

new iOS IAP hack (no jailbreak required) - bignoggins
http://gizmodo.com/5925795/this-method-to-get-iphone-and-ipad-in+app-purchases-for-free-is-surprisingly-easy

======
stevenwei
Isn't this only an issue if your app is submitting receipt validation requests
directly from the device to Apple's validation server? E.g.

    device -> itunes.apple.com/verifyReceipt

I thought the best practices for receipt validation involved having your app
submit the receipt to your own server first, and then performing the receipt
validation with Apple on the server side. E.g.

    device -> yourownserver.com -> itunes.apple.com/verifyReceipt

In which case, even if someone man-in-the-middle's apple.com on their device,
it doesn't affect the receipt validation that you perform server side. Or am I
misunderstanding something and the hack is occurring at a lower level than
that?
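
The `device -> yourownserver.com -> itunes.apple.com/verifyReceipt` flow described in the comment above, as an added example that is not part of the original thread or anyone's production code. It goes slightly beyond the comment by also checking the bundle id, the product id and transaction reuse. The `ReceiptValidator` class, the `fake_apple` stub, the full endpoint hostname and the old-style response fields (`bid`, `product_id`, `transaction_id`) are assumptions.

```python
import json
import urllib.request

# Assumption: production endpoint; the thread only names itunes.apple.com/verifyReceipt.
VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

def post_to_apple(receipt_b64):
    """Runs on the server, so it uses the server's DNS and trust store, not the device's."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class ReceiptValidator:
    def __init__(self, bundle_id, transport=post_to_apple):
        self.bundle_id = bundle_id
        self.transport = transport
        self.seen = set()  # in-memory for the example; persist this in a real service

    def validate(self, receipt_b64, claimed_product):
        """Return (granted, reason). Nothing the device says about success is trusted."""
        try:
            reply = self.transport(receipt_b64)
        except Exception:
            return False, "apple_unreachable"  # fail closed
        if reply.get("status") != 0:
            return False, "apple_rejected"
        receipt = reply.get("receipt") or {}
        if receipt.get("bid") != self.bundle_id:
            return False, "wrong_app"
        if receipt.get("product_id") != claimed_product:
            return False, "wrong_product"
        txn = receipt.get("transaction_id")
        if not txn or txn in self.seen:
            return False, "replayed"
        self.seen.add(txn)
        return True, "ok"

def fake_apple(receipt_b64):
    """Constructed stand-in for Apple's reply so the example runs offline."""
    if receipt_b64 == "VALID":
        return {"status": 0, "receipt": {"bid": "com.example.game",
                "product_id": "coins_100", "transaction_id": "1000000001"}}
    return {"status": 21002}  # Apple's code for malformed receipt data

if __name__ == "__main__":
    v = ReceiptValidator("com.example.game", transport=fake_apple)
    for r in ("VALID", "VALID", "FORGED"):
        print(r, v.validate(r, "coins_100"))
```

The entitlement decision is made and stored on the server, so a device that redirects its own traffic for Apple's hostname changes nothing the server sees.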

