Did you miss a session from GamesBeat Summit 2022? All sessions are available to stream now. Learn more

ZonD80 in-app purchases hack

Apple is closing in on a Russian hacker giving people a way to steal in-app purchases. But while the company has issued take down notices and blocked his server access, he still has found a way to stay in business.

According to The Next Web, Apple has sent out a number of take-down requests for content associated with Alexey V. Borodin, known by his YouTube account name ZonD80. The issue arose Friday when the YouTube video surfaced showing iOS users how to avoid paying for in-app purchases. The hack worked on iOS versions 3.0 and up, on any of the iOS devices that could run those versions. In the video he used an iPhone 4S running iOS 6. Borodin explained that you only need to install two security certificates as well as change your DNS settings and you’d be set to steal in-app purchases.

Apple is now obviously targeting Borodin, and recently requested the Internet service provider shut down his website In-App.com, which served as a way for him to solicit donations. Apple blocked Borodin’s IP address so that he can no longer access Apple’s servers as well.

Apple also targeted his YouTube video, which explains the hack and how to install it. The video now says, “‘In-App.com Get in-app…’ This video is no longer available due to a copyright claim by Apple, Inc.” when you try to play it. However, Borodin has published a second video titled, “Reply to Apple. In-app purchases are still free and require no jailbreak.”

In the video, Borodin takes a slight poke at Apple. When you go to “buy” (read: steal) and in-app purchase, a push notification (see above image) used to say, “If you like in-app proxy click like button!” Now it says, “You want to love Apple, don’t you?”

The Next Web notes, however, that despite the shut downs and Apple blocking his IP, Borodin is still processing free in-app purchases. He has allegedly moved his operation to an international server — outside of Russia — in order to throw Apple off his scent. Borodin has also figured out a way to process the transactions without having to access the App store, and forces users to sign out of their iTunes accounts so there are no tracks between him and Apple.

At the time, Apple spokesperson Natalie Harrison told VentureBeat, “The security of the app store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”

Beyond stealing from Apple and its developers, however, finding a way around paying for in-app purchases is taking away some of the lifeblood of free-to-play apps. That is, many free-app developers rely on advertising and in-app purchases revenue to run their business. Having one of those taken away would undoubtedly severely affect that company’s P&L.

[youtube http://www.youtube.com/watch?v=2pnxj-Y_JVE]

via The Next Web

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.