Apple In-App Purchases Hacked! -- How exposed are Corona SDK-made apps?

The following article talks about a recent hack that robs app developers of revenue from Apple in-app purchases:

http://www.macworld.com/article/1167677/hacker_exploits_ios_flaw_for_free_in_app_purchases.html

From the article:

Borodin’s hack doesn’t work for all in-app purchases. That’s because there are two ways for developers to validate the receipts they receive from Apple—from the iOS device or on the app’s own Web servers…

So Borodin’s hack works with purchases validated solely on iOS, because those purchases look only at the fake Apple server addresses the hack provides. Apps that instead rely on their own Web servers to validate receipts, of course, talk to the genuine Apple servers—which in turn respond that the receipts are invalid, since Apple didn’t really generate them. But Borodin says that the next phase of his hack will go one step further: “The future is to cache developers’ server responses,” he said, which would mean that even apps that validate on the Web would be at risk.

My question is: does the Corona SDK implementation of Apple in-app purchases support both methods? Especially the one that lets apps contact non-Apple servers to validate receipts?

I assume that when Apple “fixes the problem”, Corona Labs will provide a prompt update so apps can be updated to be immune to the hack.

thanks
Ken Cardita
Curved Light Solutions LLC

Bump — two weeks and no comments?

Is this not a concern for iOS developers who use IAP?

Ken

I’m sure Eric will weigh in here. But my own perspective on this is that everyone should report this to Apple, even if you think they already know about it.

As the article you linked to says, why should you give Apple a 30% cut of your revenue if you’re missing out on it with hacks like this?

If everyone and their dog reported this stuff to Apple, regardless of the fact that they already know about it, it would help push it as a critical must-fix case that simply won’t be ignored by developers.

We shouldn’t need to validate the receipts ourselves; Apple should do it and do it right.

Again, all of this is solely my own opinion and doesn’t necessarily reflect the view of Corona Labs.

First, you can already set up your own servers to do your own validation as Apple says if you really want to. You already get back the transaction receipts through the API.

But I agree with Danny that you should all be complaining to Apple by filing bug reports (especially since they get 30% and make you pay $99/year) and get them to make this both safer in iOS and easier/automatic to do instead of writing your own validation code. If you do it yourself, it is easy to do it wrong such as ending up preventing users from restoring purchases on other devices they own which violates the terms of the App Store.

Rumor has it that iOS 6 might do this, but your guess is as good as mine. If you want Apple to backport the fixes to iOS 5, you should complain to Apple about that too. (Though perhaps a more effective argument would be to get Apple to support iOS 6 on all current iOS 5 devices.)

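To make the two points in the last reply concrete (validating on your own server instead of on the device, and doing so without breaking restores on a user’s other devices), here is an added example. It is not Corona Labs’ code, not Apple’s, and not from anyone in this thread. The flow it assumes: the app gets the transaction receipt back through the store API, forwards it to our own server, and our server POSTs it to Apple’s verifyReceipt endpoint and inspects the JSON answer. Because that request leaves from a host the attacker does not control, redirecting the device’s traffic to a fake Apple server does not help them. The bundle id `com.example.myapp`, the product ids, the account names, and all of the receipt responses below are constructed for the example; the field names (`status`, `receipt`, `bid`, `product_id`, `transaction_id`, `original_transaction_id`) are those of the legacy verifyReceipt response of that era.

```python
"""Server-side verification of an Apple in-app purchase receipt (added example)."""
import json
import urllib.request

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_VERIFY_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Assumptions for the example: our app's bundle id and the products it sells.
EXPECTED_BUNDLE_ID = "com.example.myapp"
KNOWN_PRODUCTS = {"com.example.myapp.unlock", "com.example.myapp.coins100"}


def post_to_apple(receipt_b64, url=APPLE_VERIFY_URL):
    """Real transport: POST {"receipt-data": <base64 receipt>} to Apple, return parsed JSON.
    The offline demo below feeds canned responses to check_receipt() instead."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_receipt(apple_response, expected_product=None):
    """Go beyond 'status == 0': the receipt must be for OUR app and OUR product.

    A server that is not Apple's can answer status 0 with a receipt that is
    genuine for some other app; the bundle-id/product checks catch that.
    Returns (ok, reason, receipt_dict)."""
    if apple_response.get("status") != 0:
        return False, "apple status %s" % apple_response.get("status"), None
    receipt = apple_response.get("receipt") or {}
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:          # bid = bundle identifier
        return False, "bundle id mismatch", None
    if receipt.get("product_id") not in KNOWN_PRODUCTS:
        return False, "unknown product", None
    if expected_product and receipt.get("product_id") != expected_product:
        return False, "product does not match the one the app asked for", None
    for key in ("transaction_id", "original_transaction_id"):
        if not receipt.get(key):
            return False, "missing %s" % key, None
    return True, "ok", receipt


class Ledger:
    """Records which original purchase belongs to which account.

    Keyed on original_transaction_id, not transaction_id: restoring a purchase
    on a second device yields a new transaction_id but the same
    original_transaction_id. The same account is therefore let through
    (restore), while a different account presenting that purchase is refused
    (shared or replayed receipt). Keying on transaction_id alone would either
    block legitimate restores or let one receipt unlock many accounts."""

    def __init__(self):
        self.owner_of = {}  # original_transaction_id -> user_id

    def apply(self, user_id, apple_response, expected_product=None):
        ok, reason, receipt = check_receipt(apple_response, expected_product)
        if not ok:
            return "rejected: " + reason
        orig = receipt["original_transaction_id"]
        owner = self.owner_of.get(orig)
        if owner is None:
            self.owner_of[orig] = user_id
            return "granted"
        if owner == user_id:
            return "restored"
        return "rejected: purchase already belongs to another account"


# --- Constructed sample responses (not captured from Apple) ---------------------
GENUINE = {"status": 0, "receipt": {
    "bid": "com.example.myapp", "product_id": "com.example.myapp.unlock",
    "transaction_id": "1000000012345678", "original_transaction_id": "1000000012345678",
    "purchase_date": "2012-07-13 10:00:00 Etc/GMT"}}
# Same purchase restored on the user's second device: new transaction_id, same original.
RESTORED = {"status": 0, "receipt": {
    "bid": "com.example.myapp", "product_id": "com.example.myapp.unlock",
    "transaction_id": "1000000012349999", "original_transaction_id": "1000000012345678"}}
# Status 0, but a receipt for some other app: what a non-Apple responder could hand back.
OTHER_APP = {"status": 0, "receipt": {
    "bid": "com.someone.else", "product_id": "com.someone.else.gems",
    "transaction_id": "1000000000000001", "original_transaction_id": "1000000000000001"}}
MALFORMED = {"status": 21002}  # Apple's code for malformed or missing receipt-data


def demo():
    """Run the sample responses through one ledger; returns the decisions in order."""
    ledger = Ledger()
    return [
        ledger.apply("alice", GENUINE, expected_product="com.example.myapp.unlock"),
        ledger.apply("alice", RESTORED),   # alice restores on her iPad: allowed
        ledger.apply("bob", RESTORED),     # bob presents alice's receipt: refused
        ledger.apply("alice", OTHER_APP),  # status 0 but wrong bundle id: refused
        ledger.apply("alice", MALFORMED),  # Apple says the receipt is garbage
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The server also has to know which account made the request (a session or signed token from the app), since the ledger decision depends on it; and in production the sandbox URL is used for test builds, which Apple signals with its own status codes. None of that changes the core point: the decision to grant is made on your server from Apple’s answer, not on the phone from whatever answers at Apple’s hostname.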