Apple Plays Cat And Mouse With In-App Purchase Hacker

from the what-if-I-change-this-setting dept

Piracy has been considered the bane of game developers for as long as games have existed. Over the years, many methods of fighting piracy or turning those who play for free into paying customers have come and gone. Some methods focused on deterring pirates, while others instead focused on maximizing profits. One of these profit-maximizing endeavors, which recently gained traction with game developers, is the use of micro-transactions -- or, as they are often called in the mobile world, "in-app purchases." This method of revenue generation was quickly accepted by many game developers, as it provided a way to distribute the game for free to as many people as possible with the prospect that enough of those free users would then buy in-game items with real money.

Because of this business model, mobile platform vendors (mainly Apple) have developed APIs that allow game developers to easily tie their in-game stores to Apple's payment processing and authentication services. While this method is not without its issues, it has been accepted as a relatively secure way of monetizing a game. That is, until one hacker named Alexey V. Borodin figured out a relatively simple way to spoof the purchases of in-game items. Alexey claims that as many as 30,000 transactions have been made using this exploit since his instructions went live.

In a follow-up article, The Next Web reports that Apple has begun efforts to prevent the spread of this exploit. These efforts include blocking the IP address of the server Alexey was using, requesting that the server be taken down by the Russian hosting company which owned it, sending takedown notices to YouTube over videos providing instructions, and getting PayPal involved in shutting down the account Alexey was using to collect donations (a whopping $6.78 was raised, according to that report). Apple also issued the following statement:
The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.
Even with all these attempts at taking down Alexey's service, it still remains up and running for all willing iPhone users to take advantage of; that is, if those users are willing to risk their privacy and iTunes accounts to use it, something Alexey claims is not an issue.

While this exploit is very troubling on many levels, it really highlights the folly of relying on security through obscurity. Apple had the chance to secure its APIs long before this exploit happened. It has an opportunity to do so now. In fact, Alexey states that he is more than willing to talk about the issue with Apple. Unfortunately, Apple has not contacted him. While I can understand Apple's unwillingness to work directly with someone who openly exploits its services, it would be prudent to use all available options to end this exploit.

One would hope that game developers who feel threatened by this exploit will pressure Apple to fix the security issues in its APIs, as well as to provide some kind of training in best practices for securing in-app purchases. Of course, game developers should also be doing their part to use all available tools to protect the integrity of their games -- something all software developers should do from the beginning.
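The article's point about developers "doing their part" comes down to one server-side rule: never credit an in-app purchase because the client says it happened; credit it only after the game server has verified a receipt the trusted store actually issued. The example below is added here to illustrate that rule and is not code from the article, from Apple, or from any game. It stands in a shared-key HMAC for the store's signature so it runs offline (a real iOS backend would instead hand the device's receipt to Apple's server-to-server verification endpoint); the signing key, bundle id, product catalog and transaction ids are all constructed values. It shows the weak pattern (trusting the client's claim) beside the hardened one (signature check, app and product checks, and replay rejection).

```python
import hashlib
import hmac
import json

# Constructed values for this example; none of them come from the article.
STORE_SIGNING_KEY = b"constructed-store-signing-key"   # known only to the trusted store backend
EXPECTED_BUNDLE_ID = "com.example.game"                # assumed identifier of our app
PRODUCT_CATALOG = {"com.example.game.gems100": 100}    # product id -> in-game gems credited


def issue_receipt(product_id, transaction_id, bundle_id=EXPECTED_BUNDLE_ID, key=STORE_SIGNING_KEY):
    """Simulates the trusted store issuing a signed receipt after a real payment.

    Only a holder of the key can produce a valid signature, so the receipt is
    evidence the game server can check, unlike a bare claim from the client.
    (HMAC stands in for the store's real signature so the example runs offline.)
    """
    payload = json.dumps(
        {"bundle_id": bundle_id, "product_id": product_id, "transaction_id": transaction_id},
        sort_keys=True,
    )
    signature = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def naive_credit(claimed_product_id):
    """Weak pattern: the server credits whatever product the client says it bought.

    Anything that can talk to this server (or sit between the app and the store)
    gets the item for free, because nothing here ties the claim to a payment.
    """
    return PRODUCT_CATALOG.get(claimed_product_id, 0)


class ValidatingLedger:
    """Hardened pattern: verify the receipt against the trusted store and reject replays."""

    def __init__(self, key=STORE_SIGNING_KEY):
        self.key = key
        self.seen_transactions = set()   # persistent storage in a real deployment

    def credit(self, receipt):
        """Return (gems_credited, reason); gems_credited is 0 on any failed check."""
        payload = receipt.get("payload", "")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the signature check leaks no timing information.
        if not hmac.compare_digest(expected, receipt.get("signature", "")):
            return 0, "invalid signature"
        try:
            data = json.loads(payload)
        except ValueError:
            return 0, "malformed payload"
        # A valid receipt for some other app must not unlock items in ours.
        if data.get("bundle_id") != EXPECTED_BUNDLE_ID:
            return 0, "receipt issued for a different app"
        product_id = data.get("product_id")
        if product_id not in PRODUCT_CATALOG:
            return 0, "unknown product"
        # One transaction buys one item; a resubmitted receipt earns nothing.
        transaction_id = data.get("transaction_id")
        if transaction_id in self.seen_transactions:
            return 0, "transaction already redeemed"
        self.seen_transactions.add(transaction_id)
        return PRODUCT_CATALOG[product_id], "ok"


if __name__ == "__main__":
    ledger = ValidatingLedger()
    genuine = issue_receipt("com.example.game.gems100", "txn-0001")
    print("naive, no receipt at all:", naive_credit("com.example.game.gems100"))
    print("validating, genuine receipt:", ledger.credit(genuine))
    print("validating, same receipt again:", ledger.credit(genuine))
    forged = issue_receipt("com.example.game.gems100", "txn-0002", key=b"not-the-store-key")
    print("validating, forged receipt:", ledger.credit(forged))
```

The checks are ordered so the cheapest and most decisive one (the signature) runs first; the bundle-id check matters because a genuine receipt from a cheap purchase in another app is still a genuine receipt, and the transaction-id set turns each receipt into a one-time token.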

Reader Comments

    Anonymous Coward With A Unique Writing Style, 20 Jul 2012 @ 8:26am

    Re: Re: Re: Steam

    I don't take it as a personal attack, I just find it odd how quick you are to critique other things like Android (and usually with incorrect information) and then you say things about Apple that aren't necessarily correct.

    I did however point out that Apple is not necessarily securing people's Apple IDs or credit card information as well as you might believe or as well as you might try and lead others to believe. I then stated that this is something that has been going on for years now, there are tons and tons of discussion boards filled with people who have had issues arise where someone had hacked their account, and despite this going on for years Apple has still done nothing about it for the most part.

    Also, wtf. Someone's angry, and it isn't me. Perhaps you should take the time to cool off and realize that people are going to take apart piece by piece things you say when you say things that aren't correct. Is it my fault you tend to state things that aren't correct? No. It is your fault. It is however my duty to correct your incorrect statements, as to prevent others from believing something that is false. That's what we should all do though, correct false statements. If you have a problem with being corrected then perhaps you should go out of your way to make sure you have all the information needed before you say something.

    And it might seem like a personal attack on you, me doing this, but that's because you're one of the few stating things on Apple and Android articles on a regular basis and doing so with not so up-to-date or accurate information. (See previous point about getting all the facts and things correct before clicking "Submit".)

    And no, I am very much not a troll. If I was a troll I'd just write, "You're wrong, iSheep. Apple sucks." Then I'd disappear from the comments. I don't do that though.

    Seriously, don't like being corrected then perhaps you should stop posting or at least stop posting incorrect things. But by all means, be happy all you want. But as someone who knows plenty of people who use Apple products, I don't want them believing statements made by guys like you saying, "Apple and Apple products are SOOOOO secure and nothing bad could ever breach Apple's walled gardens." Shit like that leads to more work for guys like me. And I for one won't have it.
