
Bypassing paywalls on iOS apps

I've considered not writing this blog post as I am not promoting piracy on this blog, but am merely interested in the mechanics of bypassing paywalls or unlocking in-app purchases on iOS devices, hoping to urge developers to improve their security. However, without giving an exact walkthrough for a specific app, I feel I can stay within the right side of the thin line.

Prerequisites

You will need a jailbroken iOS device.

Currently, the latest iOS 10.2.1 version is not jailbreakable. You can always check the Jailbreak Reddit for the latest news and updates.

The easy method

The easiest method is installing a Cydia tweak that sends fake receipts to apps when you are attempting a purchase. This method will only work for certain apps that have a flaw in their purchasing process (e.g. only having a client-side check of the purchase instead of a server-side validation). Examples of such tweaks to unlock in-app purchases are LocaliAPStore, iAPFree, iAP Cracker and iAPCrazy. However, this method will not work for all apps, so you might need to experiment with other methods.

Override values with Flex 3

First, purchase ($4) and install Flex 3 on your jailbroken device. Flex 3 allows you to override values of iOS apps installed on your device, making it possible to do very interesting things such as removing advertising from apps, removing jailbreak detection, and much more.

You can either create your own tweaks or find them in the cloud library. Piracy tweaks are not allowed anymore.

However, if you wish to bypass paywalls on certain apps, let's say a newspaper, you can create a tweak yourself. Let's go:

For example, we were able to fake a subscription with a major newspaper to download the newspaper for free.

First, we selected one of our installed apps, chose Add Units... and searched for "bool subscription". Bingo, we found a few variables named hasValidAppleSubscription, hasValidPrintSubscription, etc.

By overriding the boolean value of these variables with TRUE, the app will recognize you as a user with a valid newspaper subscription and will download your daily newspaper.

If the app is suddenly crashing, you may need to disable some jailbreak checks by overriding these as FALSE as shown in the screenshots below. The variables you need to change may vary from app to app and it takes some trial and error, but usually you find the best results by overriding variables found with the following searches:

  • bool subscription
  • bool subscrib
  • bool premium
  • bool useris
  • bool jailbroken
  • bool jailbreak
  • bool update

Some newspapers tried to fix this in a new update. However, by disabling an update check or requirement, you can keep bypassing the paywall with older software versions. To fix this problem, subscriptions or purchases should be validated server-side before downloading premium content.
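The server-side check recommended above, sketched as an added example that is not part of the original post or any real newspaper's code: the server decides entitlement from its own records and hands out a short-lived signed download token, so a client-side boolean such as hasValidAppleSubscription never enters the decision. The names `ENTITLEMENTS`, `issue_download_token` and `serve_issue` are hypothetical, and the entitlement table is assumed to be filled only after the server has verified a purchase receipt itself.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret that never ships inside the app binary.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Assumption: written only after the server verified a purchase receipt
# itself; maps user id -> subscription expiry (epoch seconds). Constructed.
ENTITLEMENTS = {"alice": 2_000_000_000, "bob": 1_000_000_000}


def _sign(user, issue, expires):
    msg = f"{user}|{issue}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_download_token(request, now=None, ttl=300):
    """Return a short-lived token for one issue, or None if not entitled.

    Flags the client reports about itself (hasValidAppleSubscription and
    the like) are deliberately never read; only the server record counts.
    request["user"] stands in for an authenticated session identity.
    """
    now = int(time.time()) if now is None else now
    user, issue = request.get("user"), request.get("issue")
    if not user or not issue or "|" in user or "|" in issue:
        return None
    if ENTITLEMENTS.get(user, 0) <= now:
        return None  # unknown user or lapsed subscription
    expires = now + ttl
    return f"{user}|{issue}|{expires}|{_sign(user, issue, expires)}"


def serve_issue(token, issue, now=None):
    """Content endpoint: True only for a valid, unexpired token for this issue."""
    now = int(time.time()) if now is None else now
    parts = token.split("|") if isinstance(token, str) else []
    if len(parts) != 4:
        return False
    user, tok_issue, expires, mac = parts
    if not expires.isdecimal():
        return False
    expected = _sign(user, tok_issue, int(expires))
    good = hmac.compare_digest(mac.encode(), expected.encode())
    return good and tok_issue == issue and int(expires) > now
```

Because the decision and the premium files both live on the server, an older app version with its update check disabled gains nothing: it still has to present a token it cannot mint.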

I'm not an iOS developer and thus don't know the exact specifics on iOS programming, but I would like to know if it's possible to scramble code at client side so it would be impossible to make sense of the values to override.