When news hit this morning that a Russian hacker figured out a shockingly easy way to pirate most IAP that doesn't even require jailbreaking, we chatted a bit in the ol' TouchArcade command center and decided that it was in poor taste to post about. Unfortunately (or fortunately, depending on which way you look at this) additional details have come to light, and MacWorld actually got in touch with the guy behind the whole thing. The article goes into the hows and whys of the hack, and the motivation is mind-boggling, essentially boiling down to CSR Racing [Free] of all things.

The hack works by fiddling with some things on your device to trick apps into thinking that they're communicating with Apple's servers that handle IAP transactions. Typically, you hit the buy button on some IAP item, you enter your password, it ships all this off to Apple, Apple charges your iTunes account, and sends a response back to the app that you've bought that IAP. With the hack enabled, apps go through the same process, except instead of sending your login credentials to Apple, you're sending them to a server in Russia which issues the same "Hey, this user bought this IAP" response that Apple does without the whole charging your iTunes account part.
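The trust failure described above, modelled as an added example (not code from the article, Apple, or any app): a client that unlocks on any "purchased" response, next to a validator on the developer's own server that checks the receipt's authenticity, product and reuse. The key, product names and transaction ids are constructed, and HMAC stands in here for the store's real receipt signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's signing key. HMAC replaces the store's
# real receipt signature so this sketch needs only the standard library.
STORE_KEY = b"constructed-demo-key"


def store_issue_receipt(product_id, transaction_id):
    """The genuine store: charges the account, then returns a signed receipt."""
    body = json.dumps({"product_id": product_id,
                       "transaction_id": transaction_id,
                       "status": "purchased"}, sort_keys=True)
    sig = hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def naive_unlock(response):
    """Weak check: trust whatever answered the purchase request."""
    return json.loads(response["body"]).get("status") == "purchased"


class ReceiptValidator:
    """Runs on the developer's own server, not on the customer's device."""

    def __init__(self, key):
        self._key = key
        self._seen = set()  # transaction ids already redeemed

    def unlock(self, response, expected_product):
        body = response.get("body", "")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("sig", "")):
            return False  # not issued by the store
        fields = json.loads(body)
        if fields.get("status") != "purchased":
            return False
        if fields.get("product_id") != expected_product:
            return False  # receipt is for a different item
        if fields["transaction_id"] in self._seen:
            return False  # replayed receipt
        self._seen.add(fields["transaction_id"])
        return True


# Constructed sample inputs: one genuine receipt, one unsigned look-alike.
GENUINE = store_issue_receipt("gold_pack", "tx-1001")
FORGED = {"body": json.dumps({"product_id": "gold_pack",
                              "transaction_id": "tx-9999",
                              "status": "purchased"}, sort_keys=True),
          "sig": ""}
```

The naive check accepts both sample responses; the validator accepts only the genuine receipt, and only once.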

If it's not obvious, and aside from the whole piracy aspect, using this hack is an exceedingly bad idea because you are transmitting your iTunes account information to an unknown third party. In fact, the hacker behind the whole thing had zero issue flat-out telling MacWorld, and I quote, “I can see the Apple ID and password.” While your actual billing information is safe, you're completely handing over the keys to your iTunes account. If you're OK with that, you've got to be pretty hard up for some free smurfberries.

Apple has yet to issue a response regarding this whole ordeal, but it wouldn't surprise me to see some action from them very quickly.

UPDATE: Apple just responded via the New York Times:

“The security of the App Store is incredibly important to us and the developer community,” said Natalie Harrison, an Apple spokeswoman, in a statement. “We take reports of fraudulent activity very seriously, and we are investigating.”

[via MacWorld]

  • http://twitter.com/oooooomonkey Oooooomonkey

    I'm actually really surprised that nobody has figured this out before now. Wonder what action Apple are going to take?

    • http://profile.yahoo.com/42YS2N67LP6IDUKBZUUCMSZW7M Pray For Death

      Probably a quick iOS update with "bug fixes". I don't expect them to release any statement on this hack. 

    • Hoggy110

      I've had a hack like this on my iPod for months now

    • Edward Dodson

      The hack has been on Cydia for over a year now...

  • http://www.facebook.com/profile.php?id=100000550362553 Klas Segeljakt

    I couldn't care less

    • http://toucharcade.com Eli Hodapp

      Yet you cared enough to comment. Will wonders never cease...?

      • http://www.facebook.com/profile.php?id=100000550362553 Klas Segeljakt

        Considering that IAP cracks have been available on jailbroken iOS devices for several years, it's not very new to me.

  • itaintrite

    Piracy is bad. Yes.

    Okay, now that that's out of the way. I don't really think there's any risk to using this hack. You can easily create a fake iTunes account. So what's the worst that can happen? Your fake account gets banned.

    Let's see how the developers handle this.

    • 11liker99

      Who in their right mind would make a fake id?

      • csgbroseph

        Someone desperate for smurfberries

      • Greyskull

        There are plenty of people on these very boards who have second IDs, not necessarily "fake", but to grant them access to foreign app stores. I'm on my second because I shared my first with an (as of now, ex) girlfriend. Aside from remembering which ID was used to download which apps you have, it's a pretty simple thing to do, with the possible exception of having non-app (music, movies) purchases scattered about multiple accounts, since those items have confusing usage rights.

    • Esswasim

      Piracy is good because in-app purchases are ridiculously foolish

  • stormchild

    Anyone who gets burned by this totally deserves it.

    • munashe0

      I've gotten so much IAP (for free) and I still have my account (my real account).

  • ManuD

    lolz classic !!!

  • Castl3mania

    Gonna have to yawn on this one, if you don't want IAP hacked then start making full awesome games

    • gabriel_ca

      Right, because no one pirates full-on awesome games. The problem here isn't with the devs (and while freemium sucks balls, that's a whole other issue), it's with this culture that's been breeding that if you can rip someone off you should.

  • Kafu

    The flaw of "local receipt verification" was publicly known as soon as IAP was made available by Apple (btw on jailbroken devices you have been able to install the "hack" locally for 1-2 years). This is a major fault of Apple.

    The real problem of this hack now is how a fake iTunes server can be easily "accepted" by the device simply by registering some extraneous certificates.

    I hope this will force Apple to definitely fix the bugged logic behind "local receipt verification".

    • http://www.vitaltitles.com/ Nick

      Yeah, the IAP hack has been well known, and if jailbroken it seems you don't need to enter your login details, completely unlike this one. I am not sure what the differences are, but sending your username and password to some random Russian HACKER is about as stupid as it gets. You're crazy to be that greedy.

      And outside of that, buying excessive IAP in most games is the quickest way to lose all enjoyment. I've made the mistake of dropping too much cash once and then afterwards, there was no more reason to put in time or energy into progressing in the game.

  • DecafTable

    There's no reason to buy IAP in most cases unless it's to unlock more of the game.

  • taragon99

    The real problem for Apple would be if they release the source for the server side code.  Then you could run it on your own computer knowing that your private information is safe.

  • http://profiles.google.com/hobeerg Arthur Shapoval

    There are 2 hacks for free IAP purchase. The other one doesn't ask for your password, so no one would get it. In my opinion the whole DLC system is way more evil than piracy.

    • Maniacfive

      I agree. Developers getting paid for adding more content to a game as opposed to giving it away for free IS totally evil. How very dare they expect to get paid for their efforts.

      I imagine you only do volunteer work so as to avoid receiving any money for the work you do?

      • Greyskull

        Depends on the context. If my info wasn't sent in clear text to a server I had no reason to trust, I would use this in a heartbeat in two cases: to restore functionality to apps I've purchased which have, after being updated, stripped away features and put them behind a pay wall or have had advertising added which can be disabled via in-app purchase; in the case of false advertising, when I've been led to believe I've purchased a fully functional app and have discovered I haven't, since Apple seems to have no policy on what must be disclosed in iTunes app descriptions and even less when it comes to updates.

  • JesusBro

    none o this would be happening if the freaking app developers weren't so greedy and put IAP in almost all their games
    for real
    us buyers don't want to see IAP in our games period

  • callmericard0

    This is what happens when you market your games to an audience that just wants to 'play for free'.

    • http://twitter.com/Rage_boi Vince

      rofl...so true

    • Greyskull

      Or when you release an update for a paid (at least paid at some point in time) game that nerfs or injects adverts into a customer's purchase. And don't give me the "if you kept it on your device" BS; iDevices aren't desktops, you can't just throw in an extra terabyte of storage when it begins to get cramped for space...also, there's a little program called iTunes, where you can make purchases without them ever installing on your device...something a lot of devs seem oblivious to.

    • Esswasim

      I'm enjoying iapfree and I got most in-app purchases for free, if I buy those instead I will have to sell my home to buy what I got with iapfree

  • HerbertKornfeld

    Interesting side note: Tilt to Live HD, which has always been free with an in-app unlock, has just recently changed from free to $4.99. I'm not certain that it's related, but it seems like it's a defensive move to combat this hack.

    Also, it's "Macworld", not "MacWorld".

  • http://pulse.yahoo.com/_CKBNMJGLGCBQOSH2BM264QIHLI Bridget

    This is why I have absolutely no respect for hackers. None whatsoever.

    Oh, don't get me wrong. IAP can be REALLY bad... but the problem ones are pretty much ALWAYS from big (and rather stupid) publishers that are just trying to suck money away. Many, many, MANY games on iOS are indie-developed, and the IAP may, in fact, be the ONLY way they can make money. If you like the game at all... BLOODY WELL SUPPORT IT. Don't try to steal from them. If you don't have the money at the time, FREAKING TOUGH. Get some, and then go and buy it.

    Anyone using this stupid, braindead trick (or any like it) deserves A: to lose their account, B: to be banned from ever making another, and C: to be kicked REALLY HARD by a horse. The horse then proceeds to wander over to the knocked-down hacker and jump up and down on them. Maybe another kick thrown in for good measure.

  • TheGribble

    Without wishing to stir this nest-o-snakes up any further, what happens if you enter the wrong password? I'm assuming the password check happens on the server anyway if they bother sending it up.

  • Bob Mayer

    When you use this hack.. do you REALLY need to type your actual password?

  • Bob Mayer

    One of the interesting aspects of this to me is that so many developers have been moving to free apps with IAP unlocks in part to defend against piracy.  Oops.

  • http://twitter.com/jinchoung jin choung

    the biggest incentive not to do this aside from hackability from the russian side (and i'm not even gonna cite morality) is the potential APPLE RESPONSE.

    people have been banned from MMOs... it would be interesting to see apple just wholesale banning people from their appstore... nullifying all their devices including phones....

    not sure if they would... but they probably COULD...

    so big risk... literally cents in payoff?

    not a good gambit.

    • http://profile.yahoo.com/YXWW7GBVIUTV3F7KVEO5HISKNU Brandon B

      I hate fear mongering which is what this is...

      For the record, I don't agree with the hacking of IAP or even Hackulous for that matter. Stealing is stealing whether it's in an actual store or online.
      What makes the latter popular is its anonymity. Those who have the will to steal will likely choose to use false accounts. Even if you were absent minded enough to send your actual iTunes credentials, how would Apple know? Apple would need to shut down the Russian server then gain access to their database or stored iTunes accounts before they could do anything whatsoever.

      Those of you that hastily got caught up in this and made a poor decision, fear not of repercussions... change your iTunes password to something STRONG and maybe even change your email if you start getting Russian spam...and consider this lesson learned.

      • http://twitter.com/jinchoung jin choung

        first, stealing is not stealing... when it's copyright infringement. there is a difference. learn to appreciate the distinction now because you will be faced with it again and again when dealing with tech savvy people.

        second, fear mongering when there's actually a ten ton boulder hanging over your head by tooth floss is warranted.

        you DON'T know that there is not a way for apple to reconcile records from IAP credit card transactions.  there could be countless ways for apple to recreate a digital paper trail aside from raiding the russian servers... which in itself, while unlikely, is not impossible.

      • http://profile.yahoo.com/YXWW7GBVIUTV3F7KVEO5HISKNU Brandon B

        With all due respect to you personally I found your response intelligent but flawed...

        Semantics, Copyright infringement refers to the unauthorized use of works to reproduce or perform the copyrighted work or spread the information contained within copyrighted works.

        In this case, none of the above is taking place. The intellectual property is already on your device. Not one bit of the copyright material is being transferred or shared here. As the article states, a username and password sent to a foreign third party server that returns a standard response that the application sees as valid.

        But let's say that this most closely falls under Copyright Law for a moment. The law in most countries then states that enforcement falls to the responsibility of the copyright holder. Assuming we are referring to the application with the IAP as the infringed work then it would be the Publisher that would need to enforce the law. Apple takes a 30% cut from every app store purchase so they would simply turn to the publisher for the 30% cut that they are owed and leave the publisher to enforce the infringement.

        Even if Apple did decide to be more involved, perhaps due to a reputation standpoint. I return to my previous argument. Based on the content of the article, how could there be any repercussion as the digital paper never passes through an Apple server. How do you propose Apple identify the infringing users if the transaction and the data associated with it never touches them. The only way to do so is at the source.

        Finally in keeping with the idea that this is copyright infringement, then by definition this is not even illegal in some countries including Russia or Canada. Canadian users would have no concern. In Canada it is not illegal to download or copy any copyright material for personal use.

        So maybe the boulder only hangs above some heads. Me, I don't need to look up but then I don't steal.

  • BaronKrause

    31 Comments and not one mention of the awesome Hackers picture used?
    You should all be ashamed :P

    • http://profile.yahoo.com/YXWW7GBVIUTV3F7KVEO5HISKNU Brandon B

       It's missing Angelina Jolie.

  • munashe0

    Lol, I've known how to do this for over 6 months.

    • http://twitter.com/NillaKig Darnel Johnston

      no you haven't known how to do this for 6 months, if you're talking about cydia hack it's not the same.

  • http://twitter.com/DomsLife Dominic

    What's the pic in this post from?

  • DCver3

    So no one here ever speeds? In their ton-and-a-half vehicles...that could easily kill someone...I'm not saying stealing is right by any means but get off your damn pulpits. If you're from the States especially as we're all thieving liars in this country anyway. You're pissed someone's stealing when the rare earth metals used in the phone you're holding are mined by children at gunpoint. Grow the hell up...

  • http://www.facebook.com/allan.curtis1 Allan Curtis

    with IAP garbage polluting every single game I see nowadays I can see why this is justified. I am completely tired of having games nickel and dime me for basic content and seeing shop buttons in every game including single player retro rpgs such as ash 2. It's revolting.

    • http://www.facebook.com/profile.php?id=701025869 Paul Summerfield

      I agree with you on this, it really ruins a game when they are trying to get you to spend real money to enjoy the game more..... Luckily not all devs are doing this and are creating cool games and releasing updates and content without charging you extra $$. So hopefully the trend will just kinda fail over time.

  • http://www.facebook.com/profile.php?id=701025869 Paul Summerfield

    Man this hack screws over the people that need the money most, The developers, Obviously Apple doesn't need the money, but the people who put all the hard work into creating the game or app in the first place get ripped by Piracy. I like to support the games companies that I buy their awesome games from. (and only paid $1- $5 for) a lot less than games on the handhelds and consoles and most of the time a lot more enjoyable too!

  • chief78

    Who, in their right mind, would hand over their apple id and password?? Foolish, irresponsible, and of course illegal. We may not all like IAP (I hate it), but it beats having personal info stripped..

  • Esswasim

    Charge me Rs 50 and I will buy your game, charge me more than that I will get it for free

  • Dre Blagburn

    Actually you're not supposed to enter your Apple ID password. You simply hit cancel and it gives you whatever you "purchased".