iOS in-app purchase protection against crackers using a server

Today I’ll talk about how to protect in-app purchases in iOS games using your own server. Almost every company that ships a product cares about the security of its applications and tries to protect them from cracking as much as possible. The company I work for is one of them.

At the moment our game is in soft launch in Spain. I am a server-side developer, and verifying in-app purchases in the game our company is developing fell on my shoulders.

All purchases in the game are confirmed by my server. It works as follows. A user buys our in-game currency, and the smartphone receives a JSON with all the purchase data from Apple's purchase server. The smartphone then sends this JSON to our server, where some fields are checked, and it is forwarded to Apple's verification server to confirm that everything is fine. If it is, Apple returns a JSON with a lot of information about the purchase. According to the documentation on Apple's website, we only need to check the status field in that JSON: if it is 0, the purchase is genuine and we credit the user with our currency. I did not invent anything new and simply followed this documentation.

During the soft launch, the statistics showed that one user had bought $400 worth of our currency in the game. We were not very happy about this, because we saw that those purchases came from a jailbroken smartphone. Looking at all the data that the user’s device sent to our server, we found that it was identical for every purchase. After some searching on the Internet we came across the LocalIAPStore Cydia tweak for jailbroken iOS. It works as follows. When the user makes an in-app purchase in the game, LocalIAPStore intercepts the data, replaces it with its own, and returns a callback to the game saying that the purchase has completed. That data then reaches our server and is forwarded to Apple, and Apple's verification server responds with status 0.

Therefore, to prevent this, first of all check the original_transaction_id field: it is unique, so if you find the same value for this field already in your database, it is fraud. But sometimes this is not enough. For a full check, after you receive the response JSON from Apple's verification server, also compare the bid field with your bundle id and verify the product_id field.
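The server-side checks described above, as an added example that is not the author's own code: it validates Apple's response beyond the status field, rejecting a foreign bundle id, an unknown product id and a repeated original_transaction_id. The bundle id, product list and sample response values are constructed assumptions; the in-memory set stands in for a unique index in the database.

```python
import json

EXPECTED_BUNDLE_ID = "com.example.game"  # assumption: our app's bundle id
# assumption: the products we actually sell, mapped to the currency they grant
KNOWN_PRODUCTS = {"com.example.game.coins_100": 100,
                  "com.example.game.coins_500": 500}


def sample_apple_response(**overrides):
    """Constructed stand-in for the JSON Apple's verification server returns
    (legacy receipt layout: status, bid, product_id, original_transaction_id)."""
    receipt = {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins_100",
        "original_transaction_id": "1000000123456789",
        "transaction_id": "1000000123456789",
    }
    receipt.update(overrides)
    return json.dumps({"status": 0, "receipt": receipt})


class PurchaseVerifier:
    """Decides whether a verified receipt may be credited to the user."""

    def __init__(self, bundle_id, products):
        self.bundle_id = bundle_id
        self.products = products
        self.seen_original_ids = set()  # stands in for a DB unique index

    def verify(self, apple_response_json):
        """Return (ok, reason, coins); credit the user only when ok is True."""
        data = json.loads(apple_response_json)
        if data.get("status") != 0:  # the check Apple's docs ask for
            return False, "apple_status_%s" % data.get("status"), 0
        receipt = data.get("receipt") or {}
        # Check 1: the receipt must belong to our app, not another one.
        if receipt.get("bid") != self.bundle_id:
            return False, "bundle_id_mismatch", 0
        # Check 2: the product must be one we really sell.
        product = receipt.get("product_id")
        if product not in self.products:
            return False, "unknown_product", 0
        # Check 3: original_transaction_id is unique; a repeat means replayed data.
        orig = receipt.get("original_transaction_id")
        if not orig or orig in self.seen_original_ids:
            return False, "duplicate_original_transaction_id", 0
        self.seen_original_ids.add(orig)
        return True, "ok", self.products[product]
```

For auto-renewable subscriptions original_transaction_id legitimately repeats across renewals, so there the uniqueness check belongs on transaction_id instead.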

I hope you find this information helpful. I look forward to your comments and suggestions.
