weird apple receipt structure

Hi, I was wondering why we're getting this type of Apple receipt:


0\u0013ý\u0006\t*H÷\r\u0001\u0007\u0002 \u0013î0\u0013ê\u0002\u0001\u00011\u000b0\t\u0006\u0005+\u000e\u0003\u0002\u001a\u0005\u00000\u0003\u0006\t*H÷\r\u0001\u0007\u0001 \u0003\u0004\u00031\u00030\n\u0002\u0001\u0014\u0002\u0001\u0001\u0004\u0002\f\u00000\u000b\u0002\u0001\u000e\u0002\u0001\u0001\u0004\u0003\u0002\u0001Z0\u000b\u0002\u0001\u0019\u0002\u0001\u0001\u0004\u0003\u0002\u0001\u00030\f\u0002\u0001\u000f\u0002\u0001\u0001\u0004\u0004\u0002\u0002'\u000f0\r\u0002\u0001\n\u0002\u0001\u0001\u0004\u0005\u0016\u000312+0\r\u0002\u0001\u000b\u0002\u0001\u0001\u0004\u0005\u0002\u0003\u0012¢*0\r\u0002\u0001\r\u0002\u0001\u0001\u0004\u0005\u0002\u0003\u0001`¾0\u000e\u0002\u0001\u0001\u0002\u0001\u0001\u0004\u0006\u0002\u0004\u001fE\u001d»0\u000e\u0002\u0001\t\u0002\u0001\u0001\u0004\u0006\u0002\u0004P2440\u000e\u0002\u0001\u0010\u0002\u0001\u0001\u0004\u0006\u0002\u00040»Ys0\u0014\u0002\u0001\u0000\u0002\u0001\u0001\u0004\f\f\nProduction0\u0014\u0002\u0001\u0003\u0002\u0001\u0001\u0004\f\f\n20160530.00\u0014\u0002\u0001\u0013\u0002\u0001\u0001\u0004\f\f\n20160428.00\u0017\u0002\u0001\u0002\u0002\u0001\u0001\u0004\u000f\f\rcom.spuul.ios0\u0018\u0002\u0001\u0004\u0002\u0001\u0002\u0004\u0010\u000f\u001bÙ\u0000¹Ý\büúÙ}Fµ¥0\u001c\u0002\u0001\u0005\u0002\u0001\u0001\u0004\u0014«[`\u0003^J wç\u0011\u0007Q\u001fjÒJñ0\u001e\u0002\u0001\b\u0002\u0001\u0001\u0004\u0016\u0016\u00142016-06-17T15:11:23Z0\u001e\u0002\u0001\f\u0002\u0001\u0001\u0004\u0016\u0016\u00142016-06-17T15:11:23Z0\u001e\u0002\u0001\u0012\u0002\u0001\u0001\u0004\u0016\u0016\u00142016-05-03T03:54:31Z0:\u0002\u0001\u0007\u0002\u0001\u0001\u00042ª\u0011õ\u001cÇ##ÖÐüÜúRHÕ÷.õ\"(ædW1\u0006FÌäþ¦WmÜ^Ïm¹Àr;7nè«\u001eí*!%\u001feÏt{ÌçnÉ¿yw\u0010²áB\u001fVÜß\u001f&Ít¦CÂ#NWfÿØ\u000f§egKn0\u000bKh°\f\u0003íyî\u001eä @âÚ¿]q¬];\u001a\u001fCOçÚ\u0006Ç\\äÎý\u001dâ\u0001/F+õ]\u0010kw²¿(Téqó\u001ftÛÎ\u001aýøé©¸Y¿«\fËäÊÐ\b\"y8ÈÁ\u001eÙÓe",


We get this type of receipt when a user tries to restore a purchase.

Is this a receipt that you get when you test the app in the sandbox or is this receipt coming from a user?

If it is from a user, are you certain it is a legitimate transaction or could it be from a hack?

Is it a receipt from transaction.transactionReceipt or is it a receipt from the NSURL [[NSBundle mainBundle] appStoreReceiptURL]?

What happens when you send this receipt to the Apple servers to decode it or when you try to decode it yourself?

Hi PBK, Thanks for responding.


Is this a receipt that you get when you test the app in the sandbox or is this receipt coming from a user?

This is coming from the live app we published in the iOS App Store.


If it is from a user, are you certain it is a legitimate transaction or could it be from a hack?

It is from a user, actually multiple users. I do not know how to tell if the transaction is legitimate or a hack. Is it possible to detect if the user is trying to hack the app? I'm using the MKStoreKit Library to manage our IAP.


Is it a receipt from transaction.transactionReceipt or is it a receipt from the NSURL [[NSBundle mainBundle] appStoreReceiptURL]?

The receipt comes from [[NSBundle mainBundle] appStoreReceiptURL] once the SKRefreshReceiptRequest has finished.


What happens when you send this receipt to the Apple servers to decode it or when you try to decode it yourself?

For security purposes, we encode the Apple receipt and send it to our server. Our server will then send it to the Apple servers. The response from the Apple servers is 21002, meaning "The data in the receipt-data property was malformed or missing." according to Apple Docs.

It sounds like a hack. Any reason to believe it is not? If you are rejecting the purchase because of the 21002 and if none of those 'multiple users' are complaining then that supports the 'sounds like a hack' explanation.

Our back end team also suspects that it could be a brute force attack. You also have a point when the "multiple users" don't contact our customer support. Thank you for your response PBK!


On another note, we are also experiencing EMPTY in_app field receipts when our servers decode a receipt after a purchase. Any idea on this?

Might want to search the internet to see if your app by name has been cracked, is being fed to jailbreak'd users and used as eyeball fodder for website visits...

I'm not sure about "empty" but if the In App field is missing then that means there are no In App Purchases. This happens when a hacker injects a call to updatedTransactions without altering the on board receipt. Your code will think that was a purchase, grab the on board receipt and send it for verification. Since no real purchase was made the In App Field will be 'missing'.


This will also happen if the app does the following 3 things - purchases a consumable IAP, calls finishTransaction, calls receiptRefresh or restoreCompletedTransactions.
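
Added example, not part of any post above and not MKStoreKit code: one way a server could handle the two cases raised in this thread, a receipt-data payload that cannot be a base64-encoded receipt (the 21002 case) and a valid receipt whose in_app list is missing or empty. The function names, reason strings, bundle ID and product ID are hypothetical; the response layout assumed is the decoded verifyReceipt JSON (status, receipt.bundle_id, receipt.in_app[].product_id).

```python
import base64
import binascii

STATUS_OK = 0             # verifyReceipt: receipt is valid
STATUS_MALFORMED = 21002  # "receipt-data property was malformed or missing"


def precheck_receipt_data(receipt_data):
    """Cheap local check before the payload is forwarded to Apple."""
    try:
        raw = base64.b64decode(receipt_data, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False  # not base64 at all, e.g. raw bytes pasted as text
    # The app receipt is a PKCS#7 container, i.e. a DER SEQUENCE (tag 0x30).
    return len(raw) > 2 and raw[0] == 0x30


def decide(response, expected_bundle_id, claimed_product_id):
    """Map a decoded verifyReceipt response to (grant, reason)."""
    status = response.get("status")
    if status == STATUS_MALFORMED:
        return False, "malformed_receipt"
    if status != STATUS_OK:
        return False, "status_%s" % status
    receipt = response.get("receipt") or {}
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "bundle_mismatch"
    in_app = receipt.get("in_app") or []
    if not in_app:
        # Valid receipt but no purchases in it: either no purchase was made,
        # or a consumable was already finished before the receipt refresh.
        # Either way there is nothing in the receipt to grant against.
        return False, "no_in_app_purchases"
    if not any(i.get("product_id") == claimed_product_id for i in in_app):
        return False, "product_not_in_receipt"
    return True, "ok"


# Constructed sample responses (not real Apple output).
SAMPLE_EMPTY = {"status": 0,
                "receipt": {"bundle_id": "com.example.app", "in_app": []}}
SAMPLE_GOOD = {"status": 0,
               "receipt": {"bundle_id": "com.example.app",
                           "in_app": [{"product_id": "com.example.app.premium",
                                       "transaction_id": "1000000000000001"}]}}
```

Logging the reason string per user and device makes it easy to see whether the rejected requests cluster on a few clients.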
