Question

We have an iPhone app that offers in-app-purchase (IAP) products. We perform IAP validation through our server, which contacts Apple's IAP receipt validation server.

We get many transactions using the exact same receipt. We suspect it is the receipt used by the Russian hacker who managed to bypass Apple's IAP validation server in July 2012. Apple's validation server approves the receipt, so we currently perform our own check and deny the purchase if the receipt is equal to this receipt.

Has anyone else experienced the same problem? Is our assumption true? Is there any other way to protect against transactions using this receipt, and maybe other similar receipts?

The suspicious receipt starts with the following characters (total 3045 characters): ewoJInNpZ25hdHVyZSIgPSAiQXBkeEpkdE53UFUyckE1L2NuM2tJTzFPVGsyNWZlREthMGFhZ3l5UnZlV2xjRmxnbHY2UkY2em5raUJTM3VtOVVjN3BWb2IrUHFaUjJUOHd5VnJITnBsb2YzRFgzSXFET2xXcSs5MGE3WWwrcXJSN0E3ald3dml3NzA4UFMrNjdQeUhSbmhPL0c3YlZxZ1JwRXI2RXVGeWJpVTFGWEFpWEpjNmxzMVlBc3NReEFBQURWekNDQTFNd2dnSTdvQU1DQVFJQ0NHVVVrVTNaV0FTMU1BMEdDU3FHU0liM0RRRUJCUVVBTUg4eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21s


Solution

It's possible that a person is unlocking the in-app purchase for his or her friends, or that there is a hacker, or anything. But if you've blocked the receipt, you should be fine unless another receipt pops up with the same problem. I'm currently having a similar problem with receipt verification. For some reason, receipts from Cut the Rope are being verified against my server, but as my server doesn't recognize the product identifier, it doesn't unlock anything.

There really is no way to prevent this from happening as the receipt the hacker used was valid. You can only monitor your database and block problematic receipts as they arise. The only way to automatically prevent this is to block a certain receipt if it is being used many times within a short period of time.


Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow