LocalIAPStore IAP cracker - how to protect?

We have a verification server installed that receives purchase receipts from our iOS application via SSL. The receipts are then successfully verified on the iTunes Connect server, and everything works fine. However, if we jailbreak an iOS device and install LocalIAPStore via Cydia, the device can buy anything without charging a user. Receipts are still sent to our server and successfully verified, but the user on the device is never charged and no real transaction ever occurs. How could it be that the Apple servers have successfully confirmed the receipt?!?

Has anyone come across this script using LocalIAPStore?

+4
2 answers

You wrote: "Receipts are still sent to our server and successfully confirmed." I suspect you are being handed the same old receipt over and over again. Your server can register the transaction at the checkout and refuse to check for any duplicate transaction_id.

0
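
A server-side sketch of the duplicate transaction_id check suggested in the answer above. This is an added example, not code from the original posts. It assumes the server has already sent the receipt to Apple's verifyReceipt endpoint and holds the parsed JSON reply in the unified format (status, receipt.bundle_id, receipt.in_app[]). The bundle id, product id, user names and sample reply are constructed, and the bundle id comparison is an extra check beyond what the answer describes.

```python
import sqlite3

EXPECTED_BUNDLE_ID = "com.example.app"  # assumption: placeholder for your app's bundle id


def open_ledger(path=":memory:"):
    """Open the store of already-redeemed transactions."""
    db = sqlite3.connect(path)
    # PRIMARY KEY makes the duplicate check atomic, even with concurrent requests.
    db.execute("""CREATE TABLE IF NOT EXISTS redeemed (
                      transaction_id TEXT PRIMARY KEY,
                      product_id     TEXT NOT NULL,
                      user_id        TEXT NOT NULL)""")
    return db


def redeem(db, user_id, verify_response):
    """Return the product ids newly granted to user_id for this verified receipt."""
    if verify_response.get("status") != 0:       # Apple did not accept the receipt
        return []
    receipt = verify_response.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return []                                # valid receipt, but for another app
    granted = []
    for item in receipt.get("in_app", []):
        tx, product = item.get("transaction_id"), item.get("product_id")
        if not tx or not product:
            continue
        try:
            with db:  # commit on success, roll back on error
                db.execute("INSERT INTO redeemed VALUES (?, ?, ?)",
                           (tx, product, user_id))
        except sqlite3.IntegrityError:
            continue  # transaction_id seen before: replayed receipt, grant nothing
        granted.append(product)
    return granted


# Constructed sample of a parsed verifyReceipt reply (not real data).
SAMPLE = {
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.app",
        "in_app": [{"transaction_id": "1000000000000001",
                    "product_id": "coins_100"}],
    },
}
```

Content should be unlocked only for the product ids this function returns, so a receipt that verifies at Apple but has already been redeemed yields nothing.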

Here is what you can try, even though that won’t stop them from using it.

if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Library/MobileSubstrate/DynamicLibraries/LocalIAPStore.dylib"]) {
    NSLog(@"Local IAP Store detected");
}

This is not very effective, but it may prevent someone from doing this. You might want to make your own server (one-way application) for the application to make it impossible to use LocalIAPStore, etc.

0