Over the last few months, exploits and holes in the payment process for in-app purchases have allowed mobile users to obtain premium content for free, bypassing the need to pay for additional material. Applications such as In-appstore.com for iOS and Freedom for Android exploit security holes in each operating system to unlock premium and additional in-app content without payment, depriving developers of significant amounts of revenue.
With gaming and software companies heavily invested in the mobile space, apps are now de rigueur for every major film, television show, or music artist, with new albums even being pre-released exclusively via apps. The security of the app distribution process is of major commercial importance. In the last couple of years, app developers have increasingly turned to a 'freemium' model for app distribution: a free app download with in-app purchases gathering revenue from active users. This strategy has proved very successful. For instance, over three-quarters of all iOS app revenue was generated by in-app purchases in March 2013, according to a report from Distimo, and the situation is believed to be similar for the Android ecosystem. However, recent exploits of both Apple’s and Google’s payment systems have opened up the in-app purchase world to circumvention and piracy.
Since its launch in 2008, the iOS App Store has grown from just 500 third-party applications to an estimated 900,000 in June 2013. Google’s Play Store holds over 850,000 applications. Both ecosystems have helped fuel the downloading of many billions of apps, creating a lucrative revenue stream for developers of premium applications, despite the threat of piracy on both platforms. App piracy has been a concern of many developers since Apple opened up the iOS App Store to third-party developers in 2008. Both iOS and Android block installations of pirated applications by default, but removing this restriction is often trivial: many iOS users choose to 'jailbreak' their devices and Android users simply have to uncheck a menu setting. Device owners can then install pirated apps through repository systems such as Appcake for iOS or BlackMart Alpha for Android, damaging the revenue stream of such applications.
This threat is one reason why many developers moved away from paid apps towards a freemium model of distribution. Rather than the purchase price providing sustenance to the developer, revenue is generated by encouraging users to purchase additional resources from within the app itself (in-game currency, additional play time, new equipment, additional features, and so on). Such purchases leverage the payment processing mechanisms of each operating system. These enable in-app purchases to operate smoothly and seamlessly and remove the need for each developer to operate a separate payment processing accounts system.
Developments that threaten these models must be taken seriously. Deficiencies in the payment system employed by both Apple’s App Store and Google’s Play Store put the system of in-app purchases at risk, and a number of techniques are already being exploited by phone and tablet users to steal premium content. The process on Android and iOS involves different methods of installation, but essentially results in the same outcome: free in-app purchases.
For Android, circumventing the in-app purchasing system is achieved through the download and installation of an application called ‘Freedom’. When run, the app displays a list of potentially hackable applications already present on the system.
Users launch the applications from this menu and Freedom takes control of the payment processing system within the app. Instead of the app sending a payment request through to Google Play as normal, Freedom redirects purchase traffic (by altering the settings on the device's network connections) to the Freedom application, which spoofs authorisation of the requested payment through an auto-generated and fictitious "FreeCard". In practice, this allows Freedom users to obtain premium content such as Eagle packs in Angry Birds (retail price $19.99) or to load celebrity voices such as Homer Simpson into GPS software Navman (retail price £2.99). Testing found that the number of in-app purchases that could be authorized within Freedom appeared to be unlimited. Only a small number of apps were located for which Freedom did not function.
Use of the Freedom app itself is relatively straightforward, but users may find it a bother that the official Google Play store often becomes inaccessible after Freedom's installation. The store must be completely reinstalled before any new application can be downloaded or legitimately purchased from it. While this may cause some annoyance to users of the Freedom app, it may be a trade-off many will be willing to make to gain access to so much free content.
In-appstore.com for iOS
In iOS, the process of circumvention is slightly more convoluted, requiring browser certificates be installed and DNS settings changed. The exploit does not require that the device is jailbroken to function and may be attractive to those users who do not want to void the warranty of their device via jailbreaking but wish to access pirated content.
Circumvention in iOS works via a method posted to the in-appstore.com web site. The site claims to offer a single-click solution for jailbroken phones using the Cydia repository, but testing found this presently non-functional. The manual implementation of the hack on iOS redirects in-app purchase requests to a server at an address in the Netherlands, which spoofs authorization in the same way as Freedom on Android.
However, the suite of applications that are vulnerable to the iOS exploit seems far smaller than for Android. While some common apps could be tricked into unlocking premium content, many games and apps seem to have implemented additional protections against exploitation. For example, testing found that Clash of Clans performs additional server-side checks which block fraudulent transactions, while Navfree - open to exploitation on Android devices - successfully blocks fake transactions on iOS devices. Other methods of circumventing in-app purchasing on iOS (such as IAPFree) also suffered the same fate.
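The kind of server-side check credited above with blocking fraudulent transactions can be sketched as follows. This is an added example, not code from any app or store named in the article: an HMAC with a key held only by the store and the developer's server stands in for a real store's receipt signature scheme, and all function names, product ids and order ids are constructed.

```python
import hashlib
import hmac
import json

# Assumption: key known only to the simulated store and the developer's
# server. It never ships in the app, so nothing on the device can sign with it.
STORE_KEY = b"constructed-demo-key"


def store_issue_receipt(order_id, product_id, key=STORE_KEY):
    """Simulated store backend: return a signed receipt for a paid order."""
    payload = json.dumps({"order_id": order_id, "product_id": product_id},
                         sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


class EntitlementServer:
    """Developer's server: unlock content only for receipts it can verify."""

    def __init__(self, key=STORE_KEY):
        self._key = key
        self._redeemed = set()  # order ids already used, to stop replays

    def redeem(self, receipt, requested_product):
        payload = receipt.get("payload", "")
        expected = hmac.new(self._key, payload.encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison against the signature the client sent.
        if not hmac.compare_digest(expected, receipt.get("signature", "")):
            return "rejected: bad signature"
        data = json.loads(payload)  # parsed only after it is authenticated
        if data["product_id"] != requested_product:
            return "rejected: product mismatch"
        if data["order_id"] in self._redeemed:
            return "rejected: already redeemed"
        self._redeemed.add(data["order_id"])
        return "granted"


def demo():
    server = EntitlementServer()
    genuine = store_issue_receipt("order-0001", "premium_pack")
    # Constructed stand-in for a spoofed authorisation: well formed, but
    # produced without the store's key.
    spoofed = store_issue_receipt("order-9999", "premium_pack", key=b"not-store")
    return [server.redeem(spoofed, "premium_pack"),
            server.redeem(genuine, "premium_pack"),
            server.redeem(genuine, "premium_pack"),   # replay of a real receipt
            server.redeem(genuine, "voice_pack")]     # receipt for another item
```

Because the decision is made on the server with a key the device never holds, a response fabricated on or near the device is not enough to unlock content.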
In-app purchase piracy has the potential to disrupt the mobile application market, but it may be possible for developers to mitigate their risk. Current methods of exploitation require a certain level of technical skill for implementation, something that many users will find off-putting. Further, both iOS and Android circumventions also require users to trust systems exclusively designed to defraud mobile developers of income (either by routing network traffic to unknown servers in the case of iOS devices or granting full root access to an application of unknown provenance in the case of Freedom on Android). Also, using either of these methods to obtain premium content for free is a step along the moral continuum from the easier-to-justify decision to, say, "try out" a cracked copy of a new app or game.
Yet with increasing numbers of devices in the hands of the young, many of whom will be tech-savvy enough to handle the installation process without fear and perhaps carefree enough not to consider the moral or legal ramifications of their actions, the risk of these exploits could grow. The overlords of each operating system (both of which, of course, garner 30% on all in-app purchases) must continue to ensure a robust and trustworthy payment platform that can be relied upon by mobile developers. The breaches must be fixed at a system level with assurances that they will remain patched in the future. Apple has a better record at ensuring that security patches are well implemented than Google, with Android version fragmentation a major problem.
Written by Ricky Bruce, Piracy Intelligence Analyst, NetNames
27 September 2013
Article extracts from NetNames’ Scrutiny publication.