How Apple is fighting iOS in-app purchase hack

On Friday, Apple issued a brief statement that it was looking into a published workaround that lets iOS users get in-app purchase content for free. It doesn’t look like Apple has found a true solution yet. But it’s certainly been busy this weekend, including taking down the original demonstration video on YouTube and getting PayPal to block donations.

The workaround was published last week by Alexey Borodin, a Russian hacker who demonstrated in a (now inaccessible) video on YouTube that with the installation of two certificates and a tweak to an iPhone’s Wi-Fi settings, he could bypass the step that requires payment for extra content within some iOS apps. (Macworld has more detail on how he’s doing it.)

By Friday afternoon, an Apple representative told us the company was “investigating.”

Here’s what Apple has done since then, according to The Next Web:

Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.

It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.

What Apple hasn’t done? Actually gotten in touch with Borodin, according to the report.

And Borodin isn’t backing down, he says he has responded to Apple’s manuevers by moving his server to another (unnamed country) and is using a different PayPal account to gather donations for his project. So, while Apple is attempting to contain this security breach, developers can’t rest easy yet — the problem has not yet been solved.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

  • Connected world: the consumer technology revolution
  • Controversy, courtrooms and the cloud in Q1
  • Survey: the next wave of enterprise mobility



GigaOM