Apple to fix in-app purchase vulnerability in iOS 6, creates support document for developers
Responding to a much-publicised hack which allows users to obtain iOS in-app purchases for free, Apple has created a new support document outlining how developers can protect their apps from the exploit. The document also reveals that iOS 6 will address the vulnerability.
The exploit, which was created by Russian hacker Alexey Borodin, involves installing bogus certificates on devices running iOS 5.1 and earlier, and altering DNS settings. Once done, apps are tricked into validating purchases with a third-party server pretending to be one of Apple’s App Store servers.
Until iOS 6 is released later this year, Apple is advising developers to follow best practices: send in-app purchase receipts to their own server, and have that server perform the validation with the App Store server rather than trusting validation done on the device.
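As an added illustration (not code from Apple's support document or from the article), the following Python sketch shows the server-side validation pattern described above. The device hands its receipt to the developer's server; the server, whose DNS and certificate store the user does not control, submits the receipt to Apple and then checks that the result actually belongs to this app and has not been redeemed before. The verifyReceipt URLs and the status codes 0, 21002 and 21007 are Apple's documented values; the bundle id `com.example.game`, the product and transaction ids and the canned replies in `demo()` are constructed; the field names `bid`, `product_id`, `transaction_id` and `quantity` are assumed to match the receipt dictionary Apple's verifyReceipt service returned for iOS receipts of that era.

```python
"""Server-side in-app purchase receipt validation (illustrative, not Apple's code)."""
import base64
import json
import urllib.request

# Apple's documented receipt verification endpoints (production first, sandbox on 21007).
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

STATUS_OK = 0                 # receipt is valid
STATUS_MALFORMED = 21002      # receipt-data was malformed
STATUS_SANDBOX_RECEIPT = 21007  # sandbox receipt sent to the production endpoint


class ReceiptRejected(Exception):
    """Raised whenever the purchase must not be granted."""


def post_json(url, payload, timeout=10):
    """Default transport: POST JSON to Apple over TLS and decode the JSON reply.
    urllib verifies the server certificate against the *server's* trust store,
    so certificates a user installed on their phone play no role here."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def validate_receipt(receipt_bytes, expected_bundle_id, known_products,
                     seen_transactions, post=post_json, allow_sandbox=False):
    """Validate a receipt with the App Store and return the purchase details.
    Raises ReceiptRejected on any failure; the caller grants nothing in that case."""
    payload = {"receipt-data": base64.b64encode(receipt_bytes).decode()}
    reply = post(PRODUCTION_URL, payload)
    if reply.get("status") == STATUS_SANDBOX_RECEIPT and allow_sandbox:
        reply = post(SANDBOX_URL, payload)
    if reply.get("status") != STATUS_OK:
        raise ReceiptRejected("App Store returned status %r" % reply.get("status"))

    receipt = reply.get("receipt") or {}
    # A receipt that Apple signed for some other app is still "valid" to Apple;
    # it must also be a receipt for *this* app and one of *its* products.
    if receipt.get("bid") != expected_bundle_id:
        raise ReceiptRejected("receipt bundle id does not match this app")
    product_id = receipt.get("product_id")
    if product_id not in known_products:
        raise ReceiptRejected("unknown product %r" % product_id)
    # A genuine receipt replayed a second time must not unlock the item twice.
    txn = receipt.get("transaction_id")
    if not txn:
        raise ReceiptRejected("receipt carries no transaction id")
    if txn in seen_transactions:
        raise ReceiptRejected("transaction %s already redeemed" % txn)
    seen_transactions.add(txn)
    return {"product_id": product_id, "transaction_id": txn,
            "quantity": int(receipt.get("quantity", 1))}


def demo():
    """Offline walk-through using constructed App Store replies (no network).
    Returns the accept/reject outcome of each submitted receipt."""
    canned = {  # constructed sample replies, keyed by the fake receipt contents
        "genuine": {"status": STATUS_OK, "receipt": {
            "bid": "com.example.game", "product_id": "com.example.game.coins100",
            "transaction_id": "1000000012345678", "quantity": "1"}},
        "wrong-app": {"status": STATUS_OK, "receipt": {
            "bid": "com.other.app", "product_id": "com.example.game.coins100",
            "transaction_id": "1000000087654321", "quantity": "1"}},
        "malformed": {"status": STATUS_MALFORMED},
    }

    def fake_post(url, payload):
        return canned[base64.b64decode(payload["receipt-data"]).decode()]

    seen = set()
    products = {"com.example.game.coins100"}
    results = {}
    # The genuine receipt is submitted twice: the second submission is a replay.
    for name in ("genuine", "genuine", "wrong-app", "malformed"):
        try:
            validate_receipt(name.encode(), "com.example.game", products, seen, post=fake_post)
            results.setdefault(name, []).append("accepted")
        except ReceiptRejected:
            results.setdefault(name, []).append("rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

The `post` parameter exists so the validator can be exercised offline, as `demo()` does; in production the default `post_json` transport is used unchanged. Note that a status of 0 from Apple is only the first of four checks: the bundle id, the product id and the transaction id must each be confirmed by the server, because the page's exploit scenario is precisely one where the device side of the exchange cannot be trusted.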
In related news, The Next Web reports that Borodin has also come up with a similar hack for Mac apps. With OS X Mountain Lion due for release before the end of this month, Apple don’t have long to find a fix, though of course they could address it in a future security update.