A Russian developer has discovered a way to access iOS in-app content without paying for it.
As reported by 9to5Mac, which picked up the story from Russian blog i-ekb.ru, the hack doesn't require a great deal of skill and can be pulled off in three steps. It works on devices running iOS 3.0 and above.
The developer, known as ZonD80, operates In-AppStore.com. His three-step process to avoid in-app payments includes installing CA and in-appstore.com certificates as well as changing the DNS record in Wi-Fi settings, 9to5Mac said.
Once the certificates are installed and the DNS record is changed, users will see a different pop-up message when trying to make in-app purchases. Rather than the usual request for password and confirmation from Apple, a window will pop up that says "Like in-appstore.com?" There's the option to choose a "LIKE" button on the right or another button (in Russian) on the left. Choosing "LIKE" reportedly accesses the in-app content for free.
For developers, one workaround might be to take advantage of an Apple program that allows them to verify in-app purchase receipts. According to comments on 9to5Mac, the hack does not work on apps from developers who use this functionality.
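A sketch of the receipt check mentioned above, run on the developer's own server before content is unlocked. It is an added example, not code from the article, 9to5Mac or Apple. It assumes the JSON shape of Apple's legacy verifyReceipt service (`status`, and `bid`, `product_id`, `transaction_id` inside `receipt`), which the article does not describe; the function names are hypothetical and the bundle id, product ids and transaction ids are constructed.

```python
import json
import urllib.request

# Apple's production endpoint for the legacy verifyReceipt service.
VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

def ask_apple(receipt_b64, url=VERIFY_URL):
    """POST the base64 receipt to Apple from the server, never from the device."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def check_purchase(response, bundle_id, product_id, seen_transactions):
    """Return (ok, reason); seen_transactions holds already-redeemed ids."""
    if response.get("status") != 0:          # any non-zero status is a failure
        return False, "apple rejected receipt"
    receipt = response.get("receipt") or {}
    if receipt.get("bid") != bundle_id:      # valid receipt, but for another app
        return False, "receipt is for another app"
    if receipt.get("product_id") != product_id:
        return False, "receipt is for another product"
    txn = receipt.get("transaction_id")
    if not txn:
        return False, "no transaction id"
    if txn in seen_transactions:             # same receipt presented twice
        return False, "receipt already redeemed"
    seen_transactions.add(txn)
    return True, "ok"

# Constructed sample responses (not captured traffic).
GENUINE = {"status": 0, "receipt": {"bid": "com.example.game",
           "product_id": "com.example.game.coins100",
           "transaction_id": "1000000000000001"}}
BORROWED = {"status": 0, "receipt": {"bid": "com.other.app",
            "product_id": "com.other.app.item",
            "transaction_id": "1000000000000002"}}
REJECTED = {"status": 21002}

if __name__ == "__main__":
    seen = set()
    for name, resp in [("genuine", GENUINE), ("borrowed", BORROWED),
                       ("rejected", REJECTED), ("replayed", GENUINE)]:
        print(name, check_purchase(resp, "com.example.game",
                                   "com.example.game.coins100", seen))
```

Because the request to Apple leaves from the server, the certificates and DNS record changed on the device play no part in it.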
9to5Mac said it is publicising the hack to help developers safeguard their products, and asked that readers not try it. Likewise, we do not condone piracy or theft.
Apple did not immediately respond to a request for comment. But in a statement provided to The Loop, the company said "the security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating."
In-app purchases have been available via Apple's App Store since October 2009. Last year, amidst concerns that children and other users were making unwanted in-app purchases on users' accounts, Apple added a password requirement for in-app purchases with iOS 4.3.