Apple's In-App Purchase System Bypassed with Simple Tools; Is This The Next Attack Vector?


As we have told all of you before, no system is secure. We have watched as Android malware writers use social engineering to mass-market spam, and now we are seeing the first proof of concept of a method to “hack” Apple’s In-App Purchase feature. We mentioned in our recent coverage of the Android.Dialup malware that this feature was not only vulnerable, but could also be used as a vector for attack and the installation of other malware.

The hack, found by Russian developer ZonD80, is present in all versions of iOS since the In-App Purchase feature was introduced. The purchase system is also relatively simple to get around:
All you have to do is install a couple of certificates (a root CA and one for in-appstore.com).
Connect via WiFi and change your DNS to 62.76.189.117.
Press the Like button and then enter your Apple ID and password.

The system relies on using a proxy (the site you just installed the certificates for) to bypass the normal Apple servers when you try to purchase items in your installed application base. ZonD80 is also asking for donations to keep the servers running and to help fund future development. We have a feeling that the site will not last long at all once Apple finds out about it. We know that multiple sites have already contacted them about it, so we are guessing that the service will last a couple more days and be gone.
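The two device-side changes in the steps above (an added root CA and a changed DNS server) are what let a proxy stand in for the real servers. As an added example, not part of the original article, this Python audit flags devices that show either or both conditions. The inventory record format, the approved resolver ranges and the CA names are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical policy values (assumptions, not from the article).
APPROVED_RESOLVERS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.0.2.53/32")]
APPROVED_ROOTS = {"Example Corp Internal Root CA"}

# Constructed sample records in a hypothetical inventory export format.
DEVICES = [
    {"id": "phone-01", "dns": ["10.1.1.53"], "user_roots": []},
    {"id": "phone-02", "dns": ["62.76.189.117"],
     "user_roots": ["Unknown Root CA"]},
    {"id": "phone-03", "dns": ["10.1.1.53"],
     "user_roots": ["Example Corp Internal Root CA"]},
    {"id": "phone-04", "dns": ["198.51.100.7"], "user_roots": []},
    {"id": "phone-05", "dns": ["not-an-ip"], "user_roots": ["Unknown Root CA"]},
]

def resolver_approved(addr):
    """True if addr parses as an IP inside an approved resolver network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a malformed value is treated as unapproved
    return any(ip in net for net in APPROVED_RESOLVERS)

def assess(device):
    """Return (severity, reasons) for one device record."""
    bad_dns = [d for d in device.get("dns", []) if not resolver_approved(d)]
    bad_roots = [r for r in device.get("user_roots", [])
                 if r not in APPROVED_ROOTS]
    reasons = []
    if bad_dns:
        reasons.append("unapproved resolver: " + ", ".join(bad_dns))
    if bad_roots:
        reasons.append("unapproved root CA: " + ", ".join(bad_roots))
    # An unapproved resolver plus an unapproved trust anchor together allow
    # TLS traffic to be redirected and still pass default chain validation.
    severity = {0: "ok", 1: "review", 2: "high"}[len(reasons)]
    return severity, reasons

def audit(devices):
    """Map device id -> (severity, reasons)."""
    return {d["id"]: assess(d) for d in devices}

if __name__ == "__main__":
    for dev_id, (sev, reasons) in audit(DEVICES).items():
        print(f"{dev_id}: {sev} {'; '.join(reasons)}")
```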

The problem is that this flaw has existed in the system and can be used for more malicious purposes. Can you imagine if, instead of hosting free items, this was about scavenging user information (and it still could be)? Or if this hack gets integrated into an app that slips by Apple’s censors like an earlier SMS spam system did? This type of vulnerability is a problem across all smartphones and has more to do with a lack of imagination than poor design. How many of Apple’s or Google’s engineers imagined that someone would come up with this? I do not think that any of them did. This is the basic problem with most IT security: it is the thought process that “they would never think of that” that stops proper security. We know that mobile devices are the next big target for malware and cybercrime. They are in use more than almost any other device, and people have a false sense of security when using them. That combination of mass impact and naivety makes for a very ripe playground for hackers and criminals.
