Developer Marco Tabini told Macworld that Apple's approach to receipt validation is flawed, and that thus the company itself is at fault for this exploit's existence. (Disclosure: Tabini is an occasional Macworld contributor, and developed an app with me.)
The exploit, Tabini explained, is not due to developer incompetence. "Merely validating a receipt against Apple is not enough," he said. Tabini said that processes like Apple's should use a shared secret--sort of a secret code known only to the app and to Apple: "If Apple provided a shared secret as part of the IAP process, using that secret in conjunction with a random salt would prove to developers that responses from Apple were genuine when they validated receipts."
Apple did not respond to multiple requests for comment.
So Borodin's hack works with purchases validated solely on iOS, because those purchases look only at the fake Apple server addresses the hack provides. Apps that instead rely on their own Web servers to validate receipts, of course, talk to the genuine Apple servers--which in turn respond that the receipts are invalid, since Apple didn't really generate them. But Borodin says that the next phase of his hack will go one step further: "The future is to cache developers' server responses," he said, which would mean that even apps that validate on the Web would be at risk.
Tabini points out, however, that if developers use their own secure measures--shared secrets, secure signing, and the like--it would be an order of magnitude more work for Borodin to hack their apps' server responses.
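The scheme Tabini describes (a shared secret combined with a random salt so the app can tell a genuine validation response from one produced by a substituted server, and so a cached response from an earlier request cannot be replayed, which is the caching threat Borodin mentions above) can be sketched in a few lines. The following Python is an added illustration written for this article; it is not Apple's receipt-validation API or any developer's production code. The secret, the receipt fields, the "valid"/"invalid" status strings and the two stand-in servers are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed value for illustration only; in the scheme described,
# this secret is known to the app and the validation service and to no one else.
SHARED_SECRET = b"constructed-shared-secret-for-illustration"


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so both sides MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_response(body: dict, nonce: str, secret: bytes) -> str:
    """HMAC-SHA256 over the client's nonce (the 'random salt') plus the response body."""
    mac = hmac.new(secret, nonce.encode() + b"\n" + canonical(body), hashlib.sha256)
    return mac.hexdigest()


def genuine_server(receipt: dict, nonce: str, secret: bytes = SHARED_SECRET) -> dict:
    """Stand-in for the real validation endpoint (assumed, not Apple's): it checks the
    receipt and authenticates its answer together with the nonce the client sent."""
    status = "valid" if receipt.get("signed_by") == "store" else "invalid"
    body = {"status": status, "product_id": receipt.get("product_id"), "nonce": nonce}
    return {"body": body, "mac": sign_response(body, nonce, secret)}


def spoofed_server(receipt: dict, nonce: str) -> dict:
    """Stand-in for the substituted host the article describes: it answers 'valid'
    for anything, but without the secret it cannot produce a correct MAC."""
    body = {"status": "valid", "product_id": receipt.get("product_id"), "nonce": nonce}
    return {"body": body, "mac": "00" * 32}  # placeholder MAC, will not verify


def client_verify(response: dict, expected_nonce: str, secret: bytes = SHARED_SECRET) -> bool:
    """What the app does with a response: check the nonce, check the MAC, then the status."""
    body = response.get("body", {})
    if body.get("nonce") != expected_nonce:
        return False  # answer to some other request (cached/replayed), reject
    expected = sign_response(body, expected_nonce, secret)
    if not hmac.compare_digest(expected, response.get("mac", "")):
        return False  # not produced by a holder of the shared secret, reject
    return body.get("status") == "valid"


def purchase_is_valid(receipt: dict, server) -> bool:
    """One validation round trip: fresh nonce out, authenticated answer back."""
    nonce = secrets.token_hex(16)
    return client_verify(server(receipt, nonce), nonce)


def replay_is_rejected() -> bool:
    """A genuine response cached from one request does not satisfy a later request."""
    receipt = {"product_id": "com.example.coins", "signed_by": "store"}
    cached = genuine_server(receipt, secrets.token_hex(16))
    return client_verify(cached, secrets.token_hex(16)) is False


# Constructed sample receipts: one issued by the store, one fabricated.
GENUINE_RECEIPT = {"product_id": "com.example.coins", "signed_by": "store"}
FORGED_RECEIPT = {"product_id": "com.example.coins", "signed_by": "nobody"}

if __name__ == "__main__":
    print("genuine receipt, genuine server:", purchase_is_valid(GENUINE_RECEIPT, genuine_server))
    print("genuine receipt, spoofed server:", purchase_is_valid(GENUINE_RECEIPT, spoofed_server))
    print("forged receipt, genuine server: ", purchase_is_valid(FORGED_RECEIPT, genuine_server))
    print("cached response replayed:       ", "rejected" if replay_is_rejected() else "accepted")
```

The nonce is what makes the caching attack fail: even a perfectly genuine, correctly authenticated response is bound to the single request it answered, so storing it and feeding it back later does not help. The MAC is what defeats the substituted server: a host that does not hold the secret can say "valid" all it likes, but the app discards anything it cannot authenticate.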
In short, Borodin's hack is a classic "man in the middle" attack, where the malicious code (or lucrative code, depending upon your perspective) sits between you and the real server you're meant to hit.
The fact that Borodin's hack exploits an apparent weakness with Apple's system is unlikely to sit well with app makers. "The whole point of the [in-app purchase] system and the App Store is that you shouldn't have to worry about the system," Tabini said. "Otherwise, what are you giving Apple its 30 percent for?"
More to the point, app makers are more likely to rely on Apple's receipt validation approach than building their own solution. "I'm willing to bet that 99 percent of all developers validate on iOS because it's a lot of extra work to set up a server that does the validation," developer Craig Hockenberry told Macworld.