The fix for now, according to Apple, is to follow the company’s best-practices guidelines and use receipt validation, where developers’ own servers verify through the App Store whether or not a purchase receipt is legitimate.
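The server-side check Apple recommends, as an added example that is not from the article or from Apple: the developer’s server posts the receipt to the App Store and accepts it only if Apple reports it valid and it names the right app, the right product and a transaction id not already redeemed. Apple’s verifyReceipt endpoint and its JSON field names are real; the bundle and product ids, transaction ids and the offline mock responder are constructed for illustration.

```python
import json
import urllib.request

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # Apple's production endpoint


def post_to_app_store(receipt_b64):
    """Send the base64 receipt to Apple from the server (not the device) and parse the JSON reply."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(APPLE_VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def validate_receipt(receipt_b64, expected_bundle_id, expected_product_id,
                     seen_transactions, post_fn=post_to_app_store):
    """Return (ok, reason). Grant the purchase only when ok is True."""
    try:
        resp = post_fn(receipt_b64)
    except Exception as exc:  # network failure or malformed reply: fail closed
        return False, f"app store unreachable: {exc}"
    if resp.get("status") != 0:  # 0 is the only status meaning "valid receipt"
        return False, f"app store rejected receipt, status {resp.get('status')}"
    receipt = resp.get("receipt", {})
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "receipt is for a different app"
    for item in receipt.get("in_app", []):
        if item.get("product_id") != expected_product_id:
            continue
        tx = item.get("transaction_id")
        if not tx or tx in seen_transactions:  # a valid receipt replayed twice is still fraud
            return False, "transaction already redeemed (replay)"
        seen_transactions.add(tx)
        return True, "ok"
    return False, "purchased product not in receipt"


# Constructed mock of the App Store reply (hypothetical data) so the check runs offline.
def fake_app_store(receipt_b64):
    responses = {
        "GOOD": {"status": 0, "receipt": {"bundle_id": "com.example.game",
                 "in_app": [{"product_id": "com.example.game.coins100",
                             "transaction_id": "1000000000000001"}]}},
        "FORGED": {"status": 21002},  # Apple could not parse the receipt data
        "OTHER_APP": {"status": 0, "receipt": {"bundle_id": "com.example.other",
                      "in_app": [{"product_id": "com.example.game.coins100",
                                  "transaction_id": "1000000000000002"}]}},
    }
    return responses[receipt_b64]
```

Because the verification request leaves the developer’s server rather than the user’s device, DNS settings and certificates installed on a jailbroken or modified phone have no say in the answer.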
The developer behind the hack stated on In-AppStore.com,
“By examining Apple’s last statement about in-app purchases in iOS 6, I can say that currently the game is over. Currently we have no way to bypass the updated APIs. It’s good news for everyone: we have updated security in iOS, developers have their air-money. But the service will still remain operational until iOS 6 comes out.”
His hack allowed iOS users to make in-app purchases without paying by using his servers instead of Apple’s to process the transactions. By convincing users to install two specially crafted digital certificates on their iOS devices, he has been able to bypass Apple’s payment process.
The downside to the service is that app developers aren’t able to collect money they’re rightly owed when users steal their content. End users are also susceptible to man-in-the-middle attacks: because the hack routes devices through his own DNS servers, the developer behind it could spoof any website URL, and he can collect identifying information about users who take advantage of his hack.
Apple’s first attempt to block the theft of in-app purchases failed, although it looks like — at least for now — the company has a system in place that will protect developers from in-app purchase theft.
The hack developer said he plans to leave the payment bypass system in place until iOS 6 is released, and is actively working on developing a similar hack for the Mac App Store.