Found a serious exploit about subscription used in games, how can this be avoided?

I am a producer of mobile games, and recently I have been trying to implement subscriptions. I tried playing a few competitor games that have subscriptions and noticed a big flaw. Basically, you can use one Apple ID, purchase a subscription once, and then share this Apple ID and let everyone else activate the subscription in their games! Is there any way I can prevent this from happening?


Scenario:

1) Assume you have an Apple ID, abc@email.com, and log in to this account on device 1.

2) Run a game with a subscription (I tried Invasion: Modern Empire, for example). Purchase its 30-day subscription.

3) Now, on device 2, log in as abc@email.com again.

4) Run the game on device 2; it will be a new game anyway. But when you try to purchase the subscription here, Apple detects that the subscription is active and won't let you. However, when you restart the game, the app checks the subscription ID and, since it's valid, gives the subscription to this device. And this is wrong, because the game running here is a different game account than the one on device 1.


Problem here is:

Assume I am a guild leader in a game. I can pay for the subscription with my Apple ID first. Then I can help all my guild members activate their subscriptions by sharing my Apple ID. Every time another person logs in to my Apple ID and runs their game, the game gets the same subscription ID and allows this to happen.


How can we avoid this?

You can't avoid it, and it's not "wrong". The scenario you describe is the same as if you own several devices and are logged in with the same account on all of them. You paid for it, so you should be able to use it on your devices. It's actually vital that it works this way: imagine your old iPhone broke and you bought a new one. You expect the game you paid for to work on the new device, don't you?

I believe, but please correct me if I am wrong, that the app itself needs to have been downloaded onto the device by the same Apple ID that is used to purchase the subscription. Also, that original 'app download', the first subscription and each renewal require logging out of the actual user's Apple ID and logging in to the 'Guild Leader's' Apple ID each time. So it is a bit of a hassle to execute the scam you are suggesting. A bit of a hassle, but not that complicated. You can opt out of auto-renewable subscriptions and use a non-renewing subscription. Then keep track of how many 'copies' the user makes of a subscription, and if that number exceeds 5, ask the user to contact you directly for additional copies.


In this scam, the Guild Leader is at risk that one of the members will use the Guild Leader's Apple ID to make additional cash purchases.

I have not tried this, but it is possible that you could...


Create a CloudKit database that stores a record for each original_transactionID in the public database area. (CloudKit is tied to the user's iCloud account, which also controls other things including Find My iPhone. Changing it is an inconvenience.) When a device restores or purchases a subscription, it would check whether a record already exists for that original_transactionID. If not, it would create a record, write its device's identifierForVendor, and make a reference in that record to its private CloudKit database, a reference that varies based on the user's currently entered username/password for iCloud. If a record already existed for that original_transactionID, then it would check that its CloudKit private database information was correct, or it would request that the user log in to 'their' iCloud account. That means the user would have to go through the bother, each time they wanted to use the subscription, of redoing their 'Find My iPhone' and other things that are tied to their iCloud account in order to align their iCloud account with the Guild Leader's. Also, you could detect when a single subscription was used by more than 5 devices and tell the user to 'Contact Us' to get additional copies.


I don't know if you can get an indelible reference to the user's (aka the Guild Leader's) iTunes/App Store account and require that it be aligned with the one used to purchase the subscription each time the user wants to use the subscription.
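The "count the copies and cut off after 5" idea from the answer above, expressed as server-side logic rather than CloudKit. This is an added example, not code from the question or either answer. It assumes the game server has already validated the receipt with Apple and pulled `original_transaction_id` and `expires_date_ms` out of it (that step is not shown), and that each player has a game account id independent of the Apple ID. The binding table, the cap, and the sample scenario are all constructed here; a real deployment would persist the table in a database.

```python
"""
Bind an App Store subscription (keyed by original_transaction_id) to the game
accounts that activate it, so one Apple ID cannot unlock an unbounded number
of different game accounts while still allowing the legitimate case of one
player restoring on a replacement device.

Constructed example: receipt validation against Apple is assumed to have
happened before activate() is called.
"""
from dataclasses import dataclass, field
from enum import Enum
import time


class Decision(Enum):
    GRANTED = "granted"              # subscription active for this game account
    EXPIRED = "expired"              # receipt says the subscription has lapsed
    LIMIT_REACHED = "limit_reached"  # too many distinct game accounts share it


@dataclass
class SubscriptionRegistry:
    # Hypothetical cap mirroring the "more than 5 copies" threshold in the answer.
    max_accounts_per_subscription: int = 5
    # original_transaction_id -> set of game account ids that activated it
    _bindings: dict = field(default_factory=dict)

    def activate(self, game_account_id, original_transaction_id,
                 expires_date_ms, now_ms=None):
        """Decide whether game_account_id may use this subscription right now."""
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        if expires_date_ms <= now_ms:
            return Decision.EXPIRED
        accounts = self._bindings.setdefault(original_transaction_id, set())
        if game_account_id in accounts:
            # Same game account on another device (new phone, reinstall):
            # this is the legitimate restore the first answer insists on.
            return Decision.GRANTED
        if len(accounts) >= self.max_accounts_per_subscription:
            # A sixth distinct game account on one purchase: send to support.
            return Decision.LIMIT_REACHED
        accounts.add(game_account_id)
        return Decision.GRANTED

    def accounts_for(self, original_transaction_id):
        return frozenset(self._bindings.get(original_transaction_id, ()))


def simulate_guild_sharing():
    """Replay the guild-leader scenario from the question against the registry.

    Returns a list of (game_account_id, decision) pairs. The transaction id,
    expiry and account names are made up for the example.
    """
    registry = SubscriptionRegistry(max_accounts_per_subscription=5)
    tx = "1000000123456789"          # constructed original_transaction_id
    expires_ms = 2_000_000_000_000   # constructed expiry far in the future
    now_ms = 1_700_000_000_000       # constructed "current" time

    steps = [("leader", "own device"),
             ("leader", "replacement device, same game account"),
             ("member1", "shared Apple ID"),
             ("member2", "shared Apple ID"),
             ("member3", "shared Apple ID"),
             ("member4", "shared Apple ID"),
             ("member5", "shared Apple ID, sixth account")]
    results = []
    for account, _note in steps:
        results.append((account, registry.activate(account, tx, expires_ms, now_ms)))

    # A lapsed subscription is refused regardless of who presents it.
    results.append(("leader", registry.activate("leader", tx, now_ms - 1, now_ms)))
    return results


if __name__ == "__main__":
    for account, decision in simulate_guild_sharing():
        print(f"{account:8s} -> {decision.value}")
```

The key design choice is what the cap is counted over: distinct game accounts, not devices. Counting devices (identifierForVendor, as the answer suggests) would penalise a single player who replaces a phone, while counting game accounts targets exactly the sharing pattern the question describes.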
