Thursday 23 August 2012

In-app purchase vulnerability & MonoTouch

Earlier this year (around July) Apple announced that a vulnerability had been discovered in the in-app purchasing mechanism, which they discuss here. They provide some Objective-C code which:

  • Checks the information returned matches the information in the SKPayment
  • Checks that new transactions have a unique transaction ID
  • Verifies the SSL certificate
  • Verifies the receipt's signature

I've started a port of that code to MonoTouch, so far it only performs the first two mitigation steps. The VerificationController c# class is a gist.

Adding this code to a simple in-app purchase implementation would turn something like this:

into something like this:

where there is now an additional web request round-trip in your purchase code, plus a pile of comparisons to see whether the the StoreKit receipt matches the one you requested from iTunes directly. It also stores a list of every transaction ID in NSUserDefaults that is used to identify duplicates (which is an indication that the responses are being faked).

WARNING: the c# port currently only performs rudimentary checks comparing the receipt returned by StoreKit to one you've attempted to independently verify with iTunes. Without the SSL certificate and signature checks your code will still be vulnerable to sophisticated hacks on the DNS config to re-route requests and fake the responses. Please consider this a starting point for improving the security of your in-app purchase code.

NOTE: Apple says this vulnerability will be addressed in a future version of the operating system!

3 comments:

  1. Hi Craig, I had heard about this one some time ago. Did you port the rest of the checks across at all? If so, I'd love to hear how you went :)

    ReplyDelete
  2. Since iOS 6 was released I believe the issue has been addressed - I don't see Apple telling developers to use this workaround in iOS 6 apps. I didn't end up finishing the port :-\

    ReplyDelete
    Replies
    1. Cool - thanks Craig. Looks like you're in Sydney- good to know there are other MT guys in my area! We should get a meetup happening somewhere... :)

      Delete

Note: only a member of this blog may post a comment.