z8000

Reputation: 3655

How to defend against IAP Cracker for "consumable" purchases?

I just learned about the existence of IAP Cracker and I'm trying to figure out the best way to validate IAP purchases in my app.

What I cannot find out is if IAP Cracker works with "consumable" purchases. If not, I have nothing to worry about.

Here's one take on safeguarding/validating all purchases.

http://www.binpress.com/app/inapp-purchase-verification/633#description

Thanks for any insights!

Upvotes: 1

Views: 2028

Answers (2)

BinaryBazooka

Reputation: 280

I'd suggest having your remote server both communicate and store the data. So when you do your call via the client make sure to send the info to the remote server, the client then receives its callback saying "yes purchase made it". Now when the user actually tries to use the purchase they must make a call to your remote server where it verifies whether or not the data coming in is actually available or not.

So say the user purchases "10 coins" your client sends the "I need validation" to your server, your server then sends its message to Apple and gets its response (in this case let's say it's a 'good to go' response). Your server then stores "10 coins" for user "*" in its database and returns a "10 coins purchased" back to the client. The user then uses 10 coins to make a purchase in game which sends another message to your remote server, the remote server checks the db and sees if the user has the coins available and acts accordingly.

Reason this is safe: User has 0 coins and 'fakes' a message saying they want to buy your item and 'place' 60 coins in the message. When the remote server gets the message it checks the value used (60) against its database and sees the user doesn't have 60 coins, it then fails the message.

So maintain all your data on the remote server and have the client do web calls to access what/how much the user has. This way the user can change their data on the client all they want but it doesn't matter because the remote server won't match with the data and will error out on their trickery.

Upvotes: 1
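The server-side ledger flow described in this answer, as an added example that is not part of the original post: the call to Apple is replaced by an injected stand-in `verify` callable so it runs offline, the product ids, receipt bytes and transaction ids are constructed, and each transaction id is credited only once so a replayed receipt cannot grant the same consumable twice.

```python
# Added example (not from the original answer): a minimal server-side coin
# ledger for consumable purchases. The real Apple receipt check is replaced
# by an injected `verify` callable so the example runs offline.
from dataclasses import dataclass, field

# Coins granted per product id; constructed values for the example.
PRODUCT_COINS = {"com.example.coins10": 10, "com.example.coins50": 50}


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    seen_transactions: set = field(default_factory=set)

    def credit_from_receipt(self, user, receipt, verify):
        """Ask the verifier (stand-in for Apple) what the receipt contains and
        credit coins server-side. Each transaction id is credited once, so a
        replayed receipt does not grant the same consumable again."""
        purchases = verify(receipt)  # list of (transaction_id, product_id)
        granted = 0
        for tx_id, product_id in purchases:
            if tx_id in self.seen_transactions or product_id not in PRODUCT_COINS:
                continue
            self.seen_transactions.add(tx_id)
            granted += PRODUCT_COINS[product_id]
        self.balances[user] = self.balances.get(user, 0) + granted
        return granted

    def spend(self, user, amount):
        """The client-supplied amount is checked only against the server's
        own record; a client claiming more coins than it holds is refused."""
        if amount <= 0 or self.balances.get(user, 0) < amount:
            return False
        self.balances[user] -= amount
        return True


def fake_verify(receipt):
    """Constructed stand-in for the Apple receipt check: accepts one
    known-good opaque receipt and reports its single transaction."""
    if receipt == b"valid-receipt-A":
        return [("tx-1001", "com.example.coins10")]
    return []  # invalid or tampered receipt -> nothing to credit
```

The spend check is the point of the answer: the 60-coin message from a user holding 10 coins fails because the server, not the client, is the source of truth.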

C0deH4cker

Reputation: 4075

I looked at that link you showed, but if I were you, I wouldn't trust that. That method could be easily bypassed by anybody who knows reverse engineering and development. Anybody could easily write a hack for that which automatically gives you the content for free.

I do not know of a secure way to validate in-app purchases because I haven't used them, but keep this in mind: no matter how secure you make it, a determined hacker will be able to bypass it.

Upvotes: 4
