A Russian hack on the AppStore
A Russian programmer has found a way to circumvent the security system of the Apple AppStore to allow users to acquire extras for online games without buying them. Alexei Borodin, 21, placed a video describing how to hack the AppStore on YouTube last week. Apple has been investigating the hacking of its system ever since, but it has not managed to solve the problem.
The developers of applications for smart phones and tablet PCs often sell various “soft goods” (for example, suits of armor) to their users that help players advance to the next levels or enhance their game experience. Borodin has developed a way that users can access these goods for free by installing special certificates on their mobile devices and changing the settings of Wi-Fi activation. Borodin’s system is especially appealing for users since they do not need to hack into their iPhone or iPad devices to achieve the desired goal.
Alexander Matrosov, director of the Eset Virus Research Center, explained how the hack works. According to Matrosov, when an in-app purchase is made, the application sends a request to the Apple AppStore and the store generates a certain check confirming this purchase and sends it to the developer’s website. After the confirmation, the AppStore approves the product purchase and its download from the developer’s server. Matrosov said that Borodin found out that data exchanged by the AppStore’s and developer’s servers are sent in an unprotected format, and therefore that it is possible to counterfeit them.
The hack was uncovered on July 13 after a popular website, 9 to 5 Mac, wrote about it. By that time, users had made over 30,000 free purchases, Borodin told The Next Web. Borodin was motivated to invent his hacking system after his frustration with developers of the CSR Racing game and their policy on purchases of soft goods.
Borodin told Russian daily Vedomosti that he regards this hacking as legal: “Purchases inside the applications are not subject to licensing. You pay for nothing — you can install the Cut the Rope game, buy many products worth of $200, delete it, and after re-installing it have nothing in the end. The developer is responsible for nothing,” Borodin said. He added that no representatives of Apple have contacted him, although the developers of applications for the AppStore tried to communicate with him. “Some of them write that I am a thief, whereas others are delighted with my activities and offer a job,” Borodin said. He claims that he does not know how many times his service has been used — he switched off statistics on July 13.
Mikhail Lyalin, director general of software development firm Zeptolab, said that his company, which is the developer of Cut the Rope, has found a way to lock the free distribution of soft goods on its own. Zeptolab does not see any point in going after the players that received free goods using Borodin’s service since, according to Lyalin’s estimates, few people who play the game actually used it. The hacking event has also not affected popular games made by Russian Game Insight, according to company founder Alisa Chumachenko.
It has become possible to hack into this system primarily because Apple does not in any way encrypt user data for making purchases inside its applications, said Kirill Leonov, a representative of the Doctor Web antivirus company. To enhance security, Apple should have also closed some changes in the Internet access settings, he said. According to Leonov, this in-app hacking is significant because it is the first phenomenon of its kind in the AppStore, but it has affected a relatively small number of applications.
“The security of the AppStore is extremely important to us and to the developers’ society,” Apple representative Natalie Harrison told The Los Angeles Times.
First published in Vedomosti.ru.