This week the Russian fellow known for hacking the in-app purchase function in Apple’s mobile operating system declared that “it’s all over.” He added “…for now” to his chat on the subject, saying that he’ll keep his exploit up for download even though it no longer works in the current version of Apple’s iOS. Alexey Borodin, as he’s known, says he will be working to keep security strong in the system; that is his ultimate goal, or so he says.
Borodin’s hack needed only a receipt, which he could then use to authenticate a purchase. He used a fake in-app purchase server, a custom DNS server, and some emulation of Apple’s verification process to make the whole system work. Because this system sat outside of Apple’s control, it also opened the door to third-party attacks and further exploits on either end of the equation.
Today Borodin has found that Apple’s fix for the exploit he discovered does solve the problem. He’s declared that iOS 6 is as safe as Apple can make it, for now, and that he’ll continue his work once the next version appears on actual non-beta devices.
“By examining last Apple’s statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It’s a good news for everyone, we have updated security in iOS, developers have their air-money.” – Borodin
Stay tuned as Apple continues to tweak its systems and security grows stronger in the face of not-so-awesome hacks and exploits. Check the timeline below to see the history of this particular situation.