Today I will talk about how to protect in-app purchases in iOS games using your own server. Almost every company that ships a product cares about the security of its applications and tries to protect them from hacking as much as possible. The company I work for is one of them.
At the moment our soft launch is running in Spain. I am a server-side developer, and the job of verifying in-app purchases in the game our company developed fell on my shoulders.
All purchases in the game are confirmed by my server. It works as follows. The user buys our in-game currency, and the smartphone receives the purchase data (the receipt) from Apple's purchase server. The app forwards that data as JSON to our server, where some fields are checked and the receipt is sent on to Apple's verification server to confirm that everything is in order. If it is, Apple answers with JSON containing a lot of information about the purchase. According to the documentation on Apple's website, we only need to check the status field of that JSON: if it is 0, the purchase is genuine and we credit the user with our currency. I did not invent anything new and simply followed that documentation.
During the soft launch, our statistics showed that one user had bought $400 worth of our in-game currency. We were not very happy about it, though, because we saw that the purchases came from a jailbroken smartphone. After looking at all the data the user's device had sent to our server, we found that every purchase carried exactly the same data. A little searching on the Internet led us to a thing called
LocalIAPStore, a Cydia tweak for jailbroken iOS. It works as follows. When the user makes an in-app purchase in the game, LocalIAPStore intercepts the purchase, substitutes its own data, and returns a callback to the game saying the purchase completed. That substituted data then reaches our server and is forwarded to Apple, and Apple's verification server answers with status 0.
To prevent this, first check the original_transaction_id field. It is unique per purchase, so if you find the same value already in your database, the receipt is being replayed and it is fraud. (Restoring a non-consumable purchase yields a new transaction_id but the same original_transaction_id, so treat a repeated original_transaction_id as fraud for consumables such as currency packs, not for restores of non-consumables.) This alone is sometimes not enough. For a complete check, once you receive the JSON response from Apple's verification server, also compare the bid field with your own bundle id, and check that product_id is one of your products and the one the client claims to have bought. A status of 0 only says that Apple recognises the receipt as genuine; it does not say that the receipt belongs to your app, names one of your products, or has not been credited before, and that is exactly the gap a replayed receipt exploits.
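To make the checks concrete, here is an added example (my own illustration, not code from the original post or from the author's server) of a server-side verification routine in Python 3. It assumes a hypothetical bundle id com.example.mygame and two hypothetical currency products, models the database of credited transactions as an in-memory set, and feeds the check constructed sample answers in the shape of Apple's verifyReceipt JSON (the legacy flat receipt object with bid, product_id and original_transaction_id, as the post describes; newer receipts put bundle_id and an in_app array under receipt instead, and the same four checks apply to each in_app entry). The send_to_apple function shows the actual request to Apple's endpoint, including the retry against the sandbox host on status 21007, but it is not called in the offline demo.

```python
import json
import urllib.request

# Apple's receipt verification endpoints (production and sandbox).
VERIFY_URL_PROD = "https://buy.itunes.apple.com/verifyReceipt"
VERIFY_URL_SANDBOX = "https://sandbox.itunes.apple.com/verifyReceipt"

# Assumed values for this example: the game's bundle id and its currency packs
# (product id -> amount of in-game currency to credit).
OUR_BUNDLE_ID = "com.example.mygame"
OUR_PRODUCTS = {
    "com.example.mygame.coins100": 100,
    "com.example.mygame.coins550": 550,
}


def send_to_apple(receipt_b64, url=VERIFY_URL_PROD):
    """Forward the client's base64 receipt to Apple; returns the parsed JSON (network call)."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    # Status 21007 means a sandbox receipt was sent to production: retry against sandbox.
    if result.get("status") == 21007 and url == VERIFY_URL_PROD:
        return send_to_apple(receipt_b64, VERIFY_URL_SANDBOX)
    return result


def check_apple_response(apple_json, claimed_product_id, seen_transactions):
    """Return (amount_to_credit, reason); amount is 0 when the purchase is rejected.

    seen_transactions is the set of original_transaction_id values already credited
    (in production: a database table with a uniqueness constraint on that column).
    """
    # 1. status != 0: Apple itself does not accept the receipt.
    if apple_json.get("status") != 0:
        return 0, "apple status %s" % apple_json.get("status")

    receipt = apple_json.get("receipt") or {}

    # 2. bid: a genuine receipt for somebody else's app must not credit our users.
    if receipt.get("bid") != OUR_BUNDLE_ID:
        return 0, "bundle id mismatch: %r" % receipt.get("bid")

    # 3. product_id: must be one of ours, and the one the client claims it bought.
    product_id = receipt.get("product_id")
    if product_id not in OUR_PRODUCTS:
        return 0, "unknown product: %r" % product_id
    if product_id != claimed_product_id:
        return 0, "client claimed %r but receipt is for %r" % (claimed_product_id, product_id)

    # 4. original_transaction_id: fresh for every consumable purchase; a repeat is a replay.
    tx = receipt.get("original_transaction_id")
    if not tx:
        return 0, "receipt has no original_transaction_id"
    if tx in seen_transactions:
        return 0, "replayed transaction %s" % tx

    seen_transactions.add(tx)
    return OUR_PRODUCTS[product_id], "ok"


# Constructed sample answers in the shape of Apple's verifyReceipt JSON (legacy
# transaction-receipt format with a flat "receipt" object). Not real receipts.
GENUINE = {
    "status": 0,
    "receipt": {
        "bid": "com.example.mygame",
        "product_id": "com.example.mygame.coins550",
        "original_transaction_id": "1000000123456789",
    },
}

# A genuine Apple receipt for a different app, replayed into our purchase flow.
OTHER_APP = {
    "status": 0,
    "receipt": {
        "bid": "com.example.someothergame",
        "product_id": "com.example.someothergame.gems",
        "original_transaction_id": "1000000987654321",
    },
}

REJECTED_BY_APPLE = {"status": 21002}  # Apple: receipt data malformed


def demo():
    """Run four cases in order: genuine, the same receipt again, foreign app, rejected."""
    seen = set()
    claimed = "com.example.mygame.coins550"
    return [
        check_apple_response(GENUINE, claimed, seen),
        check_apple_response(GENUINE, claimed, seen),
        check_apple_response(OTHER_APP, claimed, seen),
        check_apple_response(REJECTED_BY_APPLE, claimed, seen),
    ]


if __name__ == "__main__":
    for amount, reason in demo():
        print(amount, reason)
```

Only the first call credits anything; the second is caught as a replay of an already-credited original_transaction_id, the third fails the bid comparison even though Apple returned status 0 for it, and the fourth never gets past the status check. The order of the checks matters only for the error message: any one of them failing must stop the credit.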
I hope you find this information helpful. I look forward to your comments and suggestions.