

iOS 'in-app purchase' hack extended to include Mac App Store apps - hansy
http://www.forbes.com/sites/adriankingsleyhughes/2012/07/21/ios-in-app-purchase-hack-extended-to-include-mac-app-store-apps/

======
activepeanut
Apple says you should validate your purchases with your own server, which
should communicate directly with Apple's.

Seems to me like that's still secure.

~~~
kennywinker
This whole thing is overblown. For instance, another common technique with
in-app purchases is to store an "item-y-has-been-purchased" key in either the
NSUserDefaults or the keychain. Both of these are editable on jailbroken
phones.

In-app purchase is inherently insecure, but who the hell cares? If you are
willing to go this far to get around paying, you're probably not going to pay.
It's called software piracy, and it's going to happen, no matter what you do.

~~~
activepeanut
One thing you can do, which may or may not help, is use the Keychain Services
API.

[http://developer.apple.com/library/ios/#DOCUMENTATION/Securi...](http://developer.apple.com/library/ios/#DOCUMENTATION/Security/Reference/keychainservices/Reference/reference.html)

It's more commonly used to store credentials, but it'll store whatever you
give it.

It's important to note, when using this API, that the data is NOT erased when
you erase the application. In other words, whatever way you save and restore
your data, you want it to be future-proof[1]. Because you can't tell the user
to delete the app, reinstall, and restore their purchases if something went
wrong.

[1] I personally stash a protocol buffer message inside an NSData for that
purpose.

But anyway, you're right... whatever you do, pirating will happen.

------
littletables
Here is a much better version of this article (might be the original):

[http://www.zdnet.com/apple-mac-in-app-purchases-hacked-every...](http://www.zdnet.com/apple-mac-in-app-purchases-hacked-everything-free-like-on-ios-7000001323/)

------
coolnow
Let the idiots compromise their certs to get cheap apps for free. It'll cost
them in the long run when their details get stolen.

