Storing IAP status in JSON file

I saw a comment in the comments section of Rob’s IAP tutorial (https://coronalabs.com/blog/2013/09/03/tutorial-understanding-in-app-purchases/) that raised a red flag with me. It basically said not to store the IAP status in a JSON file since it could be easily hacked.

For instance, if I store a boolean called FullVersion in my JSON settings, some unscrupulous user could discover this and publish this knowledge, allowing users of the limited version to simply edit this file to enable the full version.

Sounds reasonable. How do people get around this? Name the flag something nebulous? Not use JSON to store this setting?

Aside:  IAP is easily fat-fingered to IPA, which always makes me thirsty…

I implemented this system also. You can’t access the json file from iTunes if you have the UIFileSharing = false (I think that is what the flag is called).

I’m sure it could still be hacked somehow, but 90% of people aren’t going to have the skills to do this. AFAIK the percentage of people running jailbroken devices is in the minority. (I could be wrong)

Some people have also encrypted their json files I believe. I saw some forum threads on this topic (I don’t have any links to hand I’m afraid)

Thanks, I’ll look for that flag. I just created a variable that takes different values and would likely appear unrelated to any kind of IAP.

I’m probably worrying too much.

Heck, I’d kill for downloads, pirated or not.  :-)

On iOS the folder where your settings are saved is not visible outside the app. If you turn that on, then you could get to it from iTunes, but as long as you leave it out of your build.settings, casual viewers won’t be able to mess with it. You have to have a jailbroken phone on iOS for people to do this. I’m not that worried about iOS as much as I am Android. Way more people **root** their Android devices, increasing the probability that they could go poking around.

There are techniques that you can use, like come up with a pass phrase and run it through an MD5 hash routine that will spit out a long hex number.  If you’re on a Mac this is easy to do, if not there should be a website that will generate the MD5 hash for you.  Create a phrase, in my instance I’m going to use the phrase “fred&barney”.  From the terminal on your Mac do:

echo "fred&barney" | md5

It will output:

35f12d715b663fab1e30ddfd7b29d00d

You can then store that in your json file and give it an obscure key, i.e.  if you have a table called settings that holds your settings do:

settings.plugh = "35f12d715b663fab1e30ddfd7b29d00d"

Then in your app, check to see if settings.plugh matches “35f12d715b663fab1e30ddfd7b29d00d” and you’ve made it not so obvious that this is your free vs. paid key.  If they try and hack the value, it most likely won’t match.   You can add in a bunch of other random keys and MD5 strings to obscure things even more.

But this is only going to stop the casual person. A good hacker will look at the file, pay for it, see the difference and then publish the difference for their friends to use. So this is by no means foolproof. The recommended way is to store the receipt you get back from IAP on a remote server and then check your saved version of the receipt with the server hosted version and if they match, then unlock things. But this of course only works if you have connectivity.

Rob
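
Added example, not part of the post above or any poster's code: a Python sketch (the thread's apps are Corona/Lua; Python is used only to show the logic) comparing the static-token check with a tag bound to one device through HMAC. `APP_SECRET`, the device IDs, the `receipt` field and all function names are assumptions made up for the illustration.

```python
import hashlib
import hmac
import json

# Static token from the post above; identical in every paid install.
STATIC_TOKEN = "35f12d715b663fab1e30ddfd7b29d00d"

# Assumption: a secret compiled into the app. Anyone who extracts it from the
# binary can forge tags, so this raises the bar but is not a server check.
APP_SECRET = b"constructed-demo-secret"


def unlocked_static(settings: dict) -> bool:
    """Scheme from the post: compare an obscurely named key to a fixed hash."""
    stored = str(settings.get("plugh", "")).encode()
    return hmac.compare_digest(stored, STATIC_TOKEN.encode())


def make_tag(device_id: str, receipt: str) -> str:
    """HMAC-SHA256 over device ID and receipt, so the tag differs per device."""
    msg = json.dumps([device_id, receipt]).encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()


def unlocked_bound(settings: dict, device_id: str) -> bool:
    """Recompute the tag for this device and compare in constant time."""
    expected = make_tag(device_id, str(settings.get("receipt", "")))
    stored = str(settings.get("plugh", "")).encode()
    return hmac.compare_digest(stored, expected.encode())


def demo() -> dict:
    # Constructed sample data: device IDs and receipt are made up.
    paid_static = {"volume": 7, "plugh": STATIC_TOKEN}
    paid_bound = {"volume": 7, "receipt": "constructed-receipt-001",
                  "plugh": make_tag("device-A", "constructed-receipt-001")}
    return {
        # A published settings file unlocks any device under the static scheme.
        "static_copied_to_B": unlocked_static(dict(paid_static)),
        "bound_on_A": unlocked_bound(paid_bound, "device-A"),
        # The same file copied to another device no longer verifies.
        "bound_copied_to_B": unlocked_bound(dict(paid_bound), "device-B"),
        # Editing a covered field without the secret breaks the tag.
        "bound_edited": unlocked_bound({**paid_bound, "receipt": "x"}, "device-A"),
    }


if __name__ == "__main__":
    print(demo())
```
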

My settings file has a lot of keys. I simply added another with a seemingly normal name and if it’s set to one of a disparate set of values, it’s unlocked, otherwise locked. i.e., it’s not a boolean.

You’re right about Android, but the way I look at it is if someone was never going to pay for it, I’d rather him steal it and at least do some free marketing for me than never run it at all. Not that I want to make it easy to steal, but I don’t want to build an overly complex security mechanism that may end up biting paying customers.

BTW, I also added UIFileSystem = false in my iPhone->plist key in build.settings.

I simply leave my JSON table the way it is, and modified the load/save table function to encrypt/decrypt it with just a few added lines.  I’ve posted the routine here.

I have a library I use to store IAP state on disk that pseudo encrypts it.  It can be used with any persistent data.

Editing a .json file is easy as you can use third party tools that will open the device and allow you to modify any file without jailbreaking. Disabling iTunes file browsing does not change this, it’s still easy to do.

Here is my Table Scrambler Library:

https://gum.co/OEyo
