With the ongoing development of iOS 6, the production of the next-generation iPhone and the rumored smaller iPad, as well as the imminent release of OS X Mountain Lion, Apple has been under real scrutiny lately after a Russian researcher found a way to bypass the in-app purchase process in apps available via the official App Store. The bypass procedure, involving an intermediary server and two iPhone certificates, undoubtedly caused an internal headache at Apple and prompted almost immediate action.
Tim Cook and his executive team acted promptly to delegate the issue to a specific team within Apple, and the result is a new online support page covering in-app purchase receipt validation within iOS apps. The document opens with a short background on the vulnerability: it concerns in-app purchase receipts, and works by altering the device's DNS information so that an app's receipt-validation requests are routed to an external server instead of the App Store.
The Cupertino giants have recommended that developers follow the new guidelines strictly so that they don't fall prey to the whole fiasco. The document confirms that apps which connect directly to the App Store server to perform validation are affected by the issue and could be vulnerable to the attack, and it gives four bullet points addressing the issue.
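The practical lesson of the document is that a validation reply must not be trusted just because it came back with a success status. The following is an added example, not code from Apple's support page: it checks a validation reply against what the app itself expected (its own bundle ID, the product actually being bought, and a transaction ID never redeemed before) and builds a TLS context that refuses a connection whose certificate does not match the host name. The JSON field names and the sample replies are assumptions constructed for this example, modelled loosely on the App Store reply format.

```python
import json
import ssl

# Constructed sample replies in a simplified, assumed JSON shape.
GOOD_REPLY = json.dumps({"status": 0, "receipt": {
    "bundle_id": "com.example.app",
    "product_id": "com.example.app.coins100",
    "transaction_id": "1000000012345678"}})
WRONG_PRODUCT_REPLY = json.dumps({"status": 0, "receipt": {
    "bundle_id": "com.example.app",
    "product_id": "com.example.app.coins1000",   # not the item being paid for
    "transaction_id": "1000000012345679"}})


def check_validation_reply(reply, expected_bundle_id, expected_product_id, seen_ids):
    """Return (ok, reason) for a receipt-validation reply.

    seen_ids is the app's persistent set of transaction IDs already redeemed;
    a reply reusing one of them is a replay, not a new purchase.
    """
    try:
        data = json.loads(reply)
    except ValueError:
        return False, "reply is not JSON"
    if data.get("status") != 0:
        return False, "store reported status %r" % (data.get("status"),)
    receipt = data.get("receipt") or {}
    # Compare against values the app knows, not values in the reply alone.
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "bundle id does not match this app"
    if receipt.get("product_id") != expected_product_id:
        return False, "product id does not match the payment being settled"
    tid = receipt.get("transaction_id")
    if not tid:
        return False, "missing transaction id"
    if tid in seen_ids:
        return False, "transaction id already redeemed (replayed receipt)"
    seen_ids.add(tid)
    return True, "ok"


def strict_tls_context():
    """TLS context that rejects a peer whose certificate is untrusted or
    issued for a different host name, so a redirected connection fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    redeemed = set()
    for reply in (GOOD_REPLY, GOOD_REPLY, WRONG_PRODUCT_REPLY):
        print(check_validation_reply(reply, "com.example.app",
                                     "com.example.app.coins100", redeemed))
```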
The fact that Apple has responded to this issue in a timely fashion will provide some comfort to developers who use the in-app purchase mechanism to monetize their software, but the interim resolution doesn't exactly paint an ideal picture. As part of the immediate solution, Apple has granted developers permission to access private APIs in their apps, something that is normally frowned upon. With the vulnerability affecting iOS 5.1 and below, it should also be reassuring that Apple has announced a permanent resolution that will be part of the final release of iOS 6; until then, following the best practices in the new online document should suffice.
With an immediate and long-term resolution on the table, Apple has managed to keep some of the wolves at bay. It will be interesting to see if and how Apple decides to compensate developers who have fallen victim to the vulnerability and lost revenue because of it.