Recently, there’s been a lot of buzz about some security breaches affecting the iTunes App Stores on both iOS and the Mac. Apple has quickly responded to these flaws and has begun patching their stores to prevent these kinds of hacks in the future, but what has been revealed through these exploits is quite worrying. Let’s catch up on the story as it stands today and then explore some of the implications for developers and users.
Back in July, a Russian hacker named Alexey Borodin figured out a way to download In-App Purchases from any iOS title for free, without paying either Apple or developers. Apple responded by scrambling together fixes for this issue. While iOS 6 will bring a complete fix for this issue, currently the only protection for developers is to follow best practices by performing receipt validation on the developer’s server and then communicating that data to the App Store. Apps that communicate directly with the App Store may still be vulnerable, but with these updated APIs and methods, Borodin has decided to end his attacks on mobile devices. Instead, he has switched to targeting the Mac App Store using an application called “Grim Receiper.”
Although some people may think getting all In-App Purchases is a great deal, they may not be aware that by using Grim Receiper, they are sending their iTunes login information, including their password, to an unknown third party with each purchase. In addition, they are sending each application’s app restriction level, app id, version id, device GUID, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale.
While that may sound like a lot of personal information to be sending to Russian servers across the web, the really terrifying part is that Apple was, until now, transmitting all user data and passwords in plain text. They didn’t expect that data would ever have to get sent to any server other than their own, but that’s still a horrifying gap in security coming from Apple, a company that has traditionally taken user security very seriously. Apple has now begun encrypting the connection, but it may be too little too late in the eyes of many users.
Ethical issues aside, this raises some very serious security concerns and arrives alongside the well-known iCloud hacking of Mat Honan. Apple promises that full fixes for all this are coming in iOS and future versions of Mountain Lion, but they are now having to work to restore the confidence they’ve held from so many users for nearly a decade (the iTunes Store was launched in 2003).