What the in-app purchase hack means for app makers

By Marco Tabini, Macworld |  Software, App Store, Apple

Leaving aside the cost of setting up your own server, however, it is unfortunately easy to implement even this kind of validation in a way that leaves an app greatly vulnerable, because nothing prevents a hacker from pulling the same kind of attack on the developers servers and foiling the apps secondary validation in exactly the same way.

A better approach consists of using mechanisms that rely on asymmetric encryption, a technique that requires two passwords. When the first password is used to encrypt the data, only the second can be used to decrypt it, and vice-versa; if one of the two passwords is stored on the developers server and is never transmitted between the two, a man-in-the-middle attack would be very hard to pull off, particularly if each transaction is crafted so that it is only valid for a very short period of time.

This is not an impossible task, but it is a much harder one that needs to be performed for each individual app. The protection mechanism is also relatively simple to implement, if the developer has the necessary know-how.

Oh, so broken

On the surface, then, it looks like this is a problem for the developers to solve; after all, Apple makes no guarantees that its IAP verification process is to be trusted, and explicitly warns developers that they should implement their own validation systemnot to mention that the hack in question only succeeds because the users essentially poke a giant security hole in their devices.

To me, however, that seems a bit unreasonable. Despite the fact that Hollywood appears to have convinced the majority of the worlds population that all developers need to do in order to produce working apps is smash their pudgy hands on the Big Green Button (the red one is reserved for emergencies only), programming is a highly specialized profession. Thus, an independent developer who knows how to create a beautiful and engaging game does not necessarily have sufficient experience to understand the complexities of data cryptography.

To that, we must add the cost of setting up your own server. It may not take a large amount of money, but a small amount of money is all that many developers make; servers must be maintained, and server-side code must be writtenall activities that take time and cash.

Besides, the entire premise of the App Store is that the whole app distribution process is delegated to Apple precisely so that developers can focus on what they do best: Write great apps. Apples 30 percent cut becomes much harder to justify if, in addition to writing great software, developers also have to worry about being defrauded.

What Apple could do


Originally published on Macworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

SoftwareWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question