I have just found that there is software which enables pirating (cracking) the in-app purchase on iOS.
Did you guys know about it?
What can be done?
Regards,
Damir. [import]uid: 108334 topic_id: 30371 reply_id: 330371[/import]
I would like to know that as well.
I have an app where I log every purchase on an external server.
It is a simple “ping” to my server every time the transaction complete callback is called.
I log whether it's a purchase or a restore event.
In my server log, I can see ~60 purchases every day, but iTunes Connect reports only ~10.
That means ~50 purchases are made without payment every day.
It blows my mind that so many should be hacking the in-apps, but what is your experience?
In my log I can't see the difference between a buy and a free re-buy, but I can't believe so many should be re-buying all the time.
/Tommy
[import]uid: 128204 topic_id: 30371 reply_id: 121654[/import]
What about using the RESTORE to verify the purchase?
I wanted to implement it but then read somewhere here that this is not allowed.
Today I found this link:
In-App Purchase Receipt Validation on iOS
If I understood it right, Apple is suggesting using the RESTORE to verify the purchase.
Thoughts?
[import]uid: 108334 topic_id: 30371 reply_id: 121655[/import]
"If your app connects to the App Store server directly from the device, your app may be affected by this vulnerability. You can address this vulnerability as follows:
Check that the SSL certificate used to connect to the App Store server is an EV certificate.
Check that the information returned from validation matches the information in the SKPayment object.
Check that the receipt has a valid signature.
Check that new transactions have a unique transaction ID."
How can we do that in Corona? [import]uid: 90610 topic_id: 30371 reply_id: 121707[/import]
You can get various pieces of information from the event.transaction.
event.transaction.receipt and
event.transaction.originalReceipt
I think are JSON blobs that contain a bunch of information Apple considers relevant for verifying receipts.
However, to really make all this truly work securely, you need to have your own 3rd party server to cross-reference and verify purchases. And with a 3rd party server, you can also host and do downloads on-demand so people with jailbroken phones can’t circumvent your measures.
Apple diagrams the set up you need here:
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/APIOverview/OverviewoftheStoreKitAPI.html#//apple_ref/doc/uid/TP40008267-CH100-SW14
This is not a trivial task and requires server setup which is outside the scope of Corona.
[import]uid: 7563 topic_id: 30371 reply_id: 121813[/import]
On the other hand, we simply could ignore it. I mean, those who jailbreak or install that iAP crack will probably never spend real money anyway.
And, as far as I know, iOS6 should fix the issue? [import]uid: 90610 topic_id: 30371 reply_id: 121814[/import]
Has anyone implemented any kind of anti-piracy in their code?
[import]uid: 108334 topic_id: 30371 reply_id: 122298[/import]
I am surprised how little interest is shown here about this subject!
Anyway, I have managed to create the verify.php on my server which handles the verify process.
Everything works except that I always get “Invalid receipt” exception from Apple.
I have browsed the net and I am suspecting the base64 encoding is the problem.
I have tried 4 different “kinds” of base64:
a) the PHP one
b) the one in sockets library
c) two I found here made by Corona members
No luck.
Does anyone know which base64 encoding should be used that matches the one used by Apple?
(There is a solution in Xcode, but for now I would like to avoid rewriting it from Xcode to Lua.)
Regards,
Damir. [import]uid: 108334 topic_id: 30371 reply_id: 123011[/import]
I agree piracy is a huge issue and probably impossible to prevent. I think you can only attempt to “make it harder” to hack. Most of us probably won’t develop an app that a hacker would take the time to target for a time-consuming code-level hack. I believe if you use the IAP server verification you will deter most “universal” cracks/hacks out there. It is also possible to take the IAP verification further by storing information from the receipt and verifying it against new IAPs. If it matches, the hack is using the same receipt over again.
I was able to use Satheesh’s IAP code with the base 64 included in the GitHub download to get the IAP verification to work. If you haven’t, download the GitHub repo and take a look there. The PHP code doesn’t work as is; there is, or at least used to be, an echo $hex statement towards the top of the PHP that needs to be commented out or removed, then it works. Took me a while to figure out what the problem was, as I knew “0” PHP at the time and still don’t know much.
Validation of Auto-Renewable In-app purchases
Hope this helps,
Nail
[import]uid: 106779 topic_id: 30371 reply_id: 123051[/import]
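The server-side checks discussed in this thread (matching the validated receipt against what the app claims, and rejecting a transaction ID that was already used), as an added example that is not from any post here or from Satheesh's code. It assumes a Python server that has already received the decoded JSON reply from Apple's verifyReceipt endpoint; the field names `status`, `receipt`, `bid`, `product_id` and `transaction_id` follow that legacy response format, and the bundle ID, product IDs and sample reply are constructed placeholders.

```python
import sqlite3

EXPECTED_BUNDLE_ID = "com.example.mygame"         # hypothetical bundle id
KNOWN_PRODUCTS = {"com.example.mygame.coins100"}  # hypothetical product ids


def open_store(path=":memory:"):
    """Create the table of transaction ids that have already been honoured."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen_tx ("
               "transaction_id TEXT PRIMARY KEY, product_id TEXT)")
    return db


def check_purchase(db, apple_response, claimed_product_id):
    """Return (ok, reason) for one purchase reported by the app.

    apple_response is the decoded JSON the server got back from Apple;
    claimed_product_id is what the app says the user bought.
    """
    if apple_response.get("status") != 0:
        return False, "apple rejected receipt"
    receipt = apple_response.get("receipt") or {}
    # A genuine receipt from a different app must not unlock anything here.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "receipt is for another app"
    product = receipt.get("product_id")
    if product not in KNOWN_PRODUCTS or product != claimed_product_id:
        return False, "product mismatch"
    tx = receipt.get("transaction_id")
    if not tx:
        return False, "missing transaction id"
    try:
        # The PRIMARY KEY makes the uniqueness check atomic: a replayed
        # receipt fails on insert even if two requests race.
        with db:
            db.execute("INSERT INTO seen_tx VALUES (?, ?)", (tx, product))
    except sqlite3.IntegrityError:
        return False, "transaction id already used"
    return True, "ok"


# Constructed sample reply, not captured from Apple.
SAMPLE = {"status": 0, "receipt": {
    "bid": "com.example.mygame",
    "product_id": "com.example.mygame.coins100",
    "transaction_id": "1000000000000001",
    "quantity": "1"}}
```

The app should unlock content only after the server returns `ok`; the `purchased` state reported on the device is not proof of payment.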
Just read the article. Seems like it’s an exploit on Apple’s server side, so no matter how we developed our games we’re just as vulnerable. Pretty scary, but it sounded like it was fixed pretty quickly. [import]uid: 159488 topic_id: 30371 reply_id: 123070[/import]
OK, I managed to get the proper receipt.
Now the problem is there is no store.rollback (or something similar).
Why do I need this ?
If the user uses the crack method, the transaction.event is still “purchased”
if event.transaction.state == "purchased" then
verifyPurchase(event.transaction.receipt)
but the verifyPurchase detects it is a crack and returns false.
At this moment I would need to call store.rollback.
Now the transaction stays open (I can’t call store.finishTransaction because that would validate the purchase), which causes problems because next time the user visits the store I get the message “The item is already purchased but hasn’t been downloaded” (or something similar).
How did you manage this scenario?
How to roll back the purchase?
Regards,
Damir. [import]uid: 108334 topic_id: 30371 reply_id: 124137[/import]