
Apple suggests temporary fix for in-app purchase fraud

Apple has confirmed exactly how people are exploiting in-app purchases to make money illegally, The Verge reports. In a document for app developers, it has also suggested some ways to stop them doing so.

So read on if you thought Android was the only mobile OS plagued by scams.

The problem concerns in-app purchases. The bad guys have found a way to impersonate the App Store server, letting people make in-app purchases without actually paying, screwing Apple and the app makers out of their earnings.

The problem is in iOS 5.1 and earlier, but Apple has promised it'll be fixed in iOS 6.

"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device," reads the document.

"An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker's server as an App Store server.

"When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid."

So what can developers do? Apple suggests they validate purchase receipts from their own servers instead of from the device. It also has a few fixes for developers who don't use their own servers.

These are just temporary solutions, however. Apple says iOS 6 will right this once and for all.
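As an added illustration of the server-side approach Apple recommends (example code written for this page, not Apple's or the article's): the app forwards its receipt to the developer's own server, which asks the App Store to validate it and then applies the checks below to the reply before unlocking anything. The JSON field names and the sample responses are assumptions constructed for this example, not taken from the article.

```python
"""Server-side in-app purchase receipt checks (added example).

Validation runs on the developer's server, so a DNS change or a
user-installed CA on the handset cannot redirect it.  Field names
(status, bid, product_id, transaction_id) follow the legacy
verifyReceipt JSON as the author recalls it: an assumption here.
"""
import json


def validate_receipt_response(response_text, expected_bundle_id,
                              expected_product_id, seen_transaction_ids):
    """Return (ok, reason) for a validation reply received by the server.

    A bare status code is never enough: a forged reply, a receipt for a
    different app, a cheaper product, or a replayed genuine receipt can
    all arrive with status 0.
    """
    try:
        resp = json.loads(response_text)
    except ValueError:
        return False, "malformed response"
    if resp.get("status") != 0:
        return False, "store reported status %r" % resp.get("status")
    receipt = resp.get("receipt")
    if not isinstance(receipt, dict):
        return False, "no receipt body"
    # A valid receipt for somebody else's app must not unlock ours.
    if receipt.get("bid") != expected_bundle_id:
        return False, "bundle id mismatch"
    # A receipt for a cheap item must not unlock an expensive one.
    if receipt.get("product_id") != expected_product_id:
        return False, "product id mismatch"
    tx = receipt.get("transaction_id")
    if not tx:
        return False, "missing transaction id"
    # Replay: the same genuine receipt presented a second time.
    if tx in seen_transaction_ids:
        return False, "transaction already redeemed"
    seen_transaction_ids.add(tx)
    return True, "ok"


# Constructed sample replies (not real App Store data).
GOOD = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.game",
    "product_id": "com.example.game.coins100",
    "transaction_id": "1000000001"}})
FORGED = json.dumps({"status": 0})  # a fake server's minimal "valid" reply
```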

Earlier this month, the usually Fort Knox-like App Store was hit by its first malware app. Called 'Find and Call', it secretly uploaded your contacts to a remote server. A rogue server also caused some bona fide apps like Instapaper to malfunction, rendering them unusable. Malware and dodgy apps are nothing new on the Google Play store, which has no verification process. But Apple prides itself on its stringent security.

Has the Cupertino company's reputation been besmirched? Let me know in the comments or on Facebook.

Comments 2

anonymous, 21 July, 2012 11:59

Apple's products have never been perfect nor free of vulnerabilities. Indeed, "jailbreaking" is prima facie evidence of this. However, this "first malware" claim has been blown way out of proportion.

Unlike Android, the perpetrating company of this "first malware" was immediately identified, and even released an apology that it was an error that was being corrected. Sincere or not, I don't recall such mea culpas for even a tiny fraction of Android's over 25,000 identified threats to date. It's more like Facebook's cross-platform app that no media dared call "malware", that injected email addresses into people's address books and diverted email responses to a mailbox on Facebook's servers that most didn't even know existed.

Likewise for the in-app purchasing flaw, while it is definitely real, it's not a threat to unsuspecting iOS users. It's a software "crack" that requires effort to install, and an intent to defraud, by each iOS user, before it becomes an issue to them.

anonymous, 20 December, 2012 21:39

I let my 3-year-old son play on the iPad and he racked up a huge bill on in-app purchases that I didn't know about till I looked at my bank statements. This is a bigger problem than you think. My son was playing Clay Jam and racked up the bill, so be careful.


Copyright © 2013 CBS Interactive Limited. All rights reserved.