Late last week, we caught wind of a hack that allows iPhone users to receive content from in-app purchases without actually paying for it. Obviously, this is no good, and Apple announced today that it plans to fix the hack in iOS 6, which should be arriving sometime later this year. Of course, saying that it will fix the vulnerabilities in the next release of iOS doesn’t help much when developers are stuck dealing with this hack now, so Apple has also issued a temporary fix that should suffice until iOS 6 is available.
To make sure that you get the money from the content you offer in-app, Apple recommends that developers make use of its receipt validation system, which checks each in-app purchase against the company’s own records to confirm that nothing fraudulent is going on. This gives developers an extra layer of defense against the vulnerabilities, and should cover them until an official fix is issued along with iOS 6. Apple’s new support documentation goes into further depth about what developers can do to make sure that they aren’t being taken for a ride.
The hack itself allows users to bypass Apple’s validation servers when making an in-app purchase, instead using a proxy to connect to a third-party server and send bogus validation back to the app. This lets users receive the content without any money ever changing hands. It’s unclear how many iOS developers have been affected by this workaround, but CNET says that the number of fraudulent in-app purchases could be as high as 30,000.
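
As an added example (not from Apple's documentation or the original article), here are the checks a developer's own server could apply to a receipt validation response that it fetched from Apple itself, rather than accepting one relayed by the device. The bundle id, the product id and the JSON field names (`status`, `receipt`, `bid`, `product_id`, `transaction_id`) are assumptions modelled on Apple's legacy receipt format, and the sample responses are constructed.

```python
# Added example: server-side checks on a receipt validation response.
# Field names are assumptions modelled on Apple's legacy JSON response.

EXPECTED_BUNDLE_ID = "com.example.game"          # hypothetical app identifier
KNOWN_PRODUCTS = {"com.example.game.coins100"}   # hypothetical product ids


def check_validation_response(response, seen_transactions):
    """Return (ok, reason) for a response obtained by the developer's own server.

    The caller must have fetched `response` from Apple directly; a response
    relayed by the device can be forged by a proxy, which is the bypass the
    article describes.
    """
    if not isinstance(response, dict) or response.get("status") != 0:
        return False, "status is not 0"
    receipt = response.get("receipt")
    if not isinstance(receipt, dict):
        return False, "missing receipt"
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "receipt issued for a different app"
    if receipt.get("product_id") not in KNOWN_PRODUCTS:
        return False, "unknown product"
    txn = receipt.get("transaction_id")
    if not txn:
        return False, "missing transaction id"
    if txn in seen_transactions:
        return False, "transaction already redeemed"
    seen_transactions.add(txn)  # record it so the same receipt cannot be reused
    return True, "ok"


# Constructed sample responses (not real receipts).
GENUINE = {"status": 0, "receipt": {"bid": "com.example.game",
           "product_id": "com.example.game.coins100",
           "transaction_id": "1000000000000001"}}
FOREIGN = {"status": 0, "receipt": {"bid": "com.other.app",
           "product_id": "com.example.game.coins100",
           "transaction_id": "1000000000000002"}}

if __name__ == "__main__":
    seen = set()
    for name, resp in [("genuine", GENUINE), ("foreign app", FOREIGN),
                       ("replay", GENUINE)]:
        print(name, check_validation_response(resp, seen))
```

A response that reports success but names another app's bundle id, or repeats a transaction id already redeemed, is rejected even though its status is 0.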