Los desarrolladores quieren más seguridad en sus aplicaciones de pago
Not because of its numerous sales but because of a bug discovered in the Apple API that could have allowed more than 30,000 fake sales.
Alexey Borodin has managed to make purchases without any charges to our account by installing some certificates and changing the phone’s DNS.
Here’s how it works. Borodin with the change of DNS and certificate installation was able to intercept in-app purchases on their server instead of Apple’s. This server would return a purchase certificate to the application making the app think that the payment had been made .
In addition, in case the applications ask to verify the purchase certificate again, the server will intercept the request again and answer yes, which is valid.
As you can see, bad news for many developers who saw in-app shopping as a way to offer free applications and make a profit afterwards.
Apple has made a statement commenting on the importance of App Store security to them and their developer community . They also claim that they are investigating the issue but that the method does not work in all applications. Likewise, although this hack can be performed to get purchases without paying, it is not recommended. Users would be sending information about their iTunes Store accounts to Russian servers.
It is a serious problem for users who go out and make purchases without paying because they will be giving out personal data but more importantly, their card numbers associated with their iTunes account.
We’ll see which methods developers apply to avoid these losses or whether they’ll have to wait for Apple to fix their API. The least bad thing is that maintaining a server for such functions is expensive so anyone who wants to imitate Borodin will not have it so easy.