iOS in app purchase hack - current state of play?

I have been searching forums etc. with respect to this and am confused as to where we now stand with this with respect to Corona.

Assuming I’m not validating on my own server is there a best practice code example somewhere or tutorial to explain what I should now be doing?

I have been using in app for a while based on some code cobbled together from examples and from very helpful posts by naomi but I don’t think there was any extra validation involved and I am wondering if there are additional steps I should have included?

If anyone can point me in the right direction I would really appreciate it.

If you are talking about the device certificate-based hack from a few months back, then a third party validator (i.e. your server) is actually the only valid solution. The hack itself essentially reroutes ALL IAP-based network requests that normally go to Apple’s servers to their own custom server. This means that any attempts to validate on that device are going to also hit said custom server, rendering it useless. The only valid solution is to have a third-party server that is required for your game to operate at all (so they can’t spoof that one too), and to send your receipt to that server, which then validates it with Apple (you can trust they didn’t mess with the DNS on your server). Otherwise you don’t have a trustworthy authority to determine whether the information is correct (client can’t tell what ‘correct’ would look like and spoofed Apple servers are going to be untrustworthy).

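The server-side check described in the answer above, sketched in Python as an added example (not part of the original thread and not Corona or Apple sample code). It assumes the legacy `verifyReceipt` response fields `bid`, `product_id` and `transaction_id`; the bundle id, product id, sample receipt and `fake_apple` stand-in are constructed for illustration.

```python
import json
import urllib.request

VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"
EXPECTED_BUNDLE_ID = "com.example.mygame"            # assumption: your bundle id
KNOWN_PRODUCTS = {"com.example.mygame.coins100"}     # assumption: your product ids
seen_transactions = set()   # a database table in a real deployment


def https_post(url, payload):
    """Default transport: POST JSON from YOUR server with normal TLS verification."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fake_apple(url, payload):
    """Constructed stand-in for Apple's reply so the example runs offline."""
    if payload["receipt-data"] == "Z2VudWluZQ==":    # constructed sample receipt
        return {"status": 0, "receipt": {"bid": EXPECTED_BUNDLE_ID,
                "product_id": "com.example.mygame.coins100",
                "transaction_id": "1000000012345"}}
    return {"status": 21002}    # Apple's code for malformed receipt data


def validate_receipt(receipt_b64, post=https_post):
    """Return (ok, detail) for the base64 receipt uploaded by the client."""
    reply = post(VERIFY_URL, {"receipt-data": receipt_b64})
    if reply.get("status") != 0:
        return False, "apple rejected receipt (status %s)" % reply.get("status")
    receipt = reply.get("receipt", {})
    # A genuine receipt for another app or product must not unlock ours.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "bundle id mismatch"
    if receipt.get("product_id") not in KNOWN_PRODUCTS:
        return False, "unknown product"
    txn = receipt.get("transaction_id")
    if not txn or txn in seen_transactions:   # same receipt presented twice
        return False, "missing or replayed transaction"
    seen_transactions.add(txn)
    return True, receipt["product_id"]


if __name__ == "__main__":
    print(validate_receipt("Z2VudWluZQ==", post=fake_apple))   # accepted
    print(validate_receipt("Z2VudWluZQ==", post=fake_apple))   # replay refused
    print(validate_receipt("Zm9yZ2Vk", post=fake_apple))       # rejected by Apple
```

The client should unlock content only on the server's answer, never on its own local view of the transaction.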

Didn’t iOS 6 render this hack useless?

Seems like there’s a lot of articles back in July that point to the hacker admitting the game was over:

http://www.zdnet.com/hacker-on-apples-ios-in-app-purchase-fix-game-is-over-7000001409/

http://appleinsider.com/articles/12/07/23/in_app_hack_creator_admits_defeat_says_its_all_overfor_now

???

Supposedly it’s fixed, but if IAP is your revenue model it would make sense to still verify purchases with your own server.

I really think being able to use the upcoming Corona Cloud for IAP verification would be rather awesome.

Supposedly it’s fixed for iOS 6.
But what about the users who run previous iOS versions?

Is there a secure way without using your own server for validation?

Regards,
Damir.