IAP cracks that seem to have valid receipts

We have a successful app in the iOS App Store with in-app purchases. Every time a purchase is completed, we send the receipt to our server; our server then verifies the receipt with Apple's servers and records Apple's response (including whether the purchase was valid and whether it came from our application at the same time and date).

We have quite a few users who use IAP cracks, which send us receipts that Apple says are invalid. However, we have now begun to see scammers whose receipts Apple reports as VALID. What is strange about these cheaters is that when such a fraudster purchases in our application, he usually makes all of his purchases with exactly the same receipt.

Have you heard of this way of "passing" Apple's receipt validation? (i.e. generating receipts that Apple will say came from our application at the time of the "purchase")

Is there anything we can do to catch these scammers on their first purchase? (For subsequent purchases, we can simply check receipt numbers or make sure our receipts are unique.)

Thanks!

+6
2 answers

Is there anything we can do to find these scammers in our first purchase

Actually, if this is the same hack that I saw recently as a proof of concept, the first purchase is legitimate. The "innovation" is to decode this legitimate receipt and replace its IAP identifier with another one, while the receipt as a whole remains valid. So simply rejecting duplicates is enough. I didn't think it was anywhere close to a finished product, though this could perhaps be something else.

+1

We also faced a similar problem when developing a game for the iOS App Store, where the business model was based solely on In-App Purchases.

Initially, we used to verify receipts with Apple's servers directly from the device. But some hackers created a hack for users, where they can install a DNS server certificate on their device that replaces the response from Apple.

The way to handle this is to have your web server verify the receipts with Apple directly, using some kind of hashing or MD5 check to confirm that the answer really comes from Apple.

Here is a link with detailed information about this: https://www.objc.io/issues/17-security/receipt-validation/

Hope this helps.

0
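Both answers come down to the same server-side rule: verify with Apple from your own server, trust only what Apple's response says about bundle and product, and never honour the same receipt or transaction twice. The following is an added example of that acceptance check, not code from the original thread or from Apple. It assumes the JSON shape of Apple's verifyReceipt response (status, receipt.bundle_id, receipt.in_app[] with product_id and transaction_id); the bundle id, product ids, receipt bytes and the Apple responses themselves are constructed stand-ins, so it runs offline with no network call.

```python
import hashlib

EXPECTED_BUNDLE_ID = "com.example.game"  # assumption: our own app's bundle id
KNOWN_PRODUCTS = {"com.example.game.coins100", "com.example.game.coins500"}


class ReceiptStore:
    """Transaction ids and receipt hashes that have already been redeemed."""

    def __init__(self):
        self.transaction_ids = set()
        self.receipt_hashes = set()


def accept_purchase(store, raw_receipt, apple_response, requested_product):
    """Decide whether to grant `requested_product` for this receipt.

    Returns (ok, reason). Apple's verdict must be status 0, the receipt must
    belong to our bundle and actually contain the product the client claims,
    and neither the receipt bytes nor the transaction id may have been
    redeemed before (the "same receipt for every purchase" pattern).
    """
    if apple_response.get("status") != 0:
        return False, f"apple status {apple_response.get('status')}"
    receipt = apple_response.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False, "bundle_id mismatch"
    if requested_product not in KNOWN_PRODUCTS:
        return False, "unknown product"
    # Use the product ids Apple reports, never the one the client sends alone.
    matching = [p for p in receipt.get("in_app", [])
                if p.get("product_id") == requested_product]
    if not matching:
        return False, "product not in receipt"
    receipt_hash = hashlib.sha256(raw_receipt).hexdigest()
    if receipt_hash in store.receipt_hashes:
        return False, "duplicate receipt"
    tx_ids = {p.get("transaction_id") for p in matching}
    if tx_ids & store.transaction_ids:
        return False, "duplicate transaction_id"
    store.receipt_hashes.add(receipt_hash)
    store.transaction_ids.update(tx_ids)
    return True, "granted"


def fake_apple_response(status, bundle_id, purchases):
    """Constructed stand-in for Apple's verifyReceipt JSON (no network)."""
    return {
        "status": status,
        "receipt": {
            "bundle_id": bundle_id,
            "in_app": [
                {"product_id": pid, "transaction_id": tx,
                 "purchase_date_ms": "1700000000000"}
                for pid, tx in purchases
            ],
        },
    }


def run_demo():
    """Replays the patterns described in the thread; returns each verdict."""
    store = ReceiptStore()
    coins100, coins500 = "com.example.game.coins100", "com.example.game.coins500"
    good = fake_apple_response(0, EXPECTED_BUNDLE_ID, [(coins100, "100000001")])
    receipt_a = b"constructed-receipt-bytes-A"
    results = {}
    # 1. legitimate first purchase
    results["first"] = accept_purchase(store, receipt_a, good, coins100)
    # 2. the very same receipt submitted again
    results["replay"] = accept_purchase(store, receipt_a, good, coins100)
    # 3. same receipt, client claims a product Apple's response does not list
    results["other_product"] = accept_purchase(store, receipt_a, good, coins500)
    # 4. different bytes, but Apple reports an already-redeemed transaction id
    results["reused_tx"] = accept_purchase(
        store, b"constructed-receipt-bytes-B", good, coins100)
    # 5. sandbox receipt sent to production (Apple status 21007)
    sandbox = fake_apple_response(21007, EXPECTED_BUNDLE_ID, [(coins100, "100000002")])
    results["sandbox"] = accept_purchase(
        store, b"constructed-receipt-bytes-C", sandbox, coins100)
    # 6. a perfectly valid receipt that belongs to some other app
    foreign = fake_apple_response(0, "com.other.app", [(coins100, "100000003")])
    results["foreign"] = accept_purchase(
        store, b"constructed-receipt-bytes-D", foreign, coins100)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:14s} -> {verdict}")
```

The order of the checks matters: Apple's status and bundle id are tested before anything else, so a spoofed or foreign response never reaches the grant path, and the product is matched against what Apple returned rather than what the client asserted. The `ReceiptStore` here is in-memory; in production the transaction ids belong in the database, keyed uniquely, so the duplicate check survives restarts and concurrent requests.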
