How to protect in-app purchase from scrapers
Until recently, inApp Purchase was a fairly reliable mechanism for protection against hacking applications. If the developer wanted his application to not fall into the list of broken lines - he simply released it free with sales inside. The circuit worked. But after the appearance in Cydia 'iAP Cracker' - the situation has changed.
Under the cat described method, how can you legally get around these lohmalki.
I thought about protection inApp Purchase against hacking after seeing the statistics of my IQ pro application. It is built on a freemium model. In my statistics, I saw a huge number of sales - and in the statistics from Apple, the numbers were completely different (much less). Then I did not follow what lokomiki happen. But when, in a review, people started to write that “use 'iAP Cracker'”, everything became clear.
The protection method described below uses a mechanism that Apple recommends when selling, followed by checking and downloading data from your server. In fact, I transferred the test of the ticket from the remote server to the application itself.
MKStoreKit is used as a library for inApp Purchase.
Steps:
1. In MKStoreManager.h - we include #define SERVER_PRODUCT_MODEL 1
2. Original - (BOOL) verifyReceipt - replace with:
')
3. Add a JSON library to your project (http://code.google.com/p/json-framework)
4. Everything :-)
What's happening:
After receiving the receipt - it is sent again to the Apple server for verification, and by answer you can already determine everything you need.
PS The method does not claim to be the "best". If you, colleagues have comments and more ideas about this - write.
Under the cat described method, how can you legally get around these lohmalki.
I thought about protection inApp Purchase against hacking after seeing the statistics of my IQ pro application. It is built on a freemium model. In my statistics, I saw a huge number of sales - and in the statistics from Apple, the numbers were completely different (much less). Then I did not follow what lokomiki happen. But when, in a review, people started to write that “use 'iAP Cracker'”, everything became clear.
The protection method described below uses a mechanism that Apple recommends when selling, followed by checking and downloading data from your server. In fact, I transferred the test of the ticket from the remote server to the application itself.
MKStoreKit is used as a library for inApp Purchase.
Steps:
1. In MKStoreManager.h - we include #define SERVER_PRODUCT_MODEL 1
2. Original - (BOOL) verifyReceipt - replace with:
')
- (BOOL)verifyReceipt:(NSData*)receiptData { //NSString *urlsting = @"https://sandbox.itunes.apple.com/verifyReceipt"; NSString *urlsting = @"https://buy.itunes.apple.com/verifyReceipt"; NSURL *url = [NSURL URLWithString:urlsting]; NSMutableURLRequest *theRequest = [NSMutableURLRequest requestWithURL:url]; NSString *st = [receiptData base64EncodingWithLineLength:[receiptData length]]; NSString *json = [NSString stringWithFormat:@"{\"receipt-data\":\"%@\"}", st]; [theRequest setHTTPBody:[json dataUsingEncoding:NSUTF8StringEncoding]]; [theRequest setHTTPMethod:@"POST"]; [theRequest setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"Content-Type"]; NSString *length = [NSString stringWithFormat:@"%d", [json length]]; [theRequest setValue:length forHTTPHeaderField:@"Content-Length"]; NSHTTPURLResponse* urlResponse = nil; NSError *error = [[NSError alloc] init]; NSData *responseData = [NSURLConnection sendSynchronousRequest:theRequest returningResponse:&urlResponse error:&error]; NSString *responseString = [[NSString alloc] initWithData:responseData encoding:NSUTF8StringEncoding]; NSDictionary *dic = [responseString JSONValue]; NSInteger status = [[dic objectForKey:@"status"] intValue]; BOOL retVal = NO; if (status == 0) { retVal = YES; } return retVal; } 3. Add a JSON library to your project (http://code.google.com/p/json-framework)
4. Everything :-)
What's happening:
After receiving the receipt - it is sent again to the Apple server for verification, and by answer you can already determine everything you need.
PS The method does not claim to be the "best". If you, colleagues have comments and more ideas about this - write.
Source: https://habr.com/ru/post/143738/
All Articles