Yesterday morning, while testing iMazing 1.3’s new app backup/restore feature, we realised that quite a few popular apps contain severe weaknesses in their in-app purchase (IAP) handling code, resulting in vulnerabilities which can easily be exploited to manipulate IAPs.
For example, we tweaked Rovio’s Angry Birds 2 to easily allow starting the game with $10’000 worth of IAPs – see the 999’999’999 gems in the screenshot below.
$10’000 worth of gems in Rovio’s Angry Birds 2
These weaknesses could previously be exploited by editing and restoring an iOS backup containing the target app’s data, but a full restore can be time consuming, and iOS backups can hardly be shared among users. This is probably why these exploits aren’t public knowledge yet.
But our new app state backup/restore feature removes that friction: the app’s state can be exported as a .imazingapp file, which can be restored to any iOS 9 device in barely a minute.
We never intended to hack or facilitate hacking of IAPs. We developed iMazing’s app backup/restore primarily to enable:
We’ve only investigated a small number of apps. Considering the high percentage of apps that we found to be vulnerable, we strongly recommend that all developers review their IAP handling code.
Apps that we’ve tested fall in three categories:
The vulnerability is not in iOS, but in the affected applications’ IAP handling code. Purchased items should be stored in the keychain, or at least encrypted. The affected apps do neither, nor do they follow Apple’s recommendation to exclude purchased items from backups ( Apple IAP Guide )
Because we believe it’s only a matter of days before someone else figures it out, and because it’s the only way to alert all app developers of the issue.
We have been promising our users this feature for months, and were planning to release in time for iOS 9. We are already a full week late, and under pressure to release a fully iOS 9 compatible version of iMazing.
We have taken steps to prevent direct manipulation of iMazing’s exported app files (.imazingapp extension), but we cannot prevent modification of the backup from which app data is extracted.
Other similar software provide backup browsers with limited editing capabilities: removing this feature from iMazing would in any case not prevent tampering with application data.