Wednesday, July 18, 2012

Free in-app purchases... if you're prepared to hand over your iTunes credentials to Russian hackers...

There's nothing like a reminder that IT Security Is Difficult when examples emerge of companies with significant development resources falling victim to security holes. Such is the case with this exploit of iOS in-app purchases exposed a few days ago.

In this particular case, I don't think the consequences of the flaw will necessarily be so terrible. To implement it, you apparently need to install certificates, fiddle with DNS settings and hand over your iTunes account credentials to Russian hackers. I suspect that at least one of these steps may be a hurdle for the average user of a platform generally chosen specifically by users who want to avoid this kind of hackery-pokery. But it serves as a wake-up call nonetheless.

The wake-up call for Javamex readers is that the main programming flaw appears to have been a failure to adhere to a basic principle of secure connections: make sure that the server you think you're talking to actually is the server you're talking to!
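
As an added example that is not from the post (and in Python rather than the Java this site usually covers), here are the two halves of that principle as a client would apply them; the host name and the certificate dictionaries are constructed for illustration. The TLS library checks the certificate chain when verification is required; the name check is the other half, written here in the shape in which Python's `ssl` module reports peer certificates.

```python
import ssl
# Host the app intends to reach for receipt verification (constructed placeholder).
RECEIPT_HOST = "verify.store.example"

# Constructed peer certificates in SSLSocket.getpeercert() layout, not real ones.
GENUINE_CERT = {"subject": ((("commonName", RECEIPT_HOST),),),
                "subjectAltName": (("DNS", RECEIPT_HOST), ("DNS", "*.store.example"))}
OTHER_HOST_CERT = {"subject": ((("commonName", RECEIPT_HOST),),),   # CN claims our host
                   "subjectAltName": (("DNS", "receipts.elsewhere.example"),)}  # SAN does not

def hostname_matches(expected_host, presented_names):
    """RFC 6125-style check: the intended host must be among the certificate's
    names. A wildcard covers one left-most label and needs two labels after it."""
    host = expected_host.lower().rstrip(".")
    for name in presented_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            prefix = host[:-len(name) + 1]
            if prefix and "." not in prefix and name.count(".") >= 2:
                return True
    return False

def names_from_cert(cert):
    """SAN DNS entries win; the subject commonName is only a fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names or [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]

def server_is_who_we_think(expected_host, cert):
    """getpeercert() returns {} when verification was off, so that never passes."""
    return bool(cert) and hostname_matches(expected_host, names_from_cert(cert))

def weak_context():
    """Encrypts, but trusts whichever server answers. check_hostname is cleared
    first because Python refuses CERT_NONE while hostname checking is still on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_context(cafile):
    """TLS_CLIENT defaults to CERT_REQUIRED plus check_hostname; loading only the
    CA expected to sign this server keeps a stray root in the device store irrelevant."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)  # not load_default_certs(): pin, don't widen
    return ctx
```

With `weak_context()` the socket's `getpeercert()` comes back empty, so `server_is_who_we_think` can never succeed; with `strict_context()` the handshake itself fails unless both the chain and the name check out.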

LetterMeister 0.4b released

LetterMeister 0.4b, released at the beginning of this week, now includes in-game music.