Getting in-app purchase scammers

I created an app and I have been scammed out of a lot of digital goods ("coins") in the first 3 days. Talking to my fulfillment support, they have said:


"If you do not verify the purchases on your server with Apple prior to adding coins, it's 100% easy to hack the app and get coins."


So my question is: How do I ensure that my in-app purchases are verified with Apple or my server before awarding the coins to the user? I assumed they were verified with Apple when I set up the in-app purchases with them, but they obviously aren't, because these people are getting as many coins as they want, which has already cost me over $200 in losses.


Someone please let me know how to not award digital coins or 'goods' before the purchase is authenticated and legitimate with Apple. This is my first app and I had no idea people could scam in-app purchases.

Replies

Unfortunately, this is not a simple task, depending on how rigorous and tamper-proof you want your validation to be.


Here is the documentation for validating App Store receipts to determine whether the in-app purchase is genuine, which should get you started:


https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Introduction.html

Thanks. The problem was replicated by a source and this is what they found:

No, all you have to do is jailbreak the phone and get a free in-app purchases plugin, and then you can get anything free that's not server-verified before adding the purchase to the user account.

My question is: Does EVERY app developer learn this the hard way like I am?! And WHY isn't every in-app purchase server-verified by Apple? Why do I have to go out of my way to solve this problem? This should be standard from Apple.

There are a few things you can do to make it more difficult to crack.


First, in updatedTransactions you can verify that the purchase has the correct productIdentifier. This requires that the cracker send an app-specific transaction into your paymentQueue:updatedTransactions: method.


Second, you can verify the receipt using one of the following techniques:

a) on-board decoding using OpenSSL (too hard for me)

b) send the receipt to your server and have your server send it to the Apple servers for verification

c) send the receipt from the app to the Apple servers for verification. This is 'easy' to do but can be cracked using a complex 'man-in-the-middle' hack.

Thanks --


All in all, I just can't believe what a piece of **** Apple really is. Thousands upon thousands of apps are getting scammed out of digital goods every day (which correlates directly to real money for us and several others) and their response is just "go figure it out yourself, here is some documentation". This is like PayPal not securing their transfers and you being able to buy things online and get free eCommerce. For this big of a company to just 'let developers' figure out how to secure their apps makes me lose so much respect for them. *** you, Apple.

I think the problem isn't Apple in this case.


From one of your own posts:

No, all you have to do is jailbreak the phone and get a free in-app purchases
plugin, and then you can get anything free
that's not server-verified before adding the purchase to the user account.


If a phone is jailbroken, you can request a purchase in an app. Now, on a jailbroken phone, you have installed an app which, when a purchase is requested, doesn't send it to Apple, and instead sends your app an OK.


I understand the problem here is the jailbreak itself. Apple tries to avoid it, but there are a lot of people who try to maintain it.


There are a lot of people who are scammed every day because of jailbreaking, in the form of downloads of the app without payment, or in-app purchases without payment. In the first case, you cannot verify, because, if an app doesn't need a server to work, the app can open and work correctly even if it's downloaded from a ***** repository.


Also, I don't know how you can verify the app purchase itself; I think that is more difficult than verifying an in-app purchase.


But, in the end, this is your problem and the most important thing for your business. If you have an online store, you don't send the product until you verify payment. In a physical store, you cannot walk out with your purchase if you don't go to the cashier and pay for it. That's the same. You need to verify the user has a good proof of purchase before getting the cash, and also you need to maintain a list of receipt IDs on your side, because, if you don't have it, some player can try to redeem the same ticket many times.


Apple can do it better, but the real problem, as I've said before, is the jailbreak. That is what is killing developers, not Apple.

Actually, jailbreaking alone won't work if you simply check a few simple things.


1) always check the productIdentifier - very easy to do.

2) take the time to verify the receipt with Apple's servers, it's very hard to get around that

3) use your own server to verify the receipt - this is certain protection

4) figure out how to decode the receipt on the device


And remember, very few of these thefts are actually lost sales. Users with jailbroken phones don't pay for IAPs. So all you are 'out' is the cost of providing the IAP to such users and that is usually $0.
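An added example, not code from this thread or from Apple, of what option b) in the earlier reply (the same server-side check recommended as items 2 and 3 above, with the "list of receipt IDs" the previous reply asks for) looks like on the server: post the receipt to Apple's verifyReceipt endpoint, retry against the sandbox endpoint on status 21007, and only then credit coins, after checking the bundle_id, the product_id and a server-side ledger of already-redeemed transaction_ids so that a genuine receipt cannot be replayed for more coins. The bundle and product identifiers, the `post_json` transport hook and the constructed `fake_apple_reply` used to run it offline are assumptions of this example, not anything the thread names. Apple has since deprecated verifyReceipt in favour of the App Store Server API and signed transactions, but the four checks (Apple says yes, right app, right product, not seen before) carry over unchanged.

```python
import json
import urllib.request

# Apple's receipt verification endpoints (the scheme the replies above describe).
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007  # a sandbox receipt was sent to the production endpoint

# Assumed identifiers for this example's hypothetical coin app.
EXPECTED_BUNDLE_ID = "com.example.coingame"
COIN_PRODUCTS = {
    "com.example.coingame.coins100": 100,
    "com.example.coingame.coins500": 500,
}


def post_json(url, body):
    """Real transport: POST a JSON body to Apple and parse the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def verify_receipt(receipt_b64, shared_secret, post=post_json):
    """Ask Apple whether the base64 receipt is genuine.

    Production is tried first; 21007 means "that is a sandbox receipt",
    which also happens during App Review, so retry against the sandbox.
    """
    body = {"receipt-data": receipt_b64, "password": shared_secret}
    reply = post(PRODUCTION_URL, body)
    if reply.get("status") == STATUS_SANDBOX_RECEIPT:
        reply = post(SANDBOX_URL, body)
    return reply


def award_coins(receipt_b64, shared_secret, claimed_product, ledger, post=post_json):
    """Decide how many coins to credit for this receipt. Returns (coins, reason).

    `ledger` is the server-side set of transaction_ids already redeemed;
    it is what stops a genuine receipt from being replayed for more coins.
    Nothing is credited on the client's word alone.
    """
    reply = verify_receipt(receipt_b64, shared_secret, post)
    if reply.get("status") != STATUS_OK:
        return 0, "apple rejected receipt: status %s" % reply.get("status")

    receipt = reply.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return 0, "receipt belongs to another app"

    coins = 0
    # A receipt lists every in-app purchase ever made on that account; credit
    # only the transactions for the product the client claims, and only once each.
    for txn in receipt.get("in_app", []):
        product_id = txn.get("product_id")
        transaction_id = txn.get("transaction_id")
        if product_id != claimed_product or product_id not in COIN_PRODUCTS:
            continue
        if transaction_id is None or transaction_id in ledger:
            continue  # already redeemed (or malformed): treat as a replay
        ledger.add(transaction_id)
        coins += COIN_PRODUCTS[product_id] * int(txn.get("quantity", 1))

    if coins == 0:
        return 0, "no unredeemed purchase of that product in receipt"
    return coins, "ok"


# --- constructed offline stand-in for Apple, used only to demonstrate the flow ---
def fake_apple_reply(url, body):
    """Constructed reply shaped like Apple's JSON; not a real Apple response."""
    if "receipt-data" not in body:
        return {"status": 21002}  # malformed request
    if url == PRODUCTION_URL:
        return {"status": STATUS_SANDBOX_RECEIPT}  # force the sandbox retry path
    return {
        "status": STATUS_OK,
        "receipt": {
            "bundle_id": EXPECTED_BUNDLE_ID,
            "in_app": [
                {"product_id": "com.example.coingame.coins100",
                 "transaction_id": "1000000000000001", "quantity": "1"},
                {"product_id": "com.example.coingame.coins500",
                 "transaction_id": "1000000000000002", "quantity": "2"},
            ],
        },
    }


def demo():
    """Run the flow offline: the first redemption credits, the replay does not."""
    ledger = set()
    first = award_coins("<base64 receipt>", "<shared secret>",
                        "com.example.coingame.coins500", ledger, post=fake_apple_reply)
    replay = award_coins("<base64 receipt>", "<shared secret>",
                         "com.example.coingame.coins500", ledger, post=fake_apple_reply)
    return first, replay


if __name__ == "__main__":
    print(demo())  # ((1000, 'ok'), (0, 'no unredeemed purchase of that product in receipt'))
```

The ledger must live in the server's database, keyed on Apple's transaction_id, and the credit and the ledger insert should happen in one transaction; a jailbroken device can fake the StoreKit callback, but it cannot produce a receipt that Apple's endpoint accepts for your bundle_id.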

Apple designed the IAP system wrong.


The verify URL (which Apple offers) should return a secret string (that only our app knows how to decode and check), not just return Yes/No (0, 21000, 21002... etc.).


Let our app and the App Store system have the same key.

So our app can just verify the secret hash value from the App Store after finishing the IAP payment.

See... It's easy

I agree and have suggested this over and over again.

But appeals on this forum go only to other developers.

Join me and submit an enhancement request to <https://developer.apple.com/bug-reporting>.


By the way, after much work I managed to find a build of OpenSSL (I was unable to build my own) and I decoded the onboard receipt (see: https://forums.developer.apple.com/thread/18670 ). The onboard receipt uses a hash of the identifierForVendor as a shared secret.