Apple has found itself in a bit of a bind these past few days, as a Russian hacker has found a way to work around the iOS in-app purchase system, allowing users to download premium content for free.
On Friday, hacker Alexey V. Borodin launched a service that enables consumers to avoid in-app purchases with any device running iOS 3.0 or higher. The hack is an obvious violation of Apple's policies, and could negatively affect developer revenues on the iOS app store. So far, the service has attracted more than 30,000 illicit payment requests, reports The Next Web.
Of course, Apple has now set its sights on Borodin, and has blocked the IP of the server he used to authenticate purchases. The company has also issued a request to take down the original server in hopes of preventing further violations.
For a time, Borodin was also accepting donations via his site, though PayPal recently put a block on his account for breaching its terms of service.
Meanwhile, the hacker has been working to stay one step ahead of Apple, and has since moved his service to a brand new offshore server, allowing him to continue operations. He told The Next Web that he's improved the service to the point where it no longer needs to interact with Apple's servers at all, making it even harder to shut him down.
Borodin seems unwilling to relent with his hack, and has said that if Apple wants to stop it, it'll need to update the API used for in-app purchases, or find some other means of blocking his service. As of this writing, the hack still works, leaving in-app revenues at risk for the time being.
Truly the only reasonable response to someone running a web API compatible with another web API is the death penalty. It's not even clear to me that what this hack does is illegal, rather than just violating Apple's ToS.
Thanks, Wreschnig. It's clear that Daltro was being completely serious in suggesting we hire a former Russian spy to assassinate an internet vandal. Nobody would ever joke about such a thing.
So is this supposed to be push back against the free-to-play model's alleged "piracy proof" nature? I can't think of any other rationalization (that hackers usually have) for something like this.
Hackers rarely seem to have valid rationalizations behind their actions. They mostly do it because they can, to prove they can. Everything you hear after the fact is 'PR' crap or causes assigned to them by internet groups they might or might not be affiliated to.
Yeah this is just because they don't want to spend money pure and simple.
"It also points out several major security flaws in Apple's IAP architecture"
I was thinking about this argument the other day, and it's completely bogus. If I throw a rock through your window and steal your TV I could say that "I'm just pointing out the security flaw in your house." Of course no security system is perfect, the only reason the standards seem to be held higher online is because you don't have to break in from a public place (e.g. the street in which the victim's house is). This never makes it a justified action.
Except there's no "break in" here. You install something on a phone you own - you don't even have to jailbreak it - and that's it. No one took something away from someone else - they just sidestepped a transaction that usually adds some value to both sides, instead just gaining value on their own side.
I refuse to buy into the idea that ad blocking is theft. I refuse to buy into the idea that poking values into memory or disk files on a device I own is theft. At worst it makes you a jerk. Often it's a necessary step to make something usable (c.f. the state of web popups in 2001, PC gamers modifying configuration files in unsupported ways to make a game run, etc.).
If we must journey down the river of terrible physical analogies, it's like you visit an interior decorator, like their kitchen design, and remodel your own like it without hiring them. Does it make you kind of sleazy? Probably. (Are the majority of F2P payment schemes kind of sleazy? Probably.) Is it theft, or illegal? No. Should it be illegal? No way, consumer protections in this area have eroded more than enough already.
Maybe we can revisit this when players have legal protections against games closing without compensation for unspent scrip, or have the right to move games and data between all the devices they own, or the right to resell their digital games and scrip to other players. I can't feel very bad for game developers in this situation when the legal scales are tilted so far in their favor already.
Interesting concept. It's not taking something that cost work and effort without paying. It's "sidestepping a transaction".
Seriously, this idea that vandalizing something has a value because it points to a security flaw is disgusting. It's really like saying that when the mafia "offers" you "protection", they're giving a valuable service.
And pointing at questionable issues from the developers' side doesn't justify anything. Doing something wrong because someone else did something wrong doesn't make you right. It's just one of those rhetorical tricks that you see politicians use: "We didn't keep our promises, but you raised taxes!". The hacker mindset sounds, to me, like a huge collection of excuses and rationalization.
30,000 people shipped him their AppStore credentials in the process. He'll be fine without PayPal - 30,000 people are probably about to find themselves buying all sorts of games tied to people working with him.
Yes, yes, that's very clever of you, Alexey. Now please consider that you just eliminated enough revenue to keep a developer employed for a year or two.
In four days.
Keep ahead of Apple for a year and you'll mess with the livelihood of around 100 developers and artists in an industry that is already suffering. Heck, keep at it and you could slow or stop the feed of quality mobile games altogether.
To be honest, the mobile market is one of the worst places for monetary dependence. You don't make games to get rich. It's a benefit if you're lucky, but most of the time, it's not a road to paradise.
Not sure why anyone needs a hack to circumvent DLC for CSR Racing as they have in the picture.
Like most apps for iOS that sell game currency, they usually offer free coins daily, weekly, or monthly. In CSR's case, it's monthly. Simply change the date on your phone and enjoy free stuff.
Maybe the game chosen for the picture is bad, but hack app or not, most iOS games that rely on in-game currencies have plenty of workarounds without completely devious malicious coding.
While what this guy is doing is stupid, and harmful to the POTENTIAL revenue of a developer, his actual impact is probably fairly small.
Why are you eliminating all that REVENUE?
What garbage. Please read my above comment for details. This is theft pure and simple.
Got to protect that revenue stream!
That wasn't the point. The point was you don't need to hack many systems because they are poorly implemented. In CSR Racing's case. They made a Free App for the iOS and their sole source of income is users buying a special in-game currency. This isn't foreign, many apps rely on this type of system. 'The Burger is free. The Coke is $10.'
The currency can be used in place of the other earnable currency in game and can hurry the wait time on many things. Basically, they don't sell an advantage, they sell a resource to the impatient.
Unfortunately, to keep users coming back to their app, these types of apps offer free currency giveaways, usually timed. That's why they want you to turn on Push Notifications so bad.
The problem with this system is, unless you are a mildly retarded 13-year-old girl, it probably didn't take you long beyond simple thought to just simply adjust your phone's date over and over to earn game currency.
Such is the problem with free apps relying on in-game currency sales. They rely on their users not thinking in any way, shape or form.
So .... back to my original point that you missed.... this app hack sounds bad. I hope Apple finds a solution. However, the picture for the article is still stupid. If you need this hack for the app CSR Racing, you are retarded. No hack app needed. The game is poorly designed.
Understand?