Major hack in iap verification?

Hi All,

We see in our quite successful app a few users who are making in-app purchases (consumables) that seem to be fake. For some of them, their first purchase seems valid (??). I will explain:

From each of these users, their first purchase seems legit (we send the receipt to Apple's servers and get valid fields, our app id, time etc). These users make many more purchases, but from the second purchase onwards they are using the exact same receipt over and over.

Any ideas?

Thanks

Sure, it could be an error in your coding or a hack. Most likely a hack. It is a straightforward hack to shoot a call into an app's updatedTransactions with a purchased state and hope that the code accepts the call as legit. I suspect your app just grabs the 'updated' receipt and sends it on for verification. I would assume your verification method rejects the purchase - that's what 'verification' means.

I still don't get it. Why would a user make a real purchase and then in the next purchase which can be a few minutes later make a fake purchase?

Can he somehow fake the first purchase (give us a receipt that Apple's servers will see as valid??)

Thanks!

>Why would a user make a real purchase and then in the next purchase which can be a few minutes later make a fake purchase?

Because it is a consumable and he wants to accumulate many of those consumables. But to do that he needs at least one valid receipt.


>Can he somehow fake the first purchase (give us a receipt that Apple's servers will see as valid??)

If the receipt is a valid receipt and is 'current' in time then it was a real purchase or a restore (or a repurchase for free). If it has a unique transaction_id then it is a new purchase. (If you decode the receipt yourself you can check to be sure the receipt is intended for that device - but you can't get that info if you use the Apple servers.)

If your in app purchases just unlock some functionality that is present in your app, a jailbroken app can be hacked to use that functionality. Making a real first purchase gets that ball rolling.


If, however, you send the receipt to your server, and your server checks the receipt with Apple, and the purchase then enables functionality on the server, then it can't be hacked without hacking your server.

Aaron,

Please indicate whether your process is validating the applicationReceipt or the deprecated transactionReceipt. My first thought is that your process is validating the deprecated transactionReceipt. The transactionReceipt has been deprecated since iOS 6 for the issue you describe. The applicationReceipt is signed by Apple and to my knowledge cannot be forged without the Apple signing certificate. When the updatedTransactions delegate method is called with a state - SKPaymentTransactionStatePurchased, the application can validate the receipt and check the contents of the in_app array.


If in fact, you are validating the applicationReceipt, are you calling finishTransaction? Is there always the one item in the in_app array with the same transaction identifier and time stamp?


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI
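
Added example, not code from any poster in this thread: a server-side version of the check discussed above, crediting a consumable only the first time a given `transaction_id` appears in the `in_app` array of a receipt Apple has reported as valid. The `Ledger` class, bundle id, product catalogue and sample response are constructed for illustration.

```python
import json

# Constructed sample of the JSON a receipt-verification call returns
# (status 0 = valid). Bundle id, product id and transaction id are made up.
SAMPLE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.game",
        "in_app": [
            {"product_id": "coins_100",
             "transaction_id": "1000000000000001",
             "quantity": "1"},
        ],
    },
})

EXPECTED_BUNDLE_ID = "com.example.game"   # assumption: your app's bundle id
COINS_PER_PRODUCT = {"coins_100": 100}    # assumption: your consumable catalogue


class Ledger:
    """Hypothetical server-side store. A real one would use a database table
    with a UNIQUE constraint on transaction_id so concurrent replays fail too."""

    def __init__(self):
        self.seen = set()     # transaction_ids already credited, across all users
        self.balances = {}    # user -> coins

    def credit_from_response(self, user, response_text):
        """Credit each transaction at most once; return coins newly granted."""
        resp = json.loads(response_text)
        if resp.get("status") != 0:
            return 0                      # the receipt was not reported as valid
        receipt = resp.get("receipt", {})
        if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
            return 0                      # valid receipt, but for another app
        granted = 0
        for item in receipt.get("in_app", []):
            tx = item.get("transaction_id")
            coins = COINS_PER_PRODUCT.get(item.get("product_id"))
            if not tx or coins is None or tx in self.seen:
                continue                  # unknown product, or a replayed receipt
            self.seen.add(tx)
            granted += coins * int(item.get("quantity", "1"))
        self.balances[user] = self.balances.get(user, 0) + granted
        return granted
```

With this in place, resubmitting the same valid receipt grants nothing on the second and later attempts, which is the pattern described in the original question.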
