Apple unveils App Store IAP hack fix

Apple has responded to the discovery of a way of circumventing the in-app purchase validation process for iOS by unveiling a fix designed to curb the practice.

The firm has added a series of 'best practices' to its devloper library and released two of its private APIs, which when implemented ensure apps are not vulnerable to the attack.

Playing payments

The exploit, revealed by Russian hacker Alexey V. Borodin, allows users to download in-game content without charge by bypassing the App Store's server.

Receipt validation requests are instead redirected to a proxy server maintained by Borodin.

As a result, The Guardian reports that more than 8.4 million fake in-app purchases have been made to date.

Game over

Apple claims that developers that implement said APIs should know longer be vulnerable to the technique, though the security breach will not be permanently plugged until the launch of iOS 6.

"By examining Apple's statement about in-app purchases in iOS 6, I can say, that currently game is over," said Borodin of Apple's response.

"Currently we have no way to bypass updated APIs. It's a good news for everyone - we have updated security in iOS, developers have their air-money. But, service will still remain operational until iOS 6 comes out."

[source: Apple]