Transaction verification

So a few years back a guy found a way to hack in-app purchases. Apple released a class called "VerificationController" that basically all you had to do was pass the transaction and it would validate it and then return yes or no if it was good.

At the time I had a server-side verification already implemented, where the transaction would get sent to my server, get verified between the server and Apple, then return an encrypted block to unlock the feature from the purchase, so I didn't need it.

But I want to have IAP in my new app and I don't want to have to go through all the work of updating my system to work now that things like UDIDs are no longer available to us.

Do I still need to either validate on my server or use the VerificationController class, or has the issue with IAP been resolved so I can just trust purchases?

I believe the issue has not been 'solved' as far as preventing hacks but it has been 'solved' in that there is a verification procedure that allows you to do one of the following:


1) decode a receipt delivered with the purchase using OpenSSL - it's a bit hard but can be done, and it's very secure since each receipt is encoded based on the device's unique identifierForVendor

2) grab the receipt and send it to your server - this requires secure transmission to avoid a man-in-the-middle attack and requires that your server watch out for duplicate receipts because it does not have a device-specific field

3) grab the receipt and send it from the device to Apple servers and get back a response on the device - this is easy but may be subject to a fairly sophisticated hack in which the transmission to Apple is diverted.

So yeah it looks like I'll need to use the verification class, if it still works. Doing it server side isn't the worst headache but since UDIDs are no longer available I'd have to rewrite a lot of code.

You can't use VerificationController or VerificationControllerPBKSimple because they rely on transaction.transactionReceipt and that is deprecated. You will need to write your own code to decode the receipt on the device.

I suppose I have one more question.

The purchases are weapons, and the weapon data and models are not included in the app. I have hosted them with Apple. So with that in mind, if someone does manage to hack the system and fake a verified receipt, will the content still download?

I do not know if a hacker can capture and copy the transaction.downloads object from one valid purchase on one device and resubmit it to other devices thereby emulating a valid purchase. But it would not surprise me if they could. At the very least I would send the receipt from the device to the Apple servers and verify that it is valid and that the receipt's request_date comes after the purchase_date.

>will the content still download?


They probably wouldn't bother faking a receipt if it didn't, so...


Seen this?


w w w . gamasutra.com/blogs/AndreiMihu/20150709/248126/Defend_your_games_against_InApp_Purchase_attacks.php

This is not what OP asked for, but one might find useful this code I posted to check the UID hash of an appreceipt server side:

NOTE: the previous post does not appear correctly in the forum under IAP!!!! Perhaps because it has a link in it.


Thanks for posting a method to check the UUID hash of an appreceipt server side. It fills in a security flaw in Apple's system. A necessary operation for anyone thinking they are actually validating receipts using a remote server. Especially because the transaction_id is not unique when a user repurchases an item.
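The server-side checks discussed in this thread (device-bound receipt hash, request_date after purchase_date, duplicate receipts), as an added example that is not code from any poster or from Apple. It assumes the receipt's signature has already been verified and its fields extracted; the dictionary keys, the `ReceiptChecker` name and all sample values are hypothetical and constructed, and the duplicate key uses transaction_id plus purchase_date following the last post's remark about repurchases.

```python
import hashlib
import hmac
import uuid
from datetime import datetime, timezone


def receipt_hash(vendor_id: str, opaque_value: bytes, bundle_id_raw: bytes) -> bytes:
    """SHA-1 over device identifier || opaque value || bundle identifier."""
    device_bytes = uuid.UUID(vendor_id).bytes  # identifierForVendor as 16 raw bytes
    return hashlib.sha1(device_bytes + opaque_value + bundle_id_raw).digest()


class ReceiptChecker:
    def __init__(self):
        # In production this is a database table with a unique constraint.
        self.seen = set()

    def check(self, fields: dict, vendor_id: str) -> str:
        expected = receipt_hash(vendor_id, fields["opaque_value"], fields["bundle_id_raw"])
        # Constant-time compare: the receipt must have been issued to this device.
        if not hmac.compare_digest(expected, fields["sha1_hash"]):
            return "device-mismatch"
        # The verification request must post-date the purchase itself.
        if fields["request_date"] <= fields["purchase_date"]:
            return "bad-dates"
        # Keyed on more than transaction_id alone (assumption, see lead-in).
        key = (fields["transaction_id"], fields["purchase_date"])
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        return "ok"


def sample_fields(vendor_id: str) -> dict:
    """Constructed receipt fields, as if already parsed from a verified receipt."""
    opaque = bytes.fromhex("00112233445566778899aabbccddeeff")
    bundle = b"\x0c\x0fcom.example.app"  # ASN.1 UTF8String bytes, constructed
    return {
        "opaque_value": opaque,
        "bundle_id_raw": bundle,
        "sha1_hash": receipt_hash(vendor_id, opaque, bundle),
        "transaction_id": "1000000000000001",
        "purchase_date": datetime(2015, 7, 1, 12, 0, tzinfo=timezone.utc),
        "request_date": datetime(2015, 7, 1, 12, 5, tzinfo=timezone.utc),
    }
```

The bundle identifier goes into the hash as the raw attribute bytes from the receipt, not as a re-encoded string.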
