Apple Plays Cat And Mouse With In-App Purchase Hacker

from the what-if-I-change-this-setting dept

Piracy has been considered the bane of game developers for as long as games have existed. Over the years, many methods of fighting piracy or turning those who play for free into paying customers have come and gone. Some methods focused on deterring pirates, while others instead focused on maximizing profits. One of these profit-maximizing endeavors, which recently gained traction with game developers, is the use of micro-transactions -- or as they are often called in the mobile world, "in-app purchases." This method of revenue generation was quickly accepted by many game developers, as it provided a way to distribute the game for free to as many people as possible with the prospect that enough of those free users would then buy in-game items with real money.

Because of this business model, mobile phone producers (mainly Apple) have developed APIs that allow game developers to easily tie their in-game stores to Apple's payment processing and authentication services. While this method is not without its issues, it has been accepted as a relatively secure method of monetizing a game. That is, until one hacker named Alexey V. Borodin figured out a relatively simple way to spoof the purchases of in-game items. Using this exploit, Alexey claims that as many as 30,000 transactions have been made since instructions went live.

In a follow-up article, The Next Web reports that Apple has begun efforts to prevent the spread of this exploit. These efforts include blocking the IP address of the server Alexey was using, requesting that the server be taken down by the Russian hosting company which owned it, sending takedown notices to YouTube over videos providing instructions, and getting PayPal involved in shutting down the account Alexey was using to collect donations (a whopping $6.78 was raised according to that report). Apple also included the following statement:
The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.
Even with all these attempts at taking down Alexey's service, it still remains up and running for all willing iPhone users to take advantage of; that is, if those users are willing to risk their privacy and iTunes accounts to use it, something Alexey claims is not an issue.

While this exploit is very troubling on many levels, it really highlights the folly of relying on security through obscurity. Apple had the chance to secure its APIs long before this exploit happened. It has an opportunity to do so now. In fact, Alexey states that he is more than willing to talk about the issue with Apple. Unfortunately, Apple has not contacted him. While I can understand Apple's unwillingness to work directly with someone who openly exploits its services, it would be prudent to use all available options to end this exploit.

One would hope that game developers who feel threatened by this exploit will pressure Apple to fix the security issues in its APIs, as well as provide some kind of training in best practices for securing in-app purchases. Of course, game developers should also be doing their part, using all available tools to protect the integrity of their games -- something all software developers should do from the beginning.

Reader Comments


    Anonymous Coward With A Unique Writing Style, 20 Jul 2012 @ 9:52am

    Re: Re: Re: Re: Re: Steam

    I don't understand what you're saying. So the links I provided have no bearing on what I stated or what you stated, is that correct?

    K. Let me put this really simply. You stated Apple makes sure Apple IDs and credit cards are secure. I said basically, "Nuh uh, and there's proof." Which I then presented. You threw a shit fit. You/Sad Mac then went off your rails a bit more.

    So you interpreted "entries" to mean "comments", despite the fact that I said this (?):

    "In fact, let's just play a game. Let's Google (gasp!) the words "apple account hacked" and then let's see how recent some of the things that will show up are, shall we?

    Hmm. That's curious. The first 6 entries all have dates that are within the past 2 months and it's worth noting that the first 6 entries ALL are being discussed on Apple discussion boards."

    I don't know how you interpreted it incorrectly, but again, that's not my problem. Either way, you stated something that wasn't factually true. I then stated something to correct you, presented proof and you flipped out. Like I said, don't like it... that's fine, but don't get upset when people correct you because that's how life is. People will tell you things you don't want to hear. And stop taking things so personally. I'll correct anyone and I myself have been corrected on this. I usually even say, "Hey, if I'm off on something feel free to correct me." I then thank people who do correct me, I do not flip out like you did.

    Now that this has all been cleared up, I look forward to doing this again. But try out what I said, stop stating things as fact before you have all relevant information at hand (and your personal experience, as great and important as it can be, DOES NOT translate to making what you've experienced an automatic fact for the rest of the world). That's your problem and I've pointed it out before. I'm not trying to be mean or a jerk.
