In ultima saptamana sistemul de piratare a in-app purchase-urilor aplicatiilor din App Store a devenit foarte popular, zeci sau poate chiar sute de mii de oameni fiind interesati sa afle cum il pot folosi. Pentru ca sistemul a devenit atat de popular, cei de la Apple au fost fortati sa il blocheze, insa deocamdata ofera dezvoltatorilor o metoda temporara de imbunatatire a securitatii aplicatiilor, urmand ca din iOS 6 problema sa fie complet rezolvata. Solutia temporara propusa de catre Apple se gaseste in aceasta pagina si ea teoretic ar trebui sa nu poata fi exploatata de hackeri, dar ramane de vazut daca acest lucru se va intampla sau nu.
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
Intr-o declaratie data celor de la cNET, un purtator de cuvant al Appe sustine ca intreaga problema va fi rezolvata complet de Apple in iOS 6 si ca dezvoltatorii nu ar trebui sa se ingrijoreze. Pana atunci utilizatorii se bucura de gratuitati, iar dezvoltatorii pierd sume deloc neglijabile de bani.
We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases,” Apple spokesperson Tom Neumayr told CNET. “This will also be addressed with iOS 6.
