Gamasutra: The Art & Business of Making Games

iOS hacker circumvents in-app purchases, Apple working to shut him down
July 16, 2012 | By Tom Curtis

Apple has found itself in a bind these past few days: a Russian hacker has found a way to work around the iOS in-app purchase system, letting users obtain premium content for free.

On Friday, hacker Alexey V. Borodin launched a service that lets consumers obtain in-app purchases without paying, on any device running iOS 3.0 or higher. The hack is a clear violation of Apple's policies and could cut into developer revenues on the iOS App Store. So far, the service has handled more than 30,000 illicit payment requests, reports The Next Web.

Apple has now set its sights on Borodin and has blocked the IP address of the server he used to "authenticate" purchases. The company has also issued a takedown request for the original server in hopes of preventing further abuse.

For a time, Borodin was also accepting donations via his site, though PayPal recently blocked his account for breaching its terms of service.

Meanwhile, the hacker has been working to stay one step ahead of Apple, and has since moved his service to a new offshore server, allowing him to continue operating. He told The Next Web that he has improved the service to the point where it no longer needs to interact with Apple's servers at all, making it even harder to shut down.

Borodin seems unwilling to relent, and has said that if Apple wants to stop the hack, it will need to update the API used for in-app purchases or find some other means of blocking his service. As of this writing, the hack still works, leaving in-app revenues at risk for the time being.
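The article does not say how the service answered the apps' purchase checks, only that purchases were being "authenticated" against Borodin's server rather than Apple's, and that a later version did not talk to Apple at all. The developer-side check that removes this class of bypass is to have your own server, not the phone, confirm the receipt with Apple and then inspect what the receipt actually says. What follows is an added example written for this page; it is not Apple's code, not the article's, and not a description of Borodin's service. The endpoint URLs, the status codes 0, 21002 and 21007, and the JSON field names (status, receipt.bundle_id, receipt.in_app[].product_id, transaction_id) are taken from Apple's public verifyReceipt documentation and should be checked against the current version; the bundle and product identifiers and every canned response are constructed for the offline demo.

```python
"""Server-side verification of an iOS in-app purchase receipt.

Added example, not code from Apple, the article, or Borodin's service.
Assumed: endpoint URLs, status codes 0 / 21002 / 21007 and JSON field names
per Apple's public verifyReceipt docs. The responses in demo() are
constructed for the offline test and are not real Apple output.
"""
from __future__ import annotations

import json
import ssl
import urllib.request
from dataclasses import dataclass, field
from typing import Callable

APPLE_PROD = "https://buy.itunes.apple.com/verifyReceipt"
APPLE_SANDBOX = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007  # sandbox receipt sent to production endpoint


def apple_post(url: str, body: dict) -> dict:
    """POST the receipt to Apple from *this* server over TLS.

    The phone never contacts this endpoint, only the developer's server does,
    so a trust-store or DNS change on a user's device cannot redirect it."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=10) as resp:
        return json.load(resp)


@dataclass
class ReceiptVerifier:
    bundle_id: str                     # this app's own bundle identifier
    known_products: frozenset          # product IDs this app actually sells
    post: Callable[[str, dict], dict] = apple_post
    seen_transactions: set = field(default_factory=set)  # replay guard

    def verify(self, receipt_b64: str, claimed_product: str) -> tuple[bool, str]:
        """Return (granted, reason). Grant only when Apple's answer names this
        app, this product, and a transaction id that was not credited before."""
        if claimed_product not in self.known_products:
            return False, "unknown product"
        resp = self.post(APPLE_PROD, {"receipt-data": receipt_b64})
        if resp.get("status") == STATUS_SANDBOX_RECEIPT:
            resp = self.post(APPLE_SANDBOX, {"receipt-data": receipt_b64})
        if resp.get("status") != STATUS_OK:
            return False, f"apple status {resp.get('status')}"
        receipt = resp.get("receipt") or {}
        if not receipt:
            return False, "no receipt body"   # a bare "status 0" is not proof
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt belongs to another app"
        for item in receipt.get("in_app", []):
            if item.get("product_id") != claimed_product:
                continue
            txn = item.get("transaction_id")
            if not txn:
                return False, "missing transaction id"
            if txn in self.seen_transactions:
                return False, "replayed transaction"
            self.seen_transactions.add(txn)
            return True, "ok"
        return False, "product not in receipt"


def fake_apple(canned: dict) -> Callable[[str, dict], dict]:
    """Constructed stand-in for Apple's endpoint so the example runs offline."""
    def post(url: str, body: dict) -> dict:
        return canned.get(body["receipt-data"], {"status": 21002})  # malformed
    return post


def demo() -> list:
    """Run the verifier over constructed responses; returns the verdicts."""
    canned = {
        "good": {"status": 0, "receipt": {
            "bundle_id": "com.example.racer",
            "in_app": [{"product_id": "gold_1000", "transaction_id": "1000000001"}]}},
        "other_app": {"status": 0, "receipt": {
            "bundle_id": "com.example.other",
            "in_app": [{"product_id": "gold_1000", "transaction_id": "1000000002"}]}},
        "bare_ok": {"status": 0},   # an "ok" with nothing behind it
    }
    v = ReceiptVerifier("com.example.racer", frozenset({"gold_1000"}),
                        post=fake_apple(canned))
    return [
        v.verify("good", "gold_1000"),       # (True, 'ok')
        v.verify("good", "gold_1000"),       # (False, 'replayed transaction')
        v.verify("other_app", "gold_1000"),  # (False, 'receipt belongs to another app')
        v.verify("bare_ok", "gold_1000"),    # (False, 'no receipt body')
        v.verify("junk", "gold_1000"),       # (False, 'apple status 21002')
        v.verify("good", "gems_50"),         # (False, 'unknown product')
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Three of the checks matter more than the network call itself. A receipt issued for a different app is rejected by the bundle_id comparison; an answer that says "status 0" with no receipt body is rejected rather than treated as a purchase; and each transaction_id is credited once, so a genuine receipt cannot be replayed to mint currency repeatedly. None of this stops a user from patching the client on a device they own, which is why the paid content should be granted by the server after verify() returns True rather than by the app.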


Comments


Cordero W
I cannot stop imagining the troll face pasted in place of his real face while I was reading this article.

Lucas Daltro
Ok, we need to contract an ex-KGB to kill this guy!

Joe Wreschnig
Truly the only reasonable response to someone running a web API compatible with another web API is the death penalty. It's not even clear to me that what this hack does is illegal, rather than just violating Apple's ToS.

Toby Grierson
Thanks, Wreschnig. It's clear that Daltro was being completely serious in suggesting we hire a former Russian spy to assassinate an internet vandal. Nobody would ever joke about such a thing.

Kenneth Blaney
So is this supposed to be push back against the free-to-play model's alleged "piracy proof" nature? I can't think of any other rationalization (that hackers usually have) for something like this.

Joe Wreschnig
It also points out several major security flaws in Apple's IAP architecture. (And the current CA system, but everyone knows about those already...)

Victor Gont
Hackers rarely seem to have valid rationalizations behind their actions. They mostly do it because they can, to prove they can. Everything you hear after the fact is 'PR' crap or causes assigned to them by internet groups they might or might not be affiliated to.

Ian Uniacke
Yeah, this is just because they don't want to spend money, pure and simple.

"It also points out several major security flaws in Apple's IAP architecture"

I was thinking about this argument the other day, and it's completely bogus. If I throw a rock through your window and steal your TV, I could say that "I'm just pointing out the security flaw in your house." Of course no security system is perfect; the only reason the standards seem to be held higher online is because you don't have to break in from a public place (e.g. the street the victim's house is on). This never makes it a justified action.

Joe Wreschnig
Except there's no "break in" here. You install something on a phone you own - you don't even have to jailbreak it - and that's it. No one took something away from someone else - they just sidestepped a transaction that usually adds some value to both sides, instead just gaining value on their own side.

I refuse to buy into the idea that ad blocking is theft. I refuse to buy into the idea that poking values into memory or disk files on a device I own is theft. At worst it makes you a jerk. Often it's a necessary step to make something usable (cf. the state of web popups in 2001, PC gamers modifying configuration files in unsupported ways to make a game run, etc.).

If we must journey down the river of terrible physical analogies, it's like you visit an interior decorator, like their kitchen design, and remodel your own like it without hiring them. Does it make you kind of sleazy? Probably. (Are the majority of F2P payment schemes kind of sleazy? Probably.) Is it theft, or illegal? No. Should it be illegal? No way, consumer protections in this area have eroded more than enough already.

Maybe we can revisit this when players have legal protections against games closing without compensation for unspent scrip, or have the right to move games and data between all the devices they own, or the right to resell their digital games and scrip to other players. I can't feel very bad for game developers in this situation when the legal scales are tilted so far in their favor already.

Ferruccio Cinquemani
Interesting concept. It's not taking something that cost work and effort without paying. It's "sidestepping a transaction".

Seriously, this idea that vandalizing something has value because it points to a security flaw is disgusting. It's really like saying that when the mafia "offers" you "protection", they're giving you a valuable service.

And pointing at questionable issues on the developers' side doesn't justify anything. Doing something wrong because someone else did something wrong doesn't make you right. It's just one of those rhetorical tricks that you see politicians use: "We didn't keep our promises, but you raised taxes!". The hacker mindset sounds, to me, like a huge collection of excuses and rationalizations.

Mathieu Rouleau
Sounds like someone got lazy at Apple.

Megan Fox
30,000 people shipped him their AppStore credentials in the process. He'll be fine without PayPal - 30,000 people are probably about to find themselves buying all sorts of games tied to people working with him.

Ian Brown
Yes, yes, that's very clever of you, Alexey. Now please consider that you just eliminated enough revenue to keep a developer employed for a year or two.

In four days.

Keep ahead of Apple for a year and you'll mess with the livelihood of around 100 developers and artists in an industry that is already suffering. Heck, keep at it and you could slow or stop the feed of quality mobile games altogether.

E Zachary Knight
Or Apple could fix their API, then apologize to all those affected developers for their crappy insecure code.

While what this guy is doing is stupid, and harmful to the POTENTIAL revenue of a developer, his actual impact is probably fairly small.

Joe Wreschnig
Ian, do you use an ad blocker? Even just the pop-up blocker built in and turned on by default in every browser?

Why are you eliminating all that REVENUE?

Cordero W
To be honest, the mobile market is one of the worst places for monetary dependence. You don't make games to get rich. It's a benefit if you're lucky, but most of the time, it's not a road to paradise.

Ian Uniacke
"Or Apple could fix their API, then apologize to all those affected developers for their crappy insecure code."

What garbage. Please read my above comment for details. This is theft pure and simple.

Nick Meh
Not sure why anyone needs a hack to circumvent DLC for CSR Racing, as they have in the picture.

Like most apps for iOS that sell game currency, they usually offer free coins daily, weekly, or monthly. In CSR's case, it's monthly. Simply change the date on your phone and enjoy free stuff.

Maybe the game chosen for the picture is a bad example, but hack app or not, most iOS games that rely on in-game currencies have plenty of workarounds without completely devious malicious coding.

Joe Wreschnig
Thanks for pointing that out, now the next iOS beta will probably forbid you from changing the date.

Got to protect that revenue stream!

Ian Uniacke
How dare developers expect to get paid for their work. They might even use that money to buy food and shelter for their families, the capitalist pigs.

Nick Meh
Yeah, I mean, yeah, Ian.

That wasn't the point. The point was you don't need to hack many systems because they are poorly implemented. In CSR Racing's case, they made a free app for iOS and their sole source of income is users buying a special in-game currency. This isn't foreign; many apps rely on this type of system. 'The burger is free. The Coke is $10.'

The currency can be used in place of the other earnable currency in game and can hurry the wait time on many things. Basically, they don't sell an advantage, they sell a resource to the impatient.

Unfortunately, to keep users coming back to their app, these types of apps offer free currency giveaways, usually timed. That's why they want you to turn on push notifications so badly.

The problem with this system is, unless you are a mildly retarded 13-year-old girl, it probably didn't take you long beyond simple thought to just adjust your phone's date over and over to earn game currency.

Such is the problem with free apps relying on in-game currency sales. They rely on their users not thinking in any way, shape or form.

So... back to my original point that you missed... this app hack sounds bad. I hope Apple finds a solution. However, the picture for the article is still stupid. If you need this hack for the app CSR Racing, you are retarded. No hack app needed. The game is poorly designed.

Understand?

