Apple has plugged a gap in security that allowed a Russian hacker, Alexey Borodin, to hijack in app purchases on the app store.
Apple has addressed the problem by publishing a "best practices" paper, in which the company makes the unusual move of encouraging use of a private API.
"[The] game is over," said Borodin. "Currently we have no way to bypass updated APIs."
"It's good news for everyone; we have updated security in iOS, developers have their air-money."
The hack consisted of configuration changes and fake certification files that routed purchases through a hoax server, allowing a user to gain access to digital goods for free.
There have already been tens of thousands of illicit downloads, and the cost to developers can only be guessed at.
But the Russian security revolutionary is not finished yet and, according to Gamasutra, plans to take his campaign to the Mac App store.
Borodin released a similar exploit for the Mac on friday, again allowing users to bypass in app purchases and loot digital goods.
Apple has not yet released a fix, and Borodin has implied that this time, he is ready for Apple's rebuttal.