One reason Apple has never been to keen on the jailbreaking community is that there are always some folks out there that unlock their device in order to circumvent the App Store and install pirated apps. Some have also used jailbreaking as a way to avoid paying for in-app purchases while still downloading the additional content. Now it turns out that there’s another way to do that — without jailbreaking.
It’s a more complex process than the average iOS user would be inclined to undertake, and it involves accepting a certificate from a Russian developer’s server (which is not something security experts generally advise doing) and modifying DNS records under Wi-Fi settings on the target iOS device. Following the steps basically creates an in-app purchase proxy and allows content to be downloaded without a valid receipt from Apple. Unsurprisingly, the developer’s server has already buckled under the additional traffic it received in the hours following the hack’s publication.
The hack wasn’t 100% effective, however. Many users reported that it didn’t work in certain apps, which might have something to do with Apple’s iOS purchasing APIs. Apple has always provided a way for app publishers to validate digital receipts. However, it appears as though the decision to implement validation is left up to developers and is not yet mandated by Apple. That may change in the wake of this highly-publicized hack, of course.
If this turns out to be the case, it seems strange that Apple hasn’t required receipt validation for in-app purchases all along. After all, it’s not just developers and publishers who lose out when paid content is downloaded for free. Apple misses out on its 30% cut, too.
More at 9to5 Mac
Source: Article Source