Android IAP possible users hacking purchases somehow?
Greetings,
We recently set up a MySQL database to have our game log stuff, such as when the user makes a purchase: user id, purchased item name, and price along with a timestamp.
We tested it with our test google accounts and it seemed to work fine, every purchase yields a single log entry on the database.
We released a new update yesterday, and the logs are very suspicious... The same player id makes almost 10 purchases within a 10-second timeframe.
We're using Stans Assets: AndroidNative and IOSNative plugins to handle IAP.
Any idea what's going on? How could that possibly happen? Is there any way Android users could hack a purchase so they could make multiple ones with the same price or something?
Can you think of something useful we could log to narrow down the issue?
Any thoughts on how to approach this are appreciated. Thanks.
Have you tested to see if the log is created for failed purchase attempts? What I mean is, the player goes through the motion of making the purchase, but doesn't have enough funds to cover it.
@Magius96 We only log when the purchase is made successfully (not restored nor failed)
Answer by Bunny83 · Mar 04, 2016 at 03:32 AM
Well, I once worked in a company and I've implemented the payment system for Android and iOS for our Unity games (only client side). We had a dedicated payment server where we actually verified the purchases. As far as I remember for iOS, Apple does provide an API so the payment server can simply forward the receipt and signature we get from the user device to Apple to have it verified.
For Android we could do the verification ourselves on the payment server. When you create a Google developer account you should have a public / private key pair. The receipt the user device receives is signed with your private key by Google. So all you need to do on the payment server is use an RSA module (OpenSSL has one that can be used in PHP as far as I remember) to check the signature.
We had a lot of trouble on our payment server because the backend API was horribly set up and parts of the base64 encoded signature got messed up (mostly the equal signs).
I don't have this project at hand so this information is purely based on what I could remember. That project was about two years ago. Maybe something has changed in the way Google handles IAP. Can't remember exactly which IAP plugin we used, but we tried several. I think in the end we used Prime31 as it had support for both iOS and Android.
The payment servers actually created a payment ID which was passed to the user device. This ID was passed as custom data to Google / Apple so it was included in the receipt so we could easily match a payment with the user.
So as long as you do the verification on your server and the "stuff" the user buys is actually unlocked on your server and not just on the device, you should be pretty safe.
Thanks for the answer Bunny. Could you elaborate more on the server part? I'm no expert. So do you have some sort of PHP scripts running that communicates with Google/Apple servers to verify the purchase/check the signature?
Yes, at least for iOS. Google didn't have such an API; however, the signature check can be done inside the PHP script. As I said, I haven't actually seen the server code. The company's main field was browser games and the payment servers are used for all games they had.
I actually get all the product information from the payment server. I also initiated a purchase on our payment server which generated a custom transaction ID which I passed to the IAP interface. So the whole purchase was tracked by our server.
I've heard about people checking the signature on the user device; however, that requires you to store your public key on the device. Of course the public key is meant to be shared, but it's just safer to not publish it if possible.
I'm currently on mobile so I can't write too much ^^
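The server-side check described in the answer and its follow-up comment, as an added example that is not part of the original thread or any poster's code: PHP's OpenSSL extension verifies the receipt signature (tolerating the base64 damage mentioned in the answer), then the server-issued payment ID carried in the receipt is consumed once, so a replayed receipt is refused. The function names, the use of the `developerPayload` field for the payment ID, the in-memory `$pending` table and all sample values are assumptions; the key pair is generated on the spot for the demo.

```php
<?php
// Added example. Key pair, JSON and IDs below are constructed for illustration.

// Repair transport damage to a base64 signature: '+' decoded to a space and
// stripped '=' padding (the failure mode mentioned in the answer).
function normalize_b64(string $b64): string {
    $b64 = strtr(str_replace(["\r", "\n"], '', $b64), ' ', '+');
    return $b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4);
}

// $publicKeyB64: the app's public key as base64 DER, as shown in the Play Console.
function verify_purchase(string $signedData, string $sigB64, string $publicKeyB64): bool {
    $pem = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($publicKeyB64, 64, "\n")
         . "-----END PUBLIC KEY-----\n";
    $key = openssl_pkey_get_public($pem);
    $sig = base64_decode(normalize_b64($sigB64), true);
    if ($key === false || $sig === false) {
        return false;
    }
    // Google Play signs the purchase JSON with SHA1withRSA. Verify the exact bytes
    // received; decoding and re-encoding the JSON first would change them.
    return openssl_verify($signedData, $sig, $key, OPENSSL_ALGO_SHA1) === 1;
}

// $pending maps server-issued payment IDs to user IDs (stand-in for a DB table).
function accept_purchase(string $data, string $sig, string $pub, string $user, array &$pending): string {
    if (!verify_purchase($data, $sig, $pub)) {
        return 'rejected: bad signature';
    }
    $p = json_decode($data, true);
    $payId = is_array($p) ? ($p['developerPayload'] ?? '') : '';
    if (!is_string($payId) || ($pending[$payId] ?? null) !== $user) {
        return 'rejected: unknown or already used payment ID';
    }
    unset($pending[$payId]);              // one receipt unlocks one purchase
    return 'granted: ' . ($p['productId'] ?? '?');
}

// Demo: a throwaway key pair stands in for the key the store signs with.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub  = preg_replace('/-----[^-]+-----|\s/', '', openssl_pkey_get_details($priv)['key']);
$data = '{"orderId":"TEST-ORDER-1","productId":"gems_100","developerPayload":"pay-42"}';
openssl_sign($data, $raw, $priv, OPENSSL_ALGO_SHA1);
$sig  = rtrim(strtr(base64_encode($raw), '+', ' '), '=');   // mangled in transit
$pending = ['pay-42' => 'user-7'];

echo accept_purchase($data, $sig, $pub, 'user-7', $pending), "\n";   // first delivery
echo accept_purchase($data, $sig, $pub, 'user-7', $pending), "\n";   // same receipt replayed
echo accept_purchase(str_replace('gems_100', 'gems_9999', $data), $sig, $pub, 'user-7', $pending), "\n";
```

Logging the outcome string together with the receipt's `orderId` for every attempt, not only the granted ones, gives the purchase log enough detail to tell repeated deliveries of one receipt apart from distinct orders.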