Apple thinks it has a solution to the Borodin App Store hack, but it’s not foolproof yet.
“Currently game is over,” Russian hacker Alexey Borodin admitted on his blog yesterday, as he contemplated Apple’s latest attempt to block his hack. Borodin hit the news a short while ago when his scheme to bypass the iOS store’s microtransaction process turned free-to-play games like Angry Birds into free games. Now Apple has a counter to Borodin’s scheme, though it will take an update to iOS6 to make the counter foolproof.
No doubt Borodin’s feeling a little depressed, as Apple’s response is fairly comprehensive. At the moment it relies on users updating their apps regularly, and once they do the fake purchases implemented via Borodin’s servers will be wiped from the users’ systems. In theory this can be averted if the user never updates, which is why the counter isn’t entirely effective yet. However Apple intends to shut this loophole down for good in iOS6, which means that Borodin’s hack is living on borrowed time.
Apple’s response to concerned developers has been to push the responsibility for checking receipts on to them. Apple’s “best practice” for validating receipts is to “send the receipt to your server, and have your server perform the validation with the App Store server.” This is something that developers haven’t all been keen to do, since it requires infrastructure investment on their part that can be more than they can afford.
Borodin isn’t defeated yet. The iOS6 update isn’t due until autumn, and according to him there may also be a way to spoof Apple’s Newsstand app. This app – used by newspapers like the New York Times – allows users to access daily magazine and news content, usually for a fee. Though Borodin has yet to prove it, he’s hinted that he’s found a way around the fee part of the process; now there’s a happy little nightmare for the cash-strapped New York Times to chew over.
Apple still hasn’t said whether or not developers affected by Borodin’s hack will be compensated for their losses.