A Russian programmer has released a hack that compromises iOS security and allows users to access paid in-app content for free.
The developer posted a video, picked up by the Russian blog i-ekb, that reveals an in-app proxy; the method can be performed without jailbreaking the iOS device.
The proxy system sends purchase requests to third-party servers, where they are validated and sent back as approved transactions, according to 9to5Mac's report.
The trick doesn't just work on apps themselves. In-app purchases are also used by Apple's Newsstand to buy subscriptions for individual magazines, and the trick works on all versions of iOS from 3 to 6.
The only catch is that users have to upload security certificates before they can access the proxy server. The developer has also set up a website for donations to run the proxy servers that are required for the scam to work, according to CNET.
The steps to carry out the hack are as follows, although they are not recommended, as login details for your Apple account are required and can easily be stolen and misused.
-Install two certificates: CA and in-appstore.com.
-Connect via Wi-Fi network and change the DNS to 22.214.171.124.
-Press the Like button; enter your Apple ID and password.
Meanwhile, iOS app developers should be warned about the fake in-app purchases while they wait for Apple to fix the security flaw. 9to5Mac has listed the data being accessed by the proxy server as follows:
-Restriction level of app
-Id of app
-Id of version
-GUID of your device
-Quantity of in-app purchase
-Offer name of in-app purchase
-Language you are using
-Identifier of application
-Version of application
The site also reports that the method does not work for all apps, and since the hack was released, more purchases are failing, which suggests that either Apple or the developers have caught on.