Checking the receipt of an application from a client

I read (almost) all the answers about verifying purchases in the application, and in fact I already implement it on the server side. But sometimes managing a server can be too expensive, and in theory you can do the check in your application: basically it is just sending JSON to Apple and returning the response. Of course, I know that on hacked devices receipts can be fake (which is why you check them), but (please forgive my ignorance) why can't I trust the HTTPS connection to the Apple server? I mean, if a user hacked my application there is no real way to make sure of anything, but if the hack is a general-purpose one, maybe checking for fake receipts with Apple is enough?

To be clear, what is the security level of in-app verification done inside the application? Could it add some degree of protection, or is it to no avail?

+3
2 answers

This answer explains why you should use server-side validation to limit the impact of some "general purpose" crackers, such as the "IAP cracker"; in addition, tying the iTunes JSON request into your content delivery API is quite convenient, and the response is quick.

Of course, if your goal is to provide some content that is already in the application but locked, you may feel that setting up such a server is not very convenient, but I would ask you to do this experiment:

  • create an application with good content, where this content is already locked inside the application (so you do not need a content server)
  • add some analytics to track the use of this locked feature.
  • after a month, compare the number of purchases with the number of new users using the paid feature.
  • at this point it will be clear to you that adding a server script just for receipt validation is a good investment; in addition, there are some very cheap services (for example, Urban Airship) that already do this for you, so you do not need to set up hardware for it.
+3
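The answer above argues for doing the receipt check on a server that also decides what content to deliver. The following is an added example (not code from the original thread or from any of its posters) of what that server-side step looks like: it POSTs the base64 receipt to Apple's verifyReceipt endpoint, retries against the sandbox when Apple reports status 21007 (sandbox receipt sent to production), and then checks that the receipt belongs to this app's bundle and contains the product being unlocked. The bundle identifier, product identifier, the `canned_transport` stub and the sample receipt bytes are all constructed for illustration; the `receipt`/`in_app` field layout assumed here is Apple's unified receipt format, which older (pre-iOS 7) receipts do not use.

```python
import base64
import json
import urllib.request

# Apple's documented verifyReceipt endpoints (production and sandbox).
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Status 0: Apple accepted the receipt.
# Status 21007: a sandbox (test) receipt was sent to the production endpoint;
# Apple's guidance is to retry it against the sandbox endpoint.
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007

# Constructed placeholder: a real receipt is the base64 of the binary blob the
# app reads from its bundle, never a string like this one.
SAMPLE_RECEIPT_B64 = base64.b64encode(b"constructed placeholder receipt bytes").decode("ascii")


def post_json(url, payload, timeout=10):
    """Send the receipt JSON to Apple over HTTPS and return the parsed reply."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def canned_transport(*replies):
    """Constructed stand-in for post_json that returns canned replies in order.

    Exists only so the verification logic can be exercised offline; it performs
    no network I/O and must never be wired into a real deployment.
    """
    queue = list(replies)

    def transport(url, payload):
        return queue.pop(0)

    return transport


def verify_receipt(receipt_b64, expected_bundle_id, expected_product_id, transport=post_json):
    """Return True only if Apple confirms the receipt AND it is for our app and product.

    `transport(url, payload)` performs the HTTPS POST; it is a parameter so the
    decision logic can be tested without contacting Apple.
    """
    # Reject anything that is not well-formed base64 before talking to Apple.
    try:
        base64.b64decode(receipt_b64, validate=True)
    except (ValueError, TypeError):
        return False

    payload = {"receipt-data": receipt_b64}
    reply = transport(PRODUCTION_URL, payload)
    if reply.get("status") == STATUS_SANDBOX_RECEIPT:
        reply = transport(SANDBOX_URL, payload)
    if reply.get("status") != STATUS_OK:
        return False

    receipt = reply.get("receipt") or {}
    # A receipt that Apple accepts but that belongs to another app, or that does
    # not contain the product being unlocked, must not unlock anything.
    if receipt.get("bundle_id") != expected_bundle_id:
        return False
    purchased = {item.get("product_id") for item in receipt.get("in_app", [])}
    return expected_product_id in purchased


if __name__ == "__main__":
    # Offline demonstration with a constructed Apple reply.
    good_reply = {
        "status": STATUS_OK,
        "receipt": {"bundle_id": "com.example.app",
                    "in_app": [{"product_id": "com.example.app.pro"}]},
    }
    ok = verify_receipt(SAMPLE_RECEIPT_B64, "com.example.app", "com.example.app.pro",
                        transport=canned_transport(good_reply))
    print("unlock content:", ok)
```

The point of running this on the server is that the server, not the client, decides whether to hand over the content: a patched binary or a tool that intercepts the app's own HTTPS call to Apple cannot change that decision, whereas an in-app check can simply be skipped. Note that Apple has since deprecated verifyReceipt in favour of the App Store Server API, so new projects should use that; the shape of the check (Apple confirms, then you match bundle and product) is the same.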

I cracked the in-app cracker and found a way to block it on the client side: the receipts and transaction IDs it creates have a predictable pattern that is easy to detect. I detailed it here: client-side fake update receipts

hope this helps

0

Source: https://habr.com/ru/post/1402077/
