Today we received some disturbing tips that a Russian developer has published a method of obtaining in-app purchases from iOS apps for free. First noticed by Russian blog i-ekb.ru, the “in-app proxy” method does not require a jailbreak, can be completed by novices in three steps using just an iOS device, and allows users to install in-app content for free. The hack also works on all devices running iOS 3.0 to 6.0. We have confirmed the method works (at least temporarily), and the published instructions are starting to get attention, so we decided to publish this story as a warning to the Apple developer community.
The hack appears to have come from Russian developer ZonD80, who posted the above video demonstration. ZonD80 also appears to run a website called In-AppStore.com, where donations are being accepted to support the development of the project and help keep servers up and running. The developer explained the three steps of the hack, which include the installation of a CA certificate, the installation of the in-appstore.com certificate, and the changing of the DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, as opposed to Apple’s usual purchase confirmation dialog. Perhaps just as troubling as the fact that the hack is being used to steal in-app purchase content from who knows how many developers are the developer’s terms of service.