Author Topic: In-App Purchase Vulnerability to Be Fixed in iOS 6; Apple Offers Best Practices to Developers  (Read 381 times)
HCK
« on: July 21, 2012, 03:00:31 am »

In-App Purchase Vulnerability to Be Fixed in iOS 6; Apple Offers Best Practices to Developers
      



As noticed by 9to5Mac, Apple has offered developers a series of best practices to prevent the In-App Purchase vulnerability, and has promised a full fix in iOS 6. The advisory was sent to developers in an email today.


Apple issued this statement to CNET:

"We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases," Apple spokesperson Tom Neumayr told CNET. "This will also be addressed with iOS 6."

Apple issued this note to developers on the iOS Developer webpage, along with a series of suggestions to help verify that in-app purchases are legitimate:

"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid."

News of the in-app purchase hack broke a week ago, and Apple has made several attempts to prevent users from using the hack. The hack lets users avoid paying for in-app purchases by routing them through a third-party server in a "man-in-the-middle" attack. Apple now includes the UDID identifier in in-app purchase receipts in an attempt to increase the security of purchases.




 

      

http://www.macrumors.com/2012/07/20/in-app-purchase-vulnerability-to-be-fixed-in-ios-6-apple-offers-best-practices-to-developers/
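
The trust decision described in Apple's note, as an added example that is not part of the original post or of Apple's guidance: a small model of why a certificate issued by a user-installed CA passes a check against the whole device trust store, and how anchoring to built-in roots plus a key pin rejects it. The hostname, CA names, key bytes and function names are constructed, and signatures are not modeled.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes  # constructed stand-in for the certificate's public key bytes

    def pin(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()


def chains_to(chain, anchors):
    """Each cert must be issued by the next one, and the last by a trusted anchor."""
    if not chain:
        return False
    links_ok = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return links_ok and chain[-1].issuer in anchors


def trust_device_store(chain, host, builtin, user_installed):
    # Weak check: a CA the user installed counts the same as a built-in root.
    return chains_to(chain, builtin | user_installed) and chain[0].subject == host


def trust_pinned(chain, host, builtin, pins):
    # Hardened check: built-in roots only, and the leaf key must match a known pin.
    return (chains_to(chain, builtin) and chain[0].subject == host
            and chain[0].pin() in pins)


# Constructed sample data (placeholder names, not real endpoints or CAs).
HOST = "store.example"
BUILTIN = {"Built-in Root CA"}
USER_INSTALLED = {"User-Installed CA"}
GENUINE = [Cert(HOST, "Intermediate CA", b"genuine-leaf-key"),
           Cert("Intermediate CA", "Built-in Root CA", b"intermediate-key")]
FORGED = [Cert(HOST, "User-Installed CA", b"other-leaf-key")]
PINS = {GENUINE[0].pin()}

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE), ("forged", FORGED)):
        print(name,
              "device-store:", trust_device_store(chain, HOST, BUILTIN, USER_INSTALLED),
              "pinned:", trust_pinned(chain, HOST, BUILTIN, PINS))
```
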
      