Russian Hacker Circumvents Apple's In-App Purchase

Recently, a Russian hacker found a method to fool in-app purchasing in iOS apps so that users can get in-app-purchase content for free.

A Russian developer named ZonD80 recently posted a video on YouTube (now taken down on a copyright claim by Apple Inc.) demonstrating how he is able to get in-app purchases for free. In the video, the developer says the method takes three steps:

  1. installation of CA certificate
  2. installation of certificate from the website
  3. change of DNS record in Wi-Fi settings

After following these steps, making an in-app purchase shows a message asking the user to like the site, in place of Apple's in-app purchasing service.

Though this sounds like a jailbreak method, it is not a jailbreak. The method changes the DNS settings on the iOS device so that it points to a different, potentially hacked, DNS server that allows free in-app purchases, in place of the DNS server of your ISP or a third party (OpenDNS, Google, etc.); it therefore does not require jailbreaking the device. The certificates are used to send secure data over the internet. Reports indicate that the hacked DNS server works on iOS devices running versions 3.0 to 6.0.
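The following is an added model, not code from the video or from Apple, of why the DNS change and the installed CA certificate together are enough without a jailbreak. It also shows one common client-side countermeasure, certificate pinning, which the article does not discuss. The hostname, IP addresses, CA names and key bytes are constructed placeholders, and the TLS checks are simplified to subject, issuer and key comparisons.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate was issued for
    issuer: str    # name of the CA that signed it
    key: bytes     # stand-in for the public key (constructed bytes)

    def pin(self) -> str:
        """SHA-256 of the key bytes, the value a pinning client stores."""
        return hashlib.sha256(self.key).hexdigest()

# Constructed sample data; none of these values come from the article.
HOST = "purchase.example.com"
REAL = Cert(HOST, "Vendor Root CA", b"real-server-key")
FAKE = Cert(HOST, "User-Installed CA", b"impostor-key")
SERVERS = {"192.0.2.10": REAL, "198.51.100.7": FAKE}  # IP -> certificate served
ISP_DNS = {HOST: "192.0.2.10"}        # resolver from the ISP or a third party
ALTERED_DNS = {HOST: "198.51.100.7"}  # resolver set by hand in Wi-Fi settings
STOCK_TRUST = {"Vendor Root CA"}      # CAs trusted by an unmodified device
PINS = {REAL.pin()}                   # key hash shipped inside a pinning app

def connect(host, dns, trust_store, pins=None):
    """Return (accepted, reason) for one modelled TLS connection."""
    cert = SERVERS[dns[host]]             # DNS alone decides which server answers
    if cert.subject != host:
        return False, "hostname mismatch"
    if cert.issuer not in trust_store:    # default check: is the issuer trusted?
        return False, "untrusted issuer"
    if pins is not None and cert.pin() not in pins:
        return False, "pin mismatch"      # extra check: is it the expected key?
    return True, "ok"

def scenarios():
    """Run the four device states and return their outcomes by name."""
    altered_trust = STOCK_TRUST | {"User-Installed CA"}
    return {
        "stock device": connect(HOST, ISP_DNS, STOCK_TRUST),
        "dns changed only": connect(HOST, ALTERED_DNS, STOCK_TRUST),
        "dns + CA installed": connect(HOST, ALTERED_DNS, altered_trust),
        "dns + CA, pinned app": connect(HOST, ALTERED_DNS, altered_trust, PINS),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:22} accepted={ok} ({why})")
```

In this model the DNS change alone fails the issuer check; only once the extra CA is trusted does default validation accept the substitute server, and the pin comparison is the check that still rejects it.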

Though this allows users to get in-app purchases for free, we do not recommend doing this. Besides being a big security hole for Apple, it is also bad for developers, since they lose their revenue. While most apps that have in-app purchasing can be circumvented, the method will not work on some apps that do not use Apple's in-app purchasing servers to verify purchases. As of right now, Apple has said:

“The security of the App Store is incredibly important to us and the developer community,” Apple representative Natalie Harrison told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”

As a reminder, we do not condone pirating software. Since this is a major security breach for Apple, we had to warn iOS developers.