The iOS in-app purchase system has been hacked, and Apple isn’t sure what to do about it.
Last Friday Apple’s iOS store was faced with its worst nightmare: a hacker who’d discovered a way to bypass its in-app purchasing system. The hacker in question, Russian Alexey Borodin, was allowing Apple’s customers to download premium app store content for free. Although Apple took steps, forcing Borodin to change his IP and abandon PayPal as a means of getting payment for his service, the hacker is still out there and Apple currently has no way to cut him off.
Borodin’s hack allows users to bypass the in-app purchase system used by so-called “free” apps, so that they can download app content while avoiding the iOS payment system.”Why must pay for content [sic],” Borodin argued in a video release since pulled from YouTube, “I think, you must not.” In a separate message to Macworld, Borodin claimed to be a hobbyist who has a grudge against developers who promote free games that then nickel-and-dime the customer. Though Borodin was using PayPal as a means of collecting donations, he told Macworld he’s just as happy for people to use it free of charge.
The hack means that payments which would normally be authorized by the Apple store now get their content via Russian servers. This system doesn’t work on all in-app purchases; those authorized by the developer, not by Apple, are secure against the Borodin hack. However many developers validate via Apple because to do it themselves they would need to run their own server, and that can get both complicated and expensive.
Apple currently has no means of defending itself against Borodin, so the 30% cut that developers have to give them to use the service isn’t buying developers the security they need. Even Borodin’s customers have no way of defending against the hack, since in order to make use of Borodin’s service they have to give his servers access to their Apple ID and password. If Borodin is the hobbyist he claims to be perhaps there is no risk; if not, Apple isn’t the only one who may find themselves out of pocket this time out.
Apple has yet to say whether or not developers affected by this hack will be compensated for their losses.