It’s not a trend that gamers are especially ecstatic about, but in-app purchases (IAP) have become a major element of mobile gaming. It’s how many of the biggest games on the App Store stay afloat, but earlier this week, the developers at DigiDNA discovered a coding flaw that could allow hackers to steal thousands of dollars worth of IAP from popular games.
“Yesterday morning, while testing iMazing 1.3’s new app backup/restore feature, we realised that quite a few popular apps contain severe weaknesses in their in-app purchase (IAP) handling code, resulting in vulnerabilities which can easily be exploited to manipulate IAPs,” says the DigiDNA team.
After tweaking Angry Birds 2, the developers were able to start a new game with 999,999,999 gems, which serve as the premium currency in Rovio’s latest game. It would cost a user $10,000 to get that many gems legitimately.
The team says that the vulnerability has been accessible for quite some time, but in order to take advantage of it, users would have to edit and restore an iOS backup, which is relatively complicated and time-consuming.
Here’s the issue: the latest version of the iMazing app includes a feature that allows users to export the app’s state as a .imazingapp file, which can then be restored to an iOS 9 device “in barely a minute.” As DigiDNA explains, there was never any intent to make hacking easier, it’s simply a byproduct of the feature, so the team is doing everything in its power to get the word out so that other developers can address the issue promptly.
Not only does DigiDNA want developers to have time to fix the exploit, they also want users to know that this is not Apple’s fault. Coming off of the biggest malware attack in the history of the App Store, it might be tempting to connect the two, but it’s simply not the same issue.
“The vulnerability is not in iOS, but in the affected applications’ IAP handling code,” DigiDNA explains. “Purchased items should be stored in the keychain, or at least encrypted. The affected apps do neither, nor do they follow Apple’s recommendation to exclude purchased items from backups.”
We’ll see how quickly mobile developers respond.
