Hi,
How do you secure your IAPs from fraud? Is there any solution for Corona? Need some advice.
Thanks
In theory, each purchase includes a receipt. You can store that receipt on your own server and use it to look up purchases and see if they have been made before. On Android, they have a licensing feature that you can use that helps detect hacked apps.
Fighting fraud is one of those tasks that has no answer. If a hacker really wants to cheat you, they will find a way. I found this article with a Google search from GameAnalytics which talks about the problem and links to a tutorial on using server-based verification on purchases: https://gameanalytics.com/blog/how-to-detect-and-prevent-in-app-purchase-hacks.html
Rob
In the games where I use GameSparks, I use their “BuyGoodRequest” validation request. It is very easy to send the request, and this is what their documentation says:
Processes a transaction receipt from an App Store in app purchase.
The GameSparks platform will validate the receipt with Apple and process the response. The transaction_id in the response will be recorded and the request will be rejected if the transaction_id has previously been processed; this prevents replay attacks.
Once verified, the player's account will be credited with the Virtual Good or Virtual Currency the purchase contains.
So very similar to what Rob said. They also have the same API for Google and other providers.
Hi agramonte, thanks for advice
code:
-- Assumed to be initialised elsewhere in the app, as in the original post:
-- `store` is Corona's in-app purchase library and `gs` is the GameSparks SDK.

function transactionCallback( event )
    if event.transaction.state == "purchased" then
        -- Do not finish the transaction yet: wait for server-side validation
        sendToSparks( event.transaction )
        return true
    end
    store.finishTransaction( event.transaction )
end

function sendToSparks( transaction )
    local receipt = transaction.receipt      -- "INAPP_PURCHASE_DATA"
    local signature = transaction.signature  -- "INAPP_DATA_SIGNATURE"
    local requestBuilder = gs.getRequestBuilder()
    local accountInfoRequest = requestBuilder.createGooglePlayBuyGoodsRequest()
    accountInfoRequest:setSignature( signature )
    accountInfoRequest:setSignedData( receipt )
    accountInfoRequest:send( function( response )
        if response:hasErrors() then
            -- Validation failed: log the errors, do not credit the user
            for key, value in pairs( response:getErrors() ) do
                print( tostring( key ) .. " = " .. tostring( value ) )
            end
        else
            -- Validation passed: give the goods to the user, then finish
            store.finishTransaction( transaction )
        end
    end )
end
Support says:
setUniqueTransactionByPlayer means that, if set to true, once the receipt has been validated it can no longer be used.
If set to false, it can be validated more than once by different players if they managed to get access to a valid receipt.
I can't understand what I should set. Since I can't see the reason this option exists (to let a different player use the same receipt), doesn't it ruin detection?
I think for non-consumable items there should be a way to validate the receipt again. I don't allow that option because I use GameSparks for authentication: once they get an item it is stored in GameSparks, and I don't have any non-consumable you can buy directly from the store. You can buy a currency that you can use to buy things in GameSparks.
Did you add the virtual goods to GameSparks? I would open up a ticket with GameSparks; they usually answer fairly quickly.
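An added example (not from the thread, and not GameSparks or Corona code) of the server-side ledger that Rob and agramonte describe: each store transaction id is recorded and refused a second time, and a receipt whose productId is not in the virtual-goods catalogue is rejected, which is the "missed the goods" situation. The two settings of setUniqueTransactionByPlayer are modelled as an assumption: the strict setting keys the ledger on the order id alone, the weak setting on (player, order id), so a copied receipt credits a second player. Verifying the receipt with the store itself (Google Play's RSA signature over INAPP_PURCHASE_DATA, or Apple's receipt verification) is assumed to have already happened upstream, as GameSparks does; this block only shows the replay ledger. The receipt, product names and player names are constructed.

```python
"""Server-side IAP replay ledger (constructed example, not GameSparks code)."""
import json

PURCHASED = 0  # Google Play purchaseState value for a completed purchase

# Constructed catalogue of virtual goods: productId -> coins credited.
# A receipt for a product that is not listed here is rejected.
CATALOG = {"coins_100": 100, "coins_1000": 1000}


def make_receipt(order_id, product_id, state=PURCHASED):
    """Build a constructed INAPP_PURCHASE_DATA-style JSON string."""
    return json.dumps({"orderId": order_id, "productId": product_id,
                       "purchaseState": state, "purchaseToken": "constructed-token"})


class ReceiptLedger:
    def __init__(self, unique_transaction_by_player=True):
        self.unique_transaction_by_player = unique_transaction_by_player
        self.redeemed = {}  # ledger key -> player that redeemed it
        self.balances = {}  # player -> coins

    def _key(self, player, order_id):
        # Strict mode: the order id alone is the key, so nobody can reuse it.
        # Weak mode (assumption, modelling the support text): the key is
        # (player, order id), so another player holding a copy of the
        # receipt is credited again.
        if self.unique_transaction_by_player:
            return order_id
        return (player, order_id)

    def redeem(self, player, signed_data):
        """Credit player for a validated receipt; return (status, balance)."""
        balance = self.balances.get(player, 0)
        try:
            data = json.loads(signed_data)
        except ValueError:
            return "rejected: malformed receipt", balance
        for field in ("orderId", "productId", "purchaseState"):
            if field not in data:
                return "rejected: missing " + field, balance
        if data["purchaseState"] != PURCHASED:
            return "rejected: not purchased", balance
        amount = CATALOG.get(data["productId"])
        if amount is None:
            return "rejected: unknown product", balance
        key = self._key(player, data["orderId"])
        if key in self.redeemed:
            return "rejected: replay", balance
        self.redeemed[key] = player
        self.balances[player] = balance + amount
        return "credited", self.balances[player]


def demo():
    """Replay the same receipt from two accounts under both settings."""
    receipt = make_receipt("GPA.0000-0000-0000-00000", "coins_100")  # constructed
    strict = ReceiptLedger(unique_transaction_by_player=True)
    weak = ReceiptLedger(unique_transaction_by_player=False)
    return {
        "strict": [strict.redeem("alice", receipt)[0], strict.redeem("mallory", receipt)[0]],
        "weak": [weak.redeem("alice", receipt)[0], weak.redeem("mallory", receipt)[0]],
    }


if __name__ == "__main__":
    print(demo())
```

The strict ledger credits the first redemption and rejects the copy as a replay; the weak ledger credits both accounts, which is the behaviour the support description warns about. Re-validation for restoring a non-consumable is better handled by checking the player's stored entitlement than by letting the same order id be credited again.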
Just don’t bother… let them hack…
I ban all users that purchase my top IAP (which is a kinda honeypot).
++, missed the goods. Works now, thanks again
So fun if true