In this post, we will reverse an app that uses the StoreKit framework and bypass its In-app purchase (IAP) features. This case is quite special: the app forces the user to sign up for a free trial before allowing any use, and the trial auto-renews on the monthly price plan if you forget to cancel before the renewal date. There is no option on the screen to opt out of the IAP.
Figure: Hidden backdoor
In this post we will continue to enhance the Medium tweak. We will learn how to create a preference bundle and hook into Settings.app to configure the default number of claps. If you have not read part 1 yet, I suggest having a look at it first before continuing.
Figure 1: Medium Tweak Preference
Today we will reverse engineer the Medium iOS app and modify its existing claps feature. We will also learn how to create your own Cydia tweak using the theos platform, hook into a method, and change its behavior as we want. Let's do it!!!!
Figure: How to create your own Tweak
In this post, we will reverse engineer an app that uses the StoreKit framework and bypass its In-app purchase features. StoreKit is an iOS framework that supports in-app purchases and interactions with the App Store (rating and reviewing the app, and so on). It lets iOS developers implement the in-app purchase feature with ease. However, most developers just make it work without following best practices, which leaves flaws that attackers can inspect and use to defeat the In-app purchase feature easily, meaning they can use the app's premium content for FREE. Let's do some reverse engineering to find out what the flaws are and how to exploit them using LLDB.
Figure: StoreKit In-app Purchases flow (source: Medium)
Imagine that you want to inspect an app to see what information is exchanged between the mobile app and the server. You might think of using simple proxy tools to sniff requests and responses, or of more advanced techniques such as reversing the binary to find endpoints, parameters and response payloads. To start the SSL pinning bypass series, this post introduces how to leverage LLDB to disable SSL pinning in iOS apps during the reverse engineering process.
Figure: LLDB Attached
Today we will reverse engineer a React Native iOS app and bypass its in-app purchase to use locked features. Below is an example of the purchase screen that appears whenever you tap on premium content.
Figure 1: Sample In-app purchases locked contents
In this post, we will reverse engineer an app and unlock in-app purchase contents by modifying a local configuration on the device. Below is an example of locked features and unlocked ones.
Figure 1: Sample In-app purchase locked contents
In this post I will share some steps to enable blocked or hidden features in an iOS app using the Burp Suite tool.
I will use EWA, a language learning app on the App Store, to illustrate the whole process.
Figure 1: Burp Suite