A Russian hacker has figured out a way to get in-app purchases on iPhone and iPad for free, and it doesn’t involve jailbreaking your device.
What’s more, the hacker, Alexey Borodin, has released the information over the internet. Meaning, if you were so inclined, you could try to get something for nothing yourself.
Borodin has created a server, which he hosts himself, tricking your device into thinking that payment for the in-app purchase (IAP) has been made legitimately. You’ll need to chance your DNS settings for it to work, but various users across the net are reporting success with Borodin server.
Borodin explains that CSR Racing was the catalyst for his desire to hack the system.
“I set this up due to hungry and lazy developers,” Borodin said. “I was very angry to see that CSR Racing developer taking money from me every single breath.”
I play CSR Racing and I see his point, the microtransaction policy implemented in that game does the straddle the boundary between acceptable and a piss-take.
There are currently two ways for app developers to integrate IAPs into their software, and Borodin’s system is only able to bypass one of them. Although, he does promise that a future project will unlock IAPs in all apps.
In a statement, Apple said that it is “investigating” the breach and will likely need to change the methods developers use to validate IAPs.