A few days ago, a Russian developer shook the iOS community by releasing a hacking tool that could bypass in-app purchases on the App Store. His disturbing tip caused Apple to intervene and counteract his method of purchasing paid apps, which lets users obtain them for free. Apple is now moving to thwart the method with a new field called “unique identifier.”
What’s in it for us? Well, if you take a morsel of this purchasing mechanism, you can download paid apps on the App Store for free without jailbreaking your device. The method involves installing a pair of certificates on your device, paired with a custom DNS entry. You can install apps directly on your iOS device while the method redirects you through the hacked system.
What’s in it for the developer? Well, if you use this method, aside from the fact that it actually involves stealing content from the developers, you are at risk of disclosing your personal information to the hacker’s servers during the process. As for donations, the hacker received $6.78 for this cost through PayPal. That’s not all: in an interview with Macworld, developer Alex Borodin said,
“I can see the Apple ID and password” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.
To thwart this method, Apple includes a unique identifier in validation receipts for securing In App Purchases. MacRumors received a report that “developers are now seeing something along those lines coming from receipts issued by Apple since late yesterday.”
Basically, the receipts carry this new field. It’s your device’s “Unique Device Identifier,” or UDID, used for obtaining an In App Purchase.
Since apps no longer collect the UDID, it is still unclear whether Apple will use this as the first step in securing transactions in the long run, or whether it is being used temporarily to identify those users who have shared receipts with the hacker through that method.