IAP, local content unlocked, Basic Security?

I don’t have access to NSUserDefaults. I was wondering what people thought about basic security for IAP.

I know it's better to spend your time on app development than securing an app; I am kind of looking for a basic 5 minute solution.

I know how to verify the receipts of my server; I am not going to do this because this app has all the content built in.
challenge: Basic security for iap local content
I was going to use something like this pseudo code:

```lua
-- Pseudo code: encrypt() and UDID are placeholders, not real API calls.
function appUnlockedSave()
    local appUnlocked = encrypt(UDID .. 'mySecret')
    local wfilePath = system.pathForFile('appUnlocked', system.DocumentsDirectory)
    local wfh = io.open(wfilePath, "wb")
    if wfh then
        wfh:write(appUnlocked)
        wfh:close()
    end
end

function appUnlockedCheck()
    local rfilePath = system.pathForFile('appUnlocked', system.DocumentsDirectory)
    local rfh = io.open(rfilePath, "rb")
    if not rfh then return end  -- no unlock file written yet
    local data = rfh:read("*a")
    rfh:close()
    if data == encrypt(UDID .. 'mySecret') then
        gameIsUnlocked = true
    end
end
```

However, Apple is rejecting apps accessing UDID, and it doesn’t seem that I can get the MAC address of devices.

Any other ideas would be great to hear :)

I have been thinking about the same basic idea. My plan was to wait for Ansca to roll out openUDID, Mac address, or whatever solution they choose.

A possible downside is that you artificially restrict IAP beyond Apple's terms. If they buy something on a legitimate iTunes account it should be available on all their devices including new ones.

The restore purchase function has to work.

I think you’re on the right track. You need something unique to the user yet deterministic, salted with your own password. That’s exactly what I’ve done in one of my apps to authenticate an unlock for some IAP content. The UDID in this case is the easy solution, but it’s on the outs.

What about the transaction identifier from the purchase? It should be unique to the user and deterministic since you can recover it in a restore operation. I may check that out as a UDID replacement.


What about generating a semi-UDID code using system.getInfo “name”, “model” and “architectureInfo”? Not exactly unique, but it could be enough…

@toby2

"A possible downside is that you artificially restrict IAP beyond Apple's terms. If they buy something on a legitimate iTunes account it should be available on all their devices including new ones."

Never thought about that. I will definitely do some testing with multiple devices when I have a solution.

@toby2

I think with the transaction ID you would still need something unique to the device; on a jail-broken device they could just copy all the directories over. I will put more thought into it, because I think mixing something with the receipt is a good idea.

@shedder

I think that’s a great idea, quick and easy to do.

Thanks all for the input.

The restore function could still be used: when Apple's servers say the user has bought the item, you can call appUnlockedSave().

Reading about Apple's issue with UDID, it seems to me that Apple doesn’t want users to be tracked by companies between different apps, for privacy reasons.
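
The transaction-identifier idea and the restore suggestion from this thread, combined as an added example that is not code from any poster. It assumes Corona's `crypto.hmac`; `APP_SECRET`, the two-line file layout and the sample identifier are made up for illustration.

```lua
-- Added example, not from the thread. Assumes Corona's crypto library.
local crypto = require("crypto")

local APP_SECRET = "replace-with-your-own-secret"  -- placeholder; ships inside the app
local UNLOCK_FILE = "appUnlocked"                  -- same file name as the pseudo code

-- Keyed hash of the purchase's transaction identifier.
local function unlockTag(transactionId)
    return crypto.hmac(crypto.sha256, transactionId, APP_SECRET)
end

-- Call from the store listener for both "purchased" and "restored" transactions,
-- so a restore on a new device writes a fresh unlock file.
local function appUnlockedSave(transactionId)
    local path = system.pathForFile(UNLOCK_FILE, system.DocumentsDirectory)
    local fh = io.open(path, "wb")
    if not fh then return false end
    fh:write(transactionId, "\n", unlockTag(transactionId))
    fh:close()
    return true
end

-- Returns true only if the stored tag matches the stored identifier.
local function appUnlockedCheck()
    local path = system.pathForFile(UNLOCK_FILE, system.DocumentsDirectory)
    local fh = path and io.open(path, "rb")
    if not fh then return false end              -- never purchased, or file deleted
    local data = fh:read("*a")
    fh:close()
    local transactionId, tag = data:match("^([^\n]+)\n(%x+)$")
    if not transactionId then return false end   -- truncated or hand-edited file
    return tag == unlockTag(transactionId)
end

-- Constructed sample value standing in for event.transaction.identifier.
appUnlockedSave("1000000012345678")
print(appUnlockedCheck())
```

As noted in the thread, this catches an edited or forged file but not one copied wholesale from another device, and the secret can be recovered from the app itself.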