Borodin's method works by sending purchase attempts to third-party servers where they are validated and returned to the application as if the transaction was completed. The method requires the device to be on a wi-fi network and to have its DNS server settings altered, but does not require jailbreaking.
Borodin originally published the hack using the handle ZonD80.
In an attempt to block the method, Apple took the following steps:
- It blocked the IP address of the server used by Borodin to authenticate purchases.
- It issued a copyright claim on the YouTube demo video.
- It convinced the host of Borodin's original server, which was located in Russia, into dropping his service.
saying that his protocol has been modified to "include its own authorisation and transaction processes." His new method “can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.”
In addition, in order to use the "service," users must now first sign out from their iTunes account. He said he did this so that “[the users] don’t scream to the Internet that I am stealing their credentials.”
It's a cat-and-mouse game and eventually the cat (Apple) will win, but for now the mouse is enjoying itself. In fact, after Apple took down the original demo video, Borodin put up a new one (embedded).