A Russian developer has discovered a method to circumvent Apple’s in-app purchasing process using an in-app proxy. With it, in-app content can be stolen easily on any iOS device, without the need for a jailbreak.
This method for obtaining free iOS apps was first published by hacker Alexey V. Borodin, who created the proxy called In-Appstore.com. It functions on devices that run iOS 3.0 to 6.0, and has since facilitated more than 30,000 illegal in-app purchases.
Stealing Apple’s content with this method is frighteningly easy, and it does not technically hack into the user’s device. Instead, it bypasses Apple’s authentication controls for in-app transactions and directs purchase requests to Borodin’s service. The service then transmits a receipt back to the device, fooling the app into believing that the user has purchased the content.
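The weakness described above is an app that unlocks content on any receipt that looks right, whoever sent it. The following sketch is an added example, not code from Apple or from the original article: it contrasts that check with one that authenticates the receipt first, run on the developer's own server. The receipt layout, the product ID and the HMAC key standing in for the store's signature are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the store's signing secret (assumption:
# HMAC replaces a real store signature so the example runs offline).
STORE_KEY = b"constructed-demo-key"
PRODUCT = "com.example.levelpack"  # hypothetical product ID


def _mac(fields: dict, key: bytes) -> bytes:
    """MAC over a canonical (sorted-key) encoding of the receipt fields."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def sign_receipt(fields: dict, key: bytes) -> dict:
    """Store side: issue a receipt with an authentication tag."""
    return {"fields": fields, "tag": _mac(fields, key).decode()}


def naive_unlock(receipt: dict, product_id: str) -> bool:
    """Weak check: trusts whatever answered the purchase request."""
    f = receipt.get("fields", {})
    return f.get("status") == "purchased" and f.get("product_id") == product_id


def verified_unlock(receipt: dict, product_id: str, key: bytes) -> bool:
    """Hardened check: the tag must verify before any field is believed."""
    fields, tag = receipt.get("fields"), receipt.get("tag")
    if not isinstance(fields, dict) or not isinstance(tag, str):
        return False
    if not hmac.compare_digest(_mac(fields, key), tag.encode()):
        return False
    return fields.get("status") == "purchased" and fields.get("product_id") == product_id


# Constructed samples: one receipt issued by the store, one returned by an
# intermediary that does not hold the store key.
GENUINE = sign_receipt({"product_id": PRODUCT, "status": "purchased"}, STORE_KEY)
FROM_PROXY = {"fields": {"product_id": PRODUCT, "status": "purchased"}, "tag": "0" * 64}

if __name__ == "__main__":
    for name, r in (("genuine", GENUINE), ("from proxy", FROM_PROXY)):
        print(name, naive_unlock(r, PRODUCT), verified_unlock(r, PRODUCT, STORE_KEY))
```

Both receipts pass the weak check; only the store-issued one passes the hardened check.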
Borodin has reportedly said that no personal information is accessed through the use of his service. However, users should still beware, because using the service transmits their Apple ID and password.
Apple has been notified of this illegal service, and is currently investigating this security breach.