How Sally Got Owned: An Illustrated Example of How Piracy Can Endanger Your Mobile Device
Posted by Melissa Elliott in RESEARCH, July 19, 2012 | Comments (0)
Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but there was a lot of confusion about how it could possibly work and whether it was safe.
The person who published the instructions added a note reminding readers not to type in their real username and password when prompted. That should be a big hint: even if he was not looking to harvest passwords, every username and password entered was being sent to his fake App Store server. Anyone could set up an alternate server – especially if his is blocked by law enforcement – and conveniently “forget” to mention that whatever username and password you type in will be sent to them. Even with the warning, many people admitted to using their real username and password with the pirate server, because they did not realize they were handing it to a stranger.
Let’s be clear: the existing fake iOS in-app purchase server has not yet been caught being malicious, but the techniques it uses to enable piracy are dangerously insecure. This is a story about exactly how it can go wrong.
There is a full transcript after the images for screen readers.
Read the original article at the Vara Code Blog