New In-App Purchases Hack Discovered In iOS Apps, Works Even On iOS 9
They may be hugely popular with developers and universally hated by users, but there is little doubt that the in-app purchase model is here to stay. Showing no sign of going away just yet, especially in mobile gaming, in-app purchases are often used to give developers a long-running revenue stream by getting users to buy in-game currency and other consumables using real money. Unfortunately, a new report claims that the world of in-app purchases is far from secure.
Developer DigiDNA, maker of the new iMazing, has shared information which appears to show that it is possible to take an iPhone app and then effectively steal in-app content.
The way it works is to modify a game and then restore it using the iMazing app, with the company using Angry Birds 2 as an example. Having used its own tool, DigiDNA was able to gain 999,999,999 gems, something that would have cost $10,000 were they to be acquired using the legitimate in-app purchase system. This hack seems to be working even on iOS 9.
Our new app state backup/restore feature removes that friction: the app’s state can be exported as a .imazingapp file, which can be restored to any iOS 9 device in barely a minute.
While the iMazing app wasn’t built for this use (its aim is to make it easier to back up game data, etc.), it does seem particularly suited to the job of making it possible to steal in-app content. DigiDNA is quick to point out that the fault lies not with Apple but with the developers of games: the modifications take advantage of poorly written in-app purchase handling code.
The vulnerability is not in iOS, but in the affected applications’ IAP handling code. Purchased items should be stored in the keychain, or at least encrypted.
DigiDNA is so intent that its software not be used for this purpose that it is making a song and dance about the problem now in an attempt to make sure developers are forewarned, giving them a chance to put right the problems that iMazing has highlighted.
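To illustrate DigiDNA's advice that purchased items belong in the keychain, here is an added Swift example (not code from DigiDNA or from any affected game) that puts a consumable balance in a device-bound keychain item, next to the weak pattern of writing it into the app container. The `GemStore` type and the service and account strings are hypothetical, and the use of `UserDefaults` as the weak case is an assumption, since the report does not say how the affected games store the value.

```swift
import Foundation
import Security

// Hypothetical helper for this example; names and identifiers are placeholders.
enum GemStore {
    private static let service = "com.example.game.iap"   // placeholder service name
    private static let account = "gem-balance"            // placeholder account name

    // Weak pattern (assumed): UserDefaults is written as a plain plist inside the
    // app container, so it travels with exported app state and can be edited there.
    static func saveInsecure(_ gems: Int) {
        UserDefaults.standard.set(gems, forKey: account)
    }

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Hardened pattern: keep the balance in a generic-password keychain item.
    static func save(_ gems: Int) -> Bool {
        let data = Data(String(gems).utf8)
        let changes: [String: Any] = [kSecValueData as String: data]
        var status = SecItemUpdate(baseQuery as CFDictionary, changes as CFDictionary)
        if status == errSecItemNotFound {
            var item = baseQuery
            item[kSecValueData as String] = data
            // "ThisDeviceOnly" items do not migrate when a backup is restored
            // onto a different device.
            item[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
            status = SecItemAdd(item as CFDictionary, nil)
        }
        return status == errSecSuccess
    }

    // Returns nil when no item exists, for example after a restore to another device.
    static func load() -> Int? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let data = result as? Data,
              let text = String(data: data, encoding: .utf8) else { return nil }
        return Int(text)
    }
}
```

Callers should treat a `nil` from `load()` as "no locally stored balance" rather than falling back to a value read from the app container.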