The in-app purchase (IAP) system allows developers to sell additional services from inside an app usually provided free or at low cost. The process works by the app communicating via iOS with Apple servers. Apple first verifies the user, charges the user’s iTunes account, and then informs the app that the ‘purchase’ has either succeeded or failed.
But Russian developer Alexey Borodin has set up a remarkably simple and classic man-in-the-middle attack to by-pass the official system. His method is to install custom certificates on the user’s device and to divert the IAP purchases to his own server. Here he uses a single genuine IAP receipt for the app in question (one that he either purchased himself or has had donated) and returns it to the app. The app is fooled into thinking the purchase has successfully been completed, and the ‘purchased’ services are made available to the user – but no money has been involved and neither the the app developer nor Apple gets paid.
The Next Web spoke to Borodin last Friday. He explained his reasons. “I work alone. There was an idea. An angry idea due to CSR racing,” he said. “Now the idea is reality.” TNW adds, “He also says that he is no longer in control of the In-Appstore site, and will be deleting any information that he has about the site from his computer.” The site is said to be in the hands of an unnamed third party because Borodin says he does “not want to be in jail =).”
Early this morning, however, the site was operational. The notice, “Tomorrow service will be shut down, if i can not find $50 for bill for hosting for next month (it's already unpaid for two days). This is technology preview, and i won't pay for this,” has been crossed out and a new note added: “Thanks to Donators. Service will be available at least for one month. If apple can't fix it.”
Infosecurity strongly recommends that users do not make use of this site, or any similar ‘service’ that may appear in the future. Firstly, on moral grounds, this is theft from both the app developer and Apple. Secondly, on security grounds, the method requires the user to hand over his iTunes credentials. While this purports to be a man-in-the-middle attack against Apple, it could just as easily be a man-in-the-middle attack against the user.