward | about 2 years ago | (#40640695)

>bought is a license

A license I did not sign is not binding. I bought and paid for the physical copy and not some weird-ass other shit, copyright is very clear on that. The amount of newspeak in your post is worrying (although you heard that probably from one of those untrue commercials).

Of course they can put whatever junk they want on the disc, however I can do whatever I want to it, including using it as a frisbee or decoding the data on it since I own the thing.

Re:Thanks Slashdot! (2)

legont (2570191) | about 2 years ago | (#40640897)

This is exactly why I personally try to avoid any paid software and such like a plague and use free source. It's not because I mind paying - I actually want to pay people for their work - but because I feel that if I bought something, it is unconditionally mine to do whatever I want with it. Yes, the law is currently different; yes we shall try to change it. Meantime, I just don't buy that kind of products unless absolutely unavoidable. For example, I'd love to have iPad - it's great - but I will not buy it ever.

Re:Thanks Slashdot! (1)

i kan reed (749298) | about 2 years ago | (#40640835)

Of course I do. Software is an organized large collection of data arranged in a novel way. On the other side: you can't copyright "true". Setting one bit on data you already possess is not copyright infringement. You're crazy.

Re:Thanks Slashdot! (1)

Ken_g6 (775014) | about 2 years ago | (#40641797)

Interesting logic. You don't pay for downloaded media or software, either?

Actually, I don't think I ever have. I only get Free (as in speech) software, free (as in beer) software, Free media, and free media (as in YouTube or what I get with my TV tuner card.)

But, then, I don't have any Apple devices.

Re:Thanks Slashdot! (4, Interesting)

Sarten-X (1102295) | about 2 years ago | (#40640105)

Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?

Re:Thanks Slashdot! (1)

Anonymous Coward | about 2 years ago | (#40640189)

> It's not like anybody had to put effort into making those variables do anything,

So what?

> These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

I pay for the storage system. Everything else is without imbued value, correct (human effort is a weasel phrase to corrupt the point; effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession. I have no moral responsibility to give credit, so I don't feel guilt. I also don't feel hungry after I eat. It's the common human condition. Welcome to the world.

Re:Thanks Slashdot! (1)

Antipater (2053064) | about 2 years ago | (#40640313)

(human effort is a weasel phrase to corrupt the point; effort does not equate to value)

Thanks so much. I haven't gotten a laugh like that since someone told me that Mormons attacked the US on 9/11. Tell me, how does it feel to live in a world where you never pay the labor cost associated with something?

Re:Thanks Slashdot! (2)

fredprado (2569351) | about 2 years ago | (#40640599)

I don't agree with everything the GP said, but he is right on the excerpt you decided to quote. Effort does not equate to value. You can run in circles loaded with rocks all day long and you will be producing very little value, for example.

Re:Thanks Slashdot! (0)

Anonymous Coward | about 2 years ago | (#40640795)

But if you were running around in circles loaded with rocks all day because I asked you to, would you do it for free? Whether software being sold is complete garbage or useful and well-made is irrelevant to the fact that if you want that software, it should be exchanged in an agreement with the author (and if said author wants to distribute the software for free, great, such is his prerogative).

Re:Thanks Slashdot! (1)

Dishevel (1105119) | about 2 years ago | (#40641905)

I did not ask the developer to develop. So the case you provided does not equate with software.
Not saying right or wrong. Just stating that the GP and GGGP are correct in that.
Personally I do not like software copyright. I think the current implementation of the laws is at best stupid.
I think we could have a much bigger effect by just ignoring their shit product though.
As long as we are "Stealing" it these people have a leg to stand on with the people that count. (Lawmakers)
If we decided looking at the entire product that it is as presented "shit" and just left it sitting there developers and studios would get the hint and produce content we want.

Re:Thanks Slashdot! (1)

Sarten-X (1102295) | about 2 years ago | (#40640939)

Unless someone values you running in circles with rocks enough to expend their own effort in some other way (like earning money with which to pay you). Maybe you're supposed to be testing the durability of flooring under heavy load, but I digress.

Exerting effort does not inherently require that someone else value it, but all value is derived (either directly or indirectly) from the exertion of effort. However, as a society we have generally held that all effort is valued when it benefits someone else. The exception to this rule is slavery, where a person's effort benefits someone else, but the person exerting the effort does not have the freedom to choose the value of their work.

Re:Thanks Slashdot! (1)

spire3661 (1038968) | about 2 years ago | (#40640857)

The problem is labor cost is often disconnected to the actual cost of the product. Should I pay for Max Payne 3 knowing the entire studio was just let go? Should I pay for Kingdoms of Amalur knowing the entire studio is dead and the owners ran off with the money? Paying for these products simply makes the money go down a hole.

Re:Thanks Slashdot! (4, Insightful)

Sarten-X (1102295) | about 2 years ago | (#40640467)

...effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession.

So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own? Apart from things you've put forth effort to produce, or put forth effort to earn the money to pay others to produce, what do you now possess that is of value?

Everything of value in this world is valued because of the human effort it took to produce it. Metals must be pulled from the Earth, ores must be smelted, and products must be assembled. Information must be conceived, clarified, and codified.

I have no moral responsibility to give credit, so I don't feel guilt.

I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

Re:Thanks Slashdot! (1)

scot4875 (542869) | about 2 years ago | (#40641027)

I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

I'm a programmer. I can only speak for myself, but I value physical and mental effort roughly equally.

However, what in-app purchases I see on the app store disgust me. I'll use a recent example of a game I downloaded: it was a decent enough tower defense game -- one that I'd have paid a couple bucks for to compensate the developers. However, there is no paid version; the only method of compensation available is via in-app purchases, where you can buy virtual money to pay for upgrades. The lowest level purchase costs $2.99 and gets you enough money to pay for 1/2 of a level of an upgrade. There are literally hundreds of levels of upgrades. The highest level purchase is $29.99 and gets you enough for about 6 full levels.

Fuck that. That is absolutely insulting. To spend $30 and not be able to unlock pretty much everything is ridiculous -- and the game doesn't have nearly enough content to make it worthwhile to keep playing to try to max out the upgrades and see how high a score you can get; it "ends" with barely 20% of the stuff being unlocked. If there were simply a $3-$5 buy option, I'd have paid for it and wished the developers well; when they try to milk $30 purchases out of people by using a scoring system that requires a bunch of repetitive play just to have an option to even *get* the highest score, they can starve for all I care. If I'd cared enough, I'd have just written a trainer to go in and add as much cash as I wanted and then published it to the Play store as a special screw-you to the developers.

If your game requires upgrades to do well, you'd better damn well make sure that the upgrades happen as you work through the game. Games that reset to the beginning after every play have no business going with this model. I didn't have to play through Super Mario Brothers 1000 times just to unlock all the options to get a chance to get a high score, and the fact that people somehow think this is an acceptable way for a scoring system to work now (shit like Temple Run) is just sad to me.

--Jeremy

Re:Thanks Slashdot! (1)

Sarten-X (1102295) | about 2 years ago | (#40642061)

I'm a programmer too. I can only speak for myself as well, but fuck everything about that pricing.

It's pretty obvious that the authors are grossly overvaluing their work. This still doesn't give potential customers the right to force them to accept a different valuation, though. The options are to pay the high price, don't use the upgrades, or try to communicate with the authors to negotiate a more reasonable deal.

Re:Thanks Slashdot! (1)

Bert64 (520050) | about 2 years ago | (#40641493)

For metals pulled from the earth and smelted, and products which are assembled a high level of effort must be expended for each and every product...

For any form of digital media, effort may well have gone into creating the initial version, but all subsequent copies were produced trivially... So by extension, only the original has any value and all the copies have little or no value.

Or you could argue that the value of the media should be split equally amongst each produced copy...

To declare that trivially produced copies hold value would in effect be to declare that the work has infinite value, since infinite additional copies can trivially be produced for no additional effort.

Re:Thanks Slashdot! (1)

Sarten-X (1102295) | about 2 years ago | (#40642041)

Or you could argue that the value of the media should be split equally amongst each produced copy...

This is exactly what I'm arguing for, but recognizing that the number of sales is generally unknown at the time the pricing is set, and almost definitely unknown at the time the initial effort is put forth.

I doubt it's possible for Duke Nukem Forever to ever sell enough copies to make up for the amount of effort that went into making (and remaking, and redesigning, and remaking) it. Of course, 15 years ago, that seemed entirely likely, and maybe even with a hefty profit because consumers would (in total) value the game more than the total agreed value of the programmers' effort making it.

To declare that trivially produced copies hold value would in effect be to declare that the work has infinite value

I can declare that with anything, easily copied or not. I keep a rock on my back porch. It's unique, and I exerted effort to find and recover it. I value that effort at $1,000,000, because I can. Of course, nobody else will value it that high, so nobody will purchase it from me. Similarly, I can produce an infinite number of copies of my software, but eventually I will run out of people who will buy the copies, because they value it less than I do. Eventually, the valuation of each copy (as decided by the buyers) approaches zero, establishing an upper limit on society's valuation of my software.

Of course, that upper limit may be many times higher than what I paid someone else for the education, equipment, marketing, and distribution of those copies, so I could make a significant profit. For producing something that society values that highly, I see nothing wrong with that.

Re:Thanks Slashdot! (-1)

Anonymous Coward | about 2 years ago | (#40640269)

Go ahead and build your cities on the slopes of Vesuvius. Don't cry to me when the mountain erupts on your dumb ass. I suppose you'll whine about how Andromeda's going to crash into the Milky Way in a few zillion years.

Looks like some little piggies better build their houses out of bricks. Blah, blah, blah hens baking bread, ants and grasshoppers, etc, etc...

Re:Thanks Slashdot! (1)

Serious Callers Only (1022605) | about 2 years ago | (#40640147)

Where the "something" in this case are the states of Boolean variables.

Is that the same sort of boolean as the states of Legal/Illegal, or some other rarefied form with which we are not familiar?

Re:Thanks Slashdot! (0)

Anonymous Coward | about 2 years ago | (#40640745)

And physical products are "just" the states and arrangements of atoms. Does this make it ok to steal physical products as well?

Re:Thanks Slashdot! (-1)

Anonymous Coward | about 2 years ago | (#40640045)

Stealing jewelry from a store involves depriving the owner of jewelry they can no longer sell to someone else. Making an unlicensed copy of software does not do this. The author is still free to copy it fifteen billion times if the demand arises.

Try thinking before opening your mouth [keyboard], then your moronic analogies won't make people think you're an idiot as often.

Re:Thanks Slashdot! (2)

Sarten-X (1102295) | about 2 years ago | (#40640289)

The effort spent to create the software can no longer be sold to someone else, either.

Instead, the author has worked out a plan for the pricing structure necessary to be fairly (in his or her mind) compensated for the time and effort, and making unlicensed copies is effectively removing a unit of income from that plan. The author could rebuild the plan to accommodate the lost payment, but now has to account for a smaller market, as well. Sure, the author can copy it fifteen billion times, but likewise a jeweler can spend his life making fifteen billion pieces to hand out to every cheap bastard who wants one.

Re:Thanks Slashdot! (0)

nedlohs (1335013) | about 2 years ago | (#40640653)

making unlicensed copies is effectively removing a unit of income from that plan.

If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale. That doesn't change that it can be sold to other people though, so it can still be sold to someone else.

Sure, the author can copy it fifteen billion times, but likewise a jeweler can spend his life making fifteen billion pieces to hand out to every cheap bastard who wants one.

I'm pretty sure that typing:
n=1
while true
do
        cp it it.$n
        n=`expr $n + 1`
done

doesn't take an entire life. Sure it'd waste disk space and be rather stupid to do, but I just did it for free (though I didn't try it so there's probably an error)...

Re:Thanks Slashdot! (0)

Anonymous Coward | about 2 years ago | (#40640969)

I love this line "If the person who got a copy free was going to buy it in the first place". You aren't going to live forever in the first place, so what difference is it if someone kills you today? I mean can it really be called murder? I mean you were going to die anyway! What's the big diff?

Re:Thanks Slashdot! (1)

Sarten-X (1102295) | about 2 years ago | (#40641379)

If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale.

That's not their decision to make, though. The author, being the one who exerted the effort, chooses the value of his work. A buyer can either accept the valuation and receive the results of the effort, reject the deal, or suggest a different value that the buyer may agree to.

At no point, however, is it fair for the buyer to unilaterally decide to have the results of the effort without paying in return. That infringes the producer's freedom to choose the value for his work. A geologist being told that the expedition to a tropical island to find a new oil field was really a vacation, so he won't be paid, is unfair in the same manner. The person doing the work is denied the ability to bargain.

Sure it'd waste disk space and be rather stupid to do, but I just did it for free

If you value your effort that little, that's your right. Personally, as an author of a few FOSS programs, I like that, but you do not have the right to force that valuation on someone else.

Re:Thanks Slashdot! (1, Informative)

CajunArson (465943) | about 2 years ago | (#40640065)

Since apparently the 10 remaining people on Slashdot now all have Aspergers, you should note that my first post was meant to be sarcastic and facetious.

To any Apple Security Service (A.S.S.) personnel, I would like to note that I do not own an i/Phone/Pad/whatever and therefore have no interest in stealing your precious apps. Oh wait.. I just realized that not owning an iWhatever makes me an even bigger criminal than that Russian dude! Time to flee the country (again)!

Re:Thanks Slashdot! (-1)

Dog-Cow (21281) | about 2 years ago | (#40640129)

I hope you die. Seriously. The suggestion that you are a criminal for not owning an Apple device is so pathetically un-funny that you should just give up and kill yourself.

Re:Thanks Slashdot! (-1)

Anonymous Coward | about 2 years ago | (#40640201)

Hoping that someone dies over a slashdot post is so pathetically out-of-touch with reality, so hateful, and so bigoted, that I'm certain this world would be far better off without you in it. Seriously.

Re:Thanks Slashdot! (-1)

Anonymous Coward | about 2 years ago | (#40640721)

But by not buying an iDevice, he is "stealing" that profit from right out of the hungry mouth of the Apple Corporation!

Lighten up Francis. Just because YOU didn't think it was funny doesn't mean the rest of the world won't. Time to unwad your lacy panties a bit. Your reply was about 100 times more pathetic than a semi-lame stab at humor.

Re:Thanks Slashdot! (1)

ganjadude (952775) | about 2 years ago | (#40640863)

What is with the low UIDs coming out of the woodwork to troll lately?

Re:Thanks Slashdot! (1)

Bigbutt (65939) | about 2 years ago | (#40640925)

Slashdot's user database was hacked and all the passwords are on one of the hacker sites. So it's not who you think it is.

[John]

Re:Thanks Slashdot! (0)

Anonymous Coward | about 2 years ago | (#40640167)

He didn't take it. He asked them to give it to him, they did.

Re:Thanks Slashdot! (0)

Anonymous Coward | about 2 years ago | (#40640365)

"I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it"."

Except if it's an MPAA movie or an RIAA-affiliated music label. Then it's okay.

#slashdotlogic

Re:Thanks Slashdot! (1)

XxtraLarGe (551297) | about 2 years ago | (#40641075)

The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

It was a joke, I think you missed the reference [imdb.com] .

Re:Thanks Slashdot! (1)

sl4shd0rk (755837) | about 2 years ago | (#40641273)

"if you don't want to pay for something it doesn't give you the right to take it"

Like private data on someone's mobile device?

Now you know. Now don't do it. (0)

jellomizer (103300) | about 2 years ago | (#40640247)

Also I wouldn't publish or use his findings. Because if you are caught you are in trouble.
Getting pirated material from another site (The Site owner takes some (usually the bulk) responsibility for the failure) is one thing. Actually trying to get the data straight from Apple Store, is stealing. If caught you are going to be responsible. Being that this is costing Apple Money, you will bet if they are nice they will charge you for the Apps you downloaded, if not they will fine you a much higher amount for stealing from them. If they are really going to be bastards about it they just may send the police to knock on your door. Just pay the freaking couple of bucks for the app. It isn't worth the risk of getting caught.

Re:Thanks Slashdot! (4, Informative)

Quila (201335) | about 2 years ago | (#40640271)

It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

Re:Thanks Slashdot! (1)

tlhIngan (30335) | about 2 years ago | (#40641743)

It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt). Which means if you attempt to buy it again, Apple basically doesn't charge you (the receipt says you already bought it).

For stuff like DLC, it makes sense - you won't lose the item you bought if you delete and reinstall the app later.

For stuff that's a purchase for something repeatedly, you can't check receipts (e.g., smurfberries, where you can pay $99 multiple times).

Plus, apps sometimes like to be able to give stuff for free, which they can implement any which way to check as Apple won't have a receipt (so it's a lose-it scenario if you uninstall and reinstall and the app doesn't back that information up).

Take it down! (-1, Troll)

billcopc (196330) | about 2 years ago | (#40640003)

This is moronic to have posted on /. and should be immediately taken down.

Re:Take it down! (0)

Anonymous Coward | about 2 years ago | (#40640079)

ROFL

Yes because anything that may interfere with the reality distortion device should never be on public display.

Meanwhile, suck it, Apple lover.

Re:Take it down! (0, Troll)

billcopc (196330) | about 2 years ago | (#40640177)

Eat a dick, AC.

What I'm saying is, if it's a slow news day, then let's not stoop to advertising black-hat services. I know the quality of posts on here has gone to shit, but this takes the cake. The shit-cake.

Re:Take it down! (-1)

Anonymous Coward | about 2 years ago | (#40640385)

Posting this vs the dozens of anonymous or lulsec articles w/ pastebin links to 1000s of password tokens is any different to this? Oh wait, you only bothered to RFA article this time cause it had the word Apple in the title and you got butt hurt to see your beloved brand get owned by such a simple hack.

Re:Take it down! (2)

MickyTheIdiot (1032226) | about 2 years ago | (#40640561)

No no no.. it's a PRO Apple Store topic. This just means now all developers will have to use the new validation method. It's exactly what Apple wants....

I'm gonna buy (5, Funny)

Culture20 (968837) | about 2 years ago | (#40640027)

a wheelbarrow of smurfberries!

Re:I'm gonna buy (-1)

Anonymous Coward | about 2 years ago | (#40640047)

It just works!

Re:I'm gonna buy (0)

Anonymous Coward | about 2 years ago | (#40640119)

zynga poker chips, then sell them on ebay and get real $$

Pay the price (4, Insightful)

Sponge Bath (413667) | about 2 years ago | (#40640051)

It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

Re:Pay the price (4, Informative)

tlhIngan (30335) | about 2 years ago | (#40640157)

It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).

It's possible to do a hybrid system where some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none which is the case on reinstall).

The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.

Re:Pay the price (-1, Flamebait)

jellomizer (103300) | about 2 years ago | (#40640315)

Apple has become one of the richest companies in the world due to poor financial tracking.

Re:Pay the price (1)

coinreturn (617535) | about 2 years ago | (#40640513)

-1, pulled this statement directly out of your ass.

Re:Pay the price (0)

Anonymous Coward | about 2 years ago | (#40640535)

In some universe, in some place and time, this might make sense. In this universe, this is complete nonsense.

What in hell are you talking about?

Who had such poor financial tracking that Apple became one of the richest companies in the world?

Are you saying the sale of millions of products, from computers, to phones, to tablets has nothing to do with their making a significant profit?

Whoosh. Your comment went completely over my head....

Re:Pay the price (1)

jellomizer (103300) | about 2 years ago | (#40640677)

Yes it did. I was supposed to be sarcastic.
But I guess with a lot of the Anti-Capitalist Everything point of view that is popular, I guess you would think I was being serious.

The point is if you are going to get free stuff from the Apple store... Apple is going to clamp down fast and hard, as you are directly taking money away from them.

Re:Pay the price (1)

Iniamyen (2440798) | about 2 years ago | (#40641455)

The sarcasm is strong with this one

re: Crime names (1)

pyzondar (1234980) | about 2 years ago | (#40640549)

It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

The crime of forging receipts is called Uttering. I would be fine with fraud as well, but calling it theft is just retarded.

Russia must be one hell of a land... (0)

bogaboga (793279) | about 2 years ago | (#40640053)

I say this because in this vast country, major breakthroughs in the tech world have a hand in Russia. I would label Russia as fertile waters to fish for good, competent hacker talent.

Re:Russia must be one hell of a land... (0)

Anonymous Coward | about 2 years ago | (#40640135)

Idle hands are the devil's play things.

scruples (2)

v1 (525388) | about 2 years ago | (#40640115)

Tricking an app store into giving you free game boosters is one thing, but then soliciting donations to upgrade the system is surprisingly brazen. A bit like the difference between pirating movies to watch, and selling pirated movies on the corner.

Does it really leave evidence of stealing IAP ? (2)

lymang (207777) | about 2 years ago | (#40640123)

So apparently you could do this already if your iDevice was jailbroken? I wonder if that method leaves any kind of evidence or not. Does this method (i.e. using this Russian workaround with certificates and whatnot) leave a trail of any kind? I mean, why would people do this if it did leave a trail? I've got to imagine it doesn't leave very much evidence. Or are people really just that greedy?

More apps should validate receipts (1)

bytestorm (1296659) | about 2 years ago | (#40640137)

Hasn't receipt validation been around about as long as in-app iOS purchases? You'd think more people would do it since there is money involved and it isn't particularly complicated.

Re:More apps should validate receipts (0)

Anonymous Coward | about 2 years ago | (#40640165)

yes and people still use strcpy().

When you're paying 20c an hr to some Indian outsourced dev firm to create your apps nobody observes secure programming practices .... gollly!

Re:More apps should validate receipts (1)

alen (225700) | about 2 years ago | (#40640205)

you must have not met the developers i've met over the years

I have to change 10 lines of code? oh no, my fingers are going to fall off. i'll just leave it like this

Re:More apps should validate receipts (2)

characterZer0 (138196) | about 2 years ago | (#40640259)

you must have not met the managers i've met over the years

I have to dedicate 10 minutes of a human resource? oh no, my bonus-driving stats are going to fall off. i'll just leave it like this

Re:More apps should validate receipts (5, Interesting)

billcopc (196330) | about 2 years ago | (#40640245)

Disclaimer: app developer here.

It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.

They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.

Re:More apps should validate receipts (0)

Anonymous Coward | about 2 years ago | (#40640521)

I really hope this shows the dev community how Apple and their AppStore containment process holds no real security value and exposes them for the frauds they are. The fact that this can be easily mitigated only exposes the blatant lack of reliability and lack of sophistication of Apple as a brand.

Re:More apps should validate receipts (0)

Anonymous Coward | about 2 years ago | (#40641007)

Call me when 100 copies of an app get posted to the market by people who took someone else's app, changed the name, and uploaded it as their own.

Re:More apps should validate receipts (1)

93 Escort Wagon (326346) | about 2 years ago | (#40641285)

The fact that this can be easily mitigated only exposes the blatant lack of reliability and lack of sophistication of Apple as a brand.

Did you not bother to read anything at all? Apple already provides a method for developers to verify the validity of in-app purchases - but some developers choose to not use it because it's easier not to.

This is a classic "lazy developer" problem, not an Apple problem.

Re:More apps should validate receipts (1)

broken_chaos (1188549) | about 2 years ago | (#40640647)

Even the verification could be spoofed if so desired.

Only if you either jailbreak the device or they're (stupidly) not using some sort of public key signing to verify authenticity.

Re:More apps should validate receipts (0)

Anonymous Coward | about 2 years ago | (#40641231)

Receipt validation is rather trivial to implement, actually:
https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html#//apple_ref/doc/uid/TP40008267-CH104-SW1

You are liable for purchases made this way... (1, Insightful)

bhlowe (1803290) | about 2 years ago | (#40640209)

I hope that Apple bills each user who tries this... It would not be that hard to show that the purchase was made and after a little sorting out, the credits will go to the developer.. I'm not sure what happens if you run up expenses on your account that you can't afford, but my guess is that your service may be interrupted... Most of us have day jobs where we toil away for a corporation or government. Some of us toil away on software projects so we can escape that grind. It isn't easy making a living selling software... Show a little decency and respect to the developers... The marginal cost of delivery has nothing to do with the morality of getting something that you're not entitled to have.

Details? (1)

dgatwood (11270) | about 2 years ago | (#40640219)

I'm not 100% clear on what this hack does. Are they:

  • Tricking an app into providing a bogus receipt to broken third-party servers that fail to properly validate store receipts, and thus provide content without a valid purchase,
  • Taking an existing pirated copy of an in-app purchase blob and tricking the app into thinking that it was provided by the store, or
  • Tricking an app into thinking that a receipt is valid by changing certificate trust policies, thus causing them to activate a feature that was built into the app to begin with?

Or some combination of the above?

Re:Details? (1)

falcon5768 (629591) | about 2 years ago | (#40640323)

The first one. Basically it only affects developers who don't use Apple's in-app purchase receipt checking APIs. Anyone who coded properly is not affected, which is probably why he chose to show it working on shitty Facebook-like games and not anything from a decent developer.

Not the first to do it (1)

Anonymous Coward | about 2 years ago | (#40640253)

There is already a much more polished version of this where you just install a single app from a Cydia repo that does essentially the same thing. It's been out for months.

Re:Not the first to do it (4, Informative)

falcon5768 (629591) | about 2 years ago | (#40640339)

It's not that he was the first that shocked anyone, it's that he pulled it off WITHOUT jailbreaking the phone using DNS redirects and user-installed certs

Article is misleading (4, Informative)

falcon5768 (629591) | about 2 years ago | (#40640299)

He didn't sidestep anything, he took advantage of bad developers who don't use Apple's in-app receipt checking APIs.

Cheat codes come to modern games (3, Insightful)

GameboyRMH (1153867) | about 2 years ago | (#40640309)

Before cheat codes made the games more fun for lousy players, but today they make them more fun for poor players!

/. Decline. (0)

Feyshtey (1523799) | about 2 years ago | (#40640351)

Has /. actually stooped so low as to post hacker how-to's? Really? When will it open the game cheats section, and the "used software" trade service...

Before giving your AppleID pass to a russian guy.. (0)

Anonymous Coward | about 2 years ago | (#40640383)

..you should think what are u doing.

Credentials? (1)

Paran (28208) | about 2 years ago | (#40640387)

I'm unsure what exactly gets sent with an in-app purchase, but I'd assume it has something to do with your App Store account. Can anyone tell me why I keep getting multiple errors when trust( "RussianHacker"); is called?

Re:Credentials? (1)

CowTipperGore (1081903) | about 2 years ago | (#40641517)

According to TFA, this is the data sent to the Russian servers when you use it to make a "purchase":

-restriction level of app
-id of app
-id of version
-guid of your idevice
-quantity of in-app purchase
-offer name of in-app purchase
-language you are using
-identifier of application
-version of application
-your locale

Lazy Developers using a default MKStoreKit (0)

Anonymous Coward | about 2 years ago | (#40640455)

http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html

Most devs with this issue basically never set up a server to store receipts for the transaction, which makes it impossible to restore purchases if you upgrade your phone, restore from a backup without the purchases, or verify that the transaction actually occurred if you, say, got a phone call in the middle of the transaction, lost internet connectivity, had a lossy 3G connection which lost vital packets of information, or the app just crashed. In all of those cases you would be out the money, and the developers wouldn't do anything in response. Contacting Apple might result in a credit for the amount of the iAP purchase, or it might not.

Receipt validation is good for everyone. Hopefully this will FINALLY encourage Lazy developers to stop using the default setting for MKStoreKit and actually set up iAP purchases properly.
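
The server-side check that the receipt-validation comments above refer to, as an added example that is not part of the thread and not Apple's or any commenter's code: the app hands its receipt to the developer's server, which asks Apple's verifyReceipt endpoint over its own TLS connection (so certificates and DNS settings on the handset play no part) and then checks bundle id, product and transaction id itself. The class and function names, the `com.example.*` identifiers and the stubbed replies are assumptions constructed for the example.

```python
import base64
import json
import urllib.request

VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # Apple's production endpoint


def ask_apple(receipt_bytes, url=VERIFY_URL):
    """POST the receipt to Apple from the developer's server; return the JSON reply."""
    body = json.dumps({"receipt-data": base64.b64encode(receipt_bytes).decode()})
    req = urllib.request.Request(url, data=body.encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ReceiptChecker:
    """Decides on the server whether a receipt sent by the app unlocks content."""

    def __init__(self, bundle_id, products, verify=ask_apple):
        self.bundle_id = bundle_id
        self.products = set(products)
        self.verify = verify   # injectable so the checks can be tested offline
        self.seen = set()      # assumption: a real server keeps this in a database

    def grant(self, receipt_bytes, claimed_product):
        reply = self.verify(receipt_bytes)
        if reply.get("status") != 0:            # 0 is the only "valid" status
            return False, "apple rejected receipt"
        receipt = reply.get("receipt", {})
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt is for another app"
        product = receipt.get("product_id")
        if product != claimed_product or product not in self.products:
            return False, "product mismatch"
        tid = receipt.get("transaction_id")
        if not tid or tid in self.seen:         # same receipt presented twice
            return False, "transaction replayed"
        self.seen.add(tid)
        return True, "granted"


def fake_apple(receipt_bytes):
    """Constructed stand-in for Apple's reply (sample data, not real receipts)."""
    known = {
        b"receipt-A": {"bid": "com.example.game", "product_id": "berries.large",
                       "transaction_id": "1000000001"},
        b"receipt-B": {"bid": "com.example.other", "product_id": "berries.large",
                       "transaction_id": "1000000002"},
    }
    if receipt_bytes not in known:
        return {"status": 21002}                # malformed receipt data
    return {"status": 0, "receipt": known[receipt_bytes]}


if __name__ == "__main__":
    checker = ReceiptChecker("com.example.game", {"berries.large"}, verify=fake_apple)
    for blob in (b"receipt-A", b"receipt-A", b"forged-by-proxy", b"receipt-B"):
        print(blob, checker.grant(blob, "berries.large"))
```
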

Man in the Middle... (5, Interesting)

Anonymous Coward | about 2 years ago | (#40640627)

In other news... Russian Hackers clear a lot of bank accounts...

Let me get this straight:
You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
Why spend a lot of work for some malware when good old STUPID provides the same setup for your man-in-the-middle attack.

Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.

Re:Man in the Middle... (1)

Bob the Super Hamste (1152367) | about 2 years ago | (#40641037)

My kingdom for mod points today. Mod this AC up.

This completely compromises device security (1)

Anonymous Coward | about 2 years ago | (#40640675)

Uh, let me get this straight. The method posted involves installing a SomeGuy's (TM) trusted root certificate and using SomeGuy's (TM) DNS resolver?

This is an incredible security risk, since it completely and utterly subverts any SSL/TLS communication from that device.

If you need an example - what's to stop SomeGuy (TM) from signing a certificate for https://www.your-bank.example.com/, copying the bank website to a server under his (or her) control, and having the DNS resolver point to the IP for his (or her) server instead of your actual bank?

Frankly, anyone who is misguided enough to do this deserves what's coming...

Re:This completely compromises device security (0)

Anonymous Coward | about 2 years ago | (#40641087)

They are aiming at the same people who use Installous then whine when some app comes with a payload of more than just the original .ipa file.

Same people who piss the hell out of the legit jailbreakers and the people part of the Cydia ecosystem.

So, if they get hung up by someone asking them to install a root cert and such in order to get more smurfberries without paying, nobody really is going to shed a tear.

but then after that... (1)

slashmydots (2189826) | about 2 years ago | (#40640755)

Apple pretty much ties your DNA sequence and entire family history back to the 1st century to your MAC address and Apple store account and the files themselves are still coming from their servers so I don't think it'd take real long for anyone doing this to get arrested.

On The "Russian Hacker Sidesteps Apple iOS In-App" (0)

Anonymous Coward | about 2 years ago | (#40640909)

I would be cautious on this. It smells like a "honey-pot" kind of situation. Apple is known for tracking its users' purchases, usage, etc. They may be looking for those who would actually commit this - a new bait and switch or snatch and grab. I recommend researching this further and seeing what the Russian Hacker's process was and following up with them on it.

Shocking I Tell You! (1)

rabtech (223758) | about 2 years ago | (#40641061)

Oh so if I install this random Root Certificate Authority on my machine, thus granting some random hackers the ability to perform MITM attacks against all my SSL sessions, they can perform a MITM attack on in-app purchase transactions?

Shocking, simply shocking.

FYI: this exists so enterprise customers can install their root CA certs so their internal certificates will be considered valid.

At its core, this is the same problem we have with SSL in general. CAs are a single point of failure and one rogue certificate or one hacked CA breaks the entire chain of trust.

install a Russian provided CA? (0)

Anonymous Coward | about 2 years ago | (#40641621)

what could possibly be the risk with that!

since some of them make use of Apple's method for (1)

mapkinase (958129) | about 2 years ago | (#40641759)

>since some of them make use of Apple's method for validating receipts.

And now I know who is the employer of that Russian developer
