If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(BGR)   IPhone hacker shows the world how to steal in-app purchases [video]   (bgr.com) divider line 24
    More: Interesting, iPhone, application software, BGR, DNS, Apple TV  
•       •       •

4009 clicks; posted to Geek » on 13 Jul 2012 at 12:30 PM (2 years ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



24 Comments   (+0 »)
   
View Voting Results: Smartest and Funniest

Archived thread
 
2012-07-13 12:37:39 PM  
I would do this if I owned an iPhone

/totes jelly of roommates GS3
//POS sidekick 4g was a MISTAKE to purchase
 
2012-07-13 12:44:25 PM  
Alerting our developers. Wacky stuff.
 
2012-07-13 12:49:12 PM  

neuroflare: I would do this if I owned an iPhone

/totes jelly of roommates GS3
//POS sidekick 4g was a MISTAKE to purchase


I want the new Gamsung Salaxy too!!!
 
2012-07-13 12:53:17 PM  
Get used to this Apple. Just as Microsoft was constantly under attack due to their dominance in the market, now iOS is going to be the popular target as mobile supplants desktops.
 
Juc
2012-07-13 12:55:01 PM  
Bah, it's hard enough to pay the bills making iOS apps as it is.

I don't think the usage of this will be much worse than piracy elsewhere though.
I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.
 
2012-07-13 01:11:47 PM  
www.brokenequipment.com
 
2012-07-13 01:18:14 PM  
This requires rerouting all your info through a third party russian hackers webserver, how about you all just photocopy your credit cards, ssn, and birth certificate and send them to me.
 
2012-07-13 01:18:21 PM  
The way we provision services for mobile devices hasn't changed since we built the first platforms for MMS delivery in the early 2000s. The app-store uses the same method that everyone else uses.. What this means is that while you may be able to trick the software into not charging you the CDR (call detail record) will still be created. There is probably something that prevents that particular CDR from being processed because it's being considered an internal "test" device - the phone in this article appears to be spoofing itself as a test device. However all Apple has to do is process those CDRs (which will be backed up somewhere for years) and they will get their revenue. Which means doing this will most likely see you get charged for it.. and that could be a pretty nasty surprise if you think you're getting 100s of dollars in free crap.
 
2012-07-13 01:18:24 PM  

indoorplant: [www.brokenequipment.com image 640x480]


iBroke?
 
2012-07-13 01:20:21 PM  
Oh, is that why itunesconnect.apple.com keeps timing out on me today?

In any case, this exploit can only work on IAP content that's bundled within the app and unlocked by paying for it. For IAP content that's downloaded from external servers hosted by the app publisher, susceptibility will depend on the security measures implemented by the publisher.
 
2012-07-13 01:27:09 PM  

Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.


A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)
 
2012-07-13 01:58:20 PM  

poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)


Why not use ARC? Memory leaks in Objective-C are pretty easy to catch. It's when you start passing around between C and Obj-C that stuff gets confusing pretty fast.

BTW, App Developers: If you coded your application properly, you wouldn't have to worry about this. You always should have checked to see if your receipts matched. This has been SOP since In App Purchases came around.
 
2012-07-13 01:59:00 PM  

poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)


Clarification: iOS apps save state and close when you return to the home screen. The only exception is if they use one of the specific APIs, in which case only that thread is allowed to keep running while the rest of the app shuts down.

More info: http://charlesesmith.net/post/11244398163/ios-multitasking
 
2012-07-13 02:07:48 PM  

poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)


Good luck finding A programmer to write code with no memory leaks. It's almost impossible to stop them all.
 
2012-07-13 02:16:58 PM  

phimuskapsi: poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)

Good luck finding A programmer to write code with no memory leaks. It's almost impossible to stop them all.


As someone who used to do assembly programming for automotive hardware, what is this memory leak you speak of? Nothing we ever did went into production with them. Something faulting at 70 mph is bad.

/high level programming problems are like 1st world problems
 
2012-07-13 02:18:45 PM  

indoorplant: [www.brokenequipment.com image 640x480]


Did a phone with Gorilla Glass do that to that phone?
Link
Link
 
2012-07-13 02:42:49 PM  
As an equal opportunity hater of giant corporate OSs (who uses both Windows and OSX quite a bit) I'm glad to see that Apple's learning... with great marketshare comes great attempts at hacking your shiat.

/I imagine it's only a few years until the rank and file mac user realizes that their computers are vulnerable to nefarious actions.
 
2012-07-13 03:02:20 PM  
This is brilliant... Steal a bunch of purchases and install them on a device that is connected to a network that you have a contract with, identifying you by name, address, and possibly credit card number, and the device constantly phones home, providing your account name and list of installed apps to search for updates, and is essentially useless if you disable it from ever connecting to a WiFi or cellular network.
There are no foreseeable downsides to this whatsoever, and anyone who doesn't do it is a fool.
 
2012-07-13 03:20:50 PM  

servlet: poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)

Clarification: iOS apps save state and close when you return to the home screen. The only exception is if they use one of the specific APIs, in which case only that thread is allowed to keep running while the rest of the app shuts down.

More info: http://charlesesmith.net/post/11244398163/ios-multitasking


Most *NIX OSes do this for memory management. Including iOS and Android. Task killers are a bane of existence. And if it's not actively doing something (like updating a file, downloading something, processing data) it is dormant in the background. If it's waiting for user input, it will sit and be idle, taking up no CPU cycles, no power, only memory space. And if an active application needs that memory space, it is cleared.
 
2012-07-13 03:38:33 PM  
Apple provides in the XCode development kit (used for all iPhone/iPod/iPad development) a way to actually check the validity of in-app purchases, and has for a while.

This 'hack' can only work against developers who are too lazy to have implemented the check and only have themselves to blame.
 
2012-07-13 04:29:43 PM  

dr.zaeus: neuroflare: I would do this if I owned an iPhone

/totes jelly of roommates GS3
//POS sidekick 4g was a MISTAKE to purchase

I want the new Gamsung Salaxy too!!!


Typing on one right now. Had it for 3 days. Best phone I have ever used.
 
2012-07-13 05:11:38 PM  

phimuskapsi: poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)

Good luck finding A programmer to write code with no memory leaks. It's almost impossible to stop them all.


Well yeah, but that's because I don't think anyone uses A (APL) anymore, though it did inspire a few modern languages :) Of course, in anything this side of C, your only excuse for leaking memory like a sieve is carelessness.

/Off to clean up a double free
 
2012-07-13 05:36:41 PM  
Why bother with that when you can just write to the program's memory with task_for_pid() and vm_write()? No legal issues in that case, so long as it's not breaking a copy protection.
 
2012-07-13 05:46:22 PM  

phimuskapsi: poot_rootbeer: Juc: I still know people that still don't know how to fully close apps on their iPhones, even after I showed them how.

A properly designed iOS app should never have to be "fully closed". (I'm not claiming that most iOS apps are properly designed. Good luck finding Objective-C devs with enough experience to write code with _no_ memory leaks.)

Good luck finding A programmer to write code with no memory leaks. It's almost impossible to stop them all.


Learn to code.
 
Displayed 24 of 24 comments

View Voting Results: Smartest and Funniest


This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »
On Twitter





In Other Media


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.

Report