30,000 in-app purchases were pirated in just a few hours using in-Appstore

Earlier today I wrote about the In-Appstore system, which lets you pirate in-app purchases for applications, and now I can tell you that in the few hours between the system's presentation and now, 30,000 pirated transactions have been recorded. In practice we are talking about an interval of more than 6 hours in which iDevice owners recorded more than 30,000 fake transactions through Apple's in-app purchase system, and if we were to convert those transactions into money, the sum would certainly be significant.

As of earlier today, some 30,000+ in-app purchases have been made through Borodin’s service, which he says gathers no personal information from its users.

The system uses a vulnerability in in-app purchases to offer users this functionality, and one developer claims that Apple can fix everything by improving the encryption of the data transmitted between the iDevice and the company's servers. In the meantime, I think a great many transactions will be recorded for as long as the system is active, and of course developers will lose a fair amount of money.

“The fact is, this would be easy for Apple to solve by providing a method for developers to validate IAP receipts using what’s called a “shared secret,” that is, a piece of information known to both Apple and the developer that is not exchanged as part of the validation process,” says developer Marco Tabini. “Coupled with another technique called “salting,” in which each communication is digitally signed in a time-sensitive way, this would make it much harder for someone to subvert the IAP process using a man-in-the-middle attack.”
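The shared-secret and time-sensitive signing idea from the quote above, as an added sketch that is not Apple's API and not code from the original post: a validator signs its verdict with an HMAC keyed by a secret that never travels with the message, and the developer's side rejects anything forged, replayed or stale. The function names, message fields, the per-request nonce and the 300-second window are assumptions made for this example.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values. A real secret is provisioned out of band and is
# never sent as part of the validation exchange.
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300  # assumed freshness window


def _mac(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def sign_validation(secret, receipt_id, status, nonce, now=None):
    """Validator side: bind the verdict to the receipt, the caller's nonce and a timestamp."""
    payload = {"receipt_id": receipt_id, "status": status, "nonce": nonce,
               "ts": int(time.time() if now is None else now)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.decode(), "mac": _mac(secret, body)}


def verify_validation(secret, message, expected_receipt, expected_nonce, now=None):
    """Developer side: return (ok, reason). The MAC is checked before the body is parsed."""
    body = message["body"].encode()
    supplied = str(message.get("mac", "")).encode()
    if not hmac.compare_digest(_mac(secret, body).encode(), supplied):
        return False, "bad-mac"  # sender does not hold the shared secret, or body was altered
    payload = json.loads(body)
    if payload["receipt_id"] != expected_receipt:
        return False, "wrong-receipt"
    if payload["nonce"] != expected_nonce:
        return False, "replayed-or-foreign-nonce"  # genuine answer to a different request
    now = time.time() if now is None else now
    if abs(now - payload["ts"]) > MAX_AGE_SECONDS:
        return False, "stale"  # signature is valid but outside the time window
    if payload["status"] != "valid":
        return False, "not-valid"
    return True, "ok"
```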