Monday, July 16, 2012

Apple In-App purchasing hack? Naughty naughty ZonD80. (But good reveal!)

I'm too lazy to make a 'these are not the servers you are looking for ' pic :p

So I was introduced to an >Article< about how a Russian hacker has managed to use man-in-the-middle attack methods to trick Apple's servers, which handle transactions between users and the apps in which they are making in-game purchases.

This >Article< from ItWire explains quite well how it came to be, though I have some additional thoughts on the matter. I thought where else better to air them than this here blog? ^.^

What the article touches on but does not explain in detail is the 'layers of security' that some app developers use. I'm not sure if this is the only form of protection against this, other than implementing extra steps in the process of making in-app purchases to verify the user and the transaction, but the area I am going to (briefly) discuss is that of where data is stored... Client side data storage, or server side data storage.

What's the difference?

As best as I understand it (Correct me in the comments please if I am wrong!): Client side data storage is where chunks of user data are stored on the user's device, and when the user uses the app and connects up to the internet with it. The client side storage could hold information about transactions performed, user scores, personal information, etc.

Server side storage is where this information is stored within the database server of the app-making company or some 3rd party company.

When an app using client side storage connects up to the App database, only as much information as is required to reveal the identity of the device/account connecting is needed, and any data that is to be updated is done in the one chunk, not at regular intervals as with server side storage. This makes for a quick and simple set of communications. As you can imagine, with server side storage, the servers could be hammered if there is a large user base making regular updates to their account information.

The issue here arises when someone performs this man-in-the-middle attack... The client's device attempts to connect to the server's database to perform the series of data transactions required to make the purchase, but instead meets the man-in-the-middle, which appears to the client's device to be the server it is looking for. It then completes the transaction. As the information is stored on the client side, many of the devices will then have the data they need to perform the in-game update of gold, upgrades, or whatever it is the user was wanting, as the calculations are all done at their end.
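The difference described above, as an added example that is not part of the original post: a toy Python model in which an HMAC key stands in for the store's real receipt signing, and all names (`STORE_KEY`, `GameServer`, `redeem`) are assumptions made for the illustration. The client-side version credits itself on any reply that says "ok", while the server-side version keeps the balance on the server and credits only a receipt that verifies and has not been used before.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's signing key (assumption): a real store
# uses its own receipt scheme; HMAC only keeps this example offline.
STORE_KEY = b"constructed-demo-key"

def store_issue_receipt(account, product, txn_id):
    """What the genuine store returns after a paid purchase."""
    body = json.dumps({"account": account, "product": product, "txn": txn_id}, sort_keys=True)
    sig = hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"status": "ok", "body": body, "sig": sig}

def client_side_grant(balance, response, amount=100):
    """Client-side model: the device credits itself on any 'ok' reply."""
    return balance + amount if response.get("status") == "ok" else balance

class GameServer:
    """Server-side model: the balance lives here, credited after verification."""
    def __init__(self):
        self.balances = {}
        self.seen_txns = set()

    def redeem(self, account, response, amount=100):
        body, sig = response.get("body", ""), response.get("sig", "")
        expected = hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False                      # not signed by the store
        receipt = json.loads(body)
        if receipt["account"] != account or receipt["txn"] in self.seen_txns:
            return False                      # wrong account or replayed receipt
        self.seen_txns.add(receipt["txn"])
        self.balances[account] = self.balances.get(account, 0) + amount
        return True

def demo():
    genuine = store_issue_receipt("alice", "gold_100", "txn-0001")
    # Constructed reply from something that is not the store: says "ok", bad signature.
    impostor = {"status": "ok", "body": genuine["body"], "sig": "0" * 64}
    server = GameServer()
    return {
        "client_trusts_impostor": client_side_grant(0, impostor),
        "server_accepts_impostor": server.redeem("alice", impostor),
        "server_accepts_genuine": server.redeem("alice", genuine),
        "server_accepts_replay": server.redeem("alice", genuine),
        "server_balance": server.balances.get("alice", 0),
    }
```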

So what can we learn from this?

Server side data storage is SLOWER but is MORE SECURE. I suppose you could think of it as a good old asset(?) triangle, or pyramid:

As they say - pick two of three. If you want fast and secure, it costs a lot. If you want secure and cheap, it will be slower and if you want fast and cheap (the standard I suppose if the data is not deemed a critical security asset) - then you lapse in security.

In conclusion:
So what can be done about this security issue?

Two things that I can think of. Either the app developers need to change the structure of their games - which may be difficult, if not impossible, or Apple needs to patch the system to prevent these security attacks from working.

I am not sure if ZonD80 - the Russian hacker that got this working - was looking to make a buck, show off, or was trying to point out the security flaws so that they can be patched. Kudos if he was making the reveal so it could be repaired, but I think, from what I have read, that as he put tutorials up for others to use, he may have been being a little bit naughty naughty ^.^

-V
