Apple has advised app developers to point in-app purchases to their own servers in a bid to combat the loophole that allows them to be easily stolen.
A vulnerability in iOS 5.1 has recently been exploited to enable in-app purchases to be stolen from App Store titles, potentially costing developers millions.
The hack works by convincing the app that the purchase request comes from the App Store's own servers, which means the item can be obtained for free.
In a Q&A on its website, Apple says that best practice "for validating receipts is to send the receipt to your server, and have your server perform the validation with the App Store server."
Not a problem in iOS 6
Apple has now suggested a number of ways developers can combat the theft, while confirming that the issue will not be present in the forthcoming release of iOS 6.
A statement on its developers' website explains: "A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device.
An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker's server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
"iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack."
Via: 9to5Mac
