Apple Trying, But Not Yet Succeeding, to Take Down In-App Hacker

Apple has tried several methods to block both a hacker that last week announced a scheme that allows users to get in-app content without paying for it. So far, however, Apple has not yet succeeded in taking it down completely.

Apple looking into hack that lets users buy in-app content without payingApple looking into hack that lets users buy in-app content without paying

First came the announcement on Friday from the hacker ZonD8o that by installing some certificates and changing DNS settings, users could acquire in-app content without paying for it, all without jail breaking their iOS device.

That caught Apple’s attention and later that day the company had already begun investigating the issue.

By Monday, Apple had taken several steps to thwart the hacker and those who would avail themselves of the service. According to The Next Web, the hacker had been identified as Alexey V. Borodin and Apple was blocking the IP address of his server. They had also requested a video showing the method be taken down, and PayPal was blocking an account used for donations, claiming a violation of terms of service.

Borodin had responded by moving his server off shore so as to evade Apple’s requests. He’s also “improved” the protocol to eliminate Apple’s servers and use his own authorization and transaction processes. Part of that new process requires users to sign out of their iTunes accounts before taking advantage of the hack. The Next Web quotes Mr. Borodin as saying the reason for that is, “…so they don’t scream to the Internet that I am stealing their credentials.”

Even with the back and forth maneuvering, Mr. Borodin claims he has not been contacted by Apple. He wants Apple to make changes to its APIs to address the issue or otherwise block the exploit.

The service remains available for the time being. However, Borodin is unabashedly flaunting App Store rules, denying revenue to developers as well as Apple, moving his resources to unspecified locations, and using a private account for payments. While he claims he isn’t stealing users private data, there is no reason to trust a statement that comes from someone exhibiting such untrustworthy behaviors.

Image made with help from Shutterstock.