iOS 9 code vulnerability lets hackers steal thousands of dollars worth of in-app purchases

September 24th, 2015 at 3:36 PM

It’s not a trend that gamers are especially ecstatic about, but in-app purchases (IAP) have become a major element of mobile gaming. It’s how many of the biggest games on the App Store stay afloat, but earlier this week, the developers at DigiDNA discovered a coding flaw that could allow hackers to steal thousands of dollars worth of IAP from popular games.


“Yesterday morning, while testing iMazing 1.3’s new app backup/restore feature, we realised that quite a few popular apps contain severe weaknesses in their in-app purchase (IAP) handling code, resulting in vulnerabilities which can easily be exploited to manipulate IAPs,” says the DigiDNA team.

After tweaking Angry Birds 2, the developers were able to start a new game with 999,999,999 gems, which serve as the premium currency in Rovio’s latest game. It would cost a user $10,000 to get that many gems legitimately.

The team says that the vulnerability has been accessible for quite some time, but in order to take advantage of it, users would have to edit and restore an iOS backup, which is relatively complicated and time-consuming.

Here’s the issue: the latest version of the iMazing app includes a feature that allows users to export the app’s state as a .imazingapp file, which can then be restored to an iOS 9 device “in barely a minute.” As DigiDNA explains, there was never any intent to make hacking easier; it’s simply a byproduct of the feature. The team is therefore doing everything in its power to get the word out so that other developers can address the issue promptly.

Not only does DigiDNA want developers to have time to fix the exploit, they also want users to know that this is not Apple’s fault. Coming off of the biggest malware attack in the history of the App Store, it might be tempting to connect the two, but it’s simply not the same issue.

“The vulnerability is not in iOS, but in the affected applications’ IAP handling code,” DigiDNA explains. “Purchased items should be stored in the keychain, or at least encrypted. The affected apps do neither, nor do they follow Apple’s recommendation to exclude purchased items from backups.”
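For app developers, the two mitigations named in that statement look roughly like this in Swift. This is an added example, not code from DigiDNA or from any affected app; the `PurchaseStore` type, the service and account labels, and the choice to store a single gem balance are assumptions made for illustration.

```swift
import Foundation
import Security

// Hypothetical store for a purchased currency balance (names are assumptions).
enum PurchaseStore {
    static let service = "com.example.game.iap"   // assumed identifier
    static let account = "gemBalance"             // assumed key

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Keep the balance in the keychain instead of a plain file in the app sandbox.
    static func save(balance: Int64) -> Bool {
        let attrs: [String: Any] = [
            kSecValueData as String: Data(String(balance).utf8),
            // ThisDeviceOnly: the item does not migrate to another device on restore.
            kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        ]
        var status = SecItemUpdate(baseQuery as CFDictionary, attrs as CFDictionary)
        if status == errSecItemNotFound {
            let item = baseQuery.merging(attrs) { _, new in new }
            status = SecItemAdd(item as CFDictionary, nil)
        }
        return status == errSecSuccess
    }

    /// Returns nil when nothing is stored or the stored value is not a valid integer.
    static func load() -> Int64? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &out) == errSecSuccess,
              let data = out as? Data,
              let text = String(data: data, encoding: .utf8) else { return nil }
        return Int64(text)
    }

    /// Any purchase-related file that must stay on disk is excluded from backups.
    static func excludeFromBackup(_ fileURL: URL) throws {
        var url = fileURL
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try url.setResourceValues(values)
    }
}
```

Client-side storage hardening of this kind raises the cost of tampering; apps that can do so should also validate purchase receipts on a server they control rather than trusting a locally stored balance.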

We’ll see how quickly mobile developers respond.

Jacob started covering video games and technology in college as a hobby, but it quickly became clear to him that this was what he wanted to do for a living. He currently resides in New York writing for BGR. His previously published work can be found on TechHive, VentureBeat and Game Rant.
