Protection from hacking "In app purchase" on Android/iOS
Hey. How to protect your application from hacking "in app purchase" on Android/iOS, which are used by programs such as "Freedom"?
Answer by MakeCodeNow · Feb 15, 2014 at 06:18 PM
If someone has rooted their device, your options are pretty limited, and the right solution depends on the kind of hacks you're trying to avoid. However, most solutions revolve around routing purchases through a server you control. Here are the Apple docs on that. You can actually set something like that up pretty easily w/ Google App Engine.
Answer by lilboylost · Aug 07, 2014 at 08:41 AM
1) You can set up a server for receipt verification.
2) Once you get a purchase response from the server, send another request to the Google server to get all purchased products for the user. This will cross-verify the purchase.
3) Don't allow your app to run on rooted devices.
4) The Freedom fake transaction id corresponds to Billing format 2. Upgrade to Google billing format 3 and easily validate the transaction id format.
Good luck. Let me know which solution worked for you.
As per my understanding, server can only protect you if you are not hosting content on device. If content is already on device, client can fake server response as well. Can you please help me in understanding your solution?
Answer by cgutierrez71 · Aug 11, 2015 at 06:53 PM
Hi lilboylost, could you tell me how to implement the point 3?
"Don't allow your app to run on rooted devices."
I've tested several on the net but they don't work.
Thanks a lot.
https://www.google.com/search?q=android+dev+check+rooted
I am not using a root check as I want my app to run on rooted devices. I am doing a server-side RSA validation of the transaction receipt, which is sufficient. In order to fake the server response, a hacker needs to create a cheat code app specific to your application.
Ok but, do you know how to implement the point 3 in Unity?
Thanks,
You can only do it in Android native code (Java), and need to expose it to Unity via a plugin or reflection.
Thanks lilboylost, your answer has been very useful for me.
I'm searching on the asset store and there is a plugin that I think works for this. It is called "A$$anonymous$$97 Soft Android Root Checker". I'm going to try it.
See my answer on http://answers.unity3d.com/questions/1012407/detecting-rootedjail-broken-devices.html for free root and jailbreak detection.
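The server-side RSA receipt validation recommended in the answers above, as an added example (not code from any poster in this thread): a Node.js check of a Google Play Billing v3 purchase, assuming the client forwards the purchase JSON and its Base64 signature unchanged. The function names, package and product ids and the in-memory token set are hypothetical, and a throwaway key pair stands in for the app's Play public key.

```javascript
const crypto = require('crypto');

// Verify one Play Billing v3 purchase on the server.
// signedData: the purchase JSON string exactly as the client received it
// signatureB64: its Base64 signature; base64Key: the app's Base64 public key
// expected: { packageName, productIds }; seenTokens: tokens already credited
function verifyPurchase(signedData, signatureB64, base64Key, expected, seenTokens) {
  // 1. Check the RSA signature (SHA1withRSA) over the raw bytes before parsing.
  let valid = false;
  try {
    const key = crypto.createPublicKey({
      key: Buffer.from(base64Key, 'base64'), format: 'der', type: 'spki' });
    valid = crypto.verify('RSA-SHA1', Buffer.from(signedData, 'utf8'), key,
      Buffer.from(signatureB64, 'base64'));
  } catch (e) {
    valid = false; // a malformed key or signature counts as a failed check
  }
  if (!valid) return { ok: false, reason: 'bad-signature' };

  // 2. Only now trust the fields, and bind them to this app and its catalogue.
  const p = JSON.parse(signedData);
  if (p.packageName !== expected.packageName) return { ok: false, reason: 'wrong-package' };
  if (!expected.productIds.includes(p.productId)) return { ok: false, reason: 'unknown-product' };
  if (p.purchaseState !== 0) return { ok: false, reason: 'not-purchased' }; // 0 = purchased

  // 3. Credit each purchase token once (a database table in production).
  if (!p.purchaseToken || seenTokens.has(p.purchaseToken)) return { ok: false, reason: 'replayed-token' };
  seenTokens.add(p.purchaseToken);
  return { ok: true, productId: p.productId, orderId: p.orderId };
}

// Constructed demo data: a throwaway key pair stands in for the Play signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const playKey = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const receipt = JSON.stringify({ orderId: 'ORDER-EXAMPLE-1', packageName: 'com.example.game',
    productId: 'coins_100', purchaseTime: 1400000000000, purchaseState: 0,
    purchaseToken: 'token-example-1' });
  const sig = crypto.sign('RSA-SHA1', Buffer.from(receipt, 'utf8'), privateKey).toString('base64');
  const expected = { packageName: 'com.example.game', productIds: ['coins_100'] };
  const seen = new Set();
  return {
    genuine: verifyPurchase(receipt, sig, playKey, expected, seen),
    replay: verifyPurchase(receipt, sig, playKey, expected, seen),
    tampered: verifyPurchase(receipt.replace('coins_100', 'coins_999'), sig, playKey, expected, new Set()),
    unsigned: verifyPurchase(receipt, Buffer.from('no signature').toString('base64'), playKey, expected, new Set()),
  };
}

console.log(demo());
```

The entitlement is granted by the server only after `verifyPurchase` returns `ok: true`; a client-side flag set from the response alone can still be patched on a rooted device, which is the limitation raised in the comments above.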