I have been tracking IAP events in real-time with fabric.io in my most recent projects, and it has come to my attention that there have been a lot of purchases showing up through Fabric that don't show up in iTunes Connect recently. These are for consumable IAP, so they are not a 'restore purchases' log that would show up for that reason. I was wondering if this is a jailbroken thing, or if that is even possible. Just thought I would ask, and if that is something anyone else has ever come across and if it is frequent. Thanks.
As always, ask auntie Google. Why is everyone too lazy to do their own research first these days? Searching for "jailbroken iap" gives a lot of interesting results, autocomplete and alternative suggestions. So, even without reading the results, I conclude that it's possible to fake-purchase IAPs on a jailbroken device.
Nullzone - I assure you I did my Google searches first, but I was a bit surprised by my findings and was wondering if any other developers have run into this problem. Also, if there are any suggestions on how to stop this from happening in the future, that would be greatly appreciated. Thanks.
No worries, was more of a general rant because a lot of people throw questions on here and don't mention any research they did on their own. Specifically, I'd have worded the "is that a jailbreak thing / even possible?" part differently; it clearly reads as if you don't know that "yes, it is". Pointing to examples you found during your research, and briefly outlining your current level of knowledge on the subject also helps folks to give you more specific answers. As for solutions: I'm not a dev, not even a programmer, so I can't help on the technical side. As usual, it's an arms race between developers and crackers, and the devs almost never win. If you want to stop this, I'm pretty sure you have to dig rather deep into the IAP purchase mechanism AND into the currently available cracks. If it's a fundamental issue - cause of holes in Apple's implementation - you are outta luck anyways. Even as a non-programmer I can think of various ways to fake a purchase, but not any feasible mechanism to block - or even identify - them.
Heck, why not? Or did I miss the sign at the entrance saying "only developers after this point, trespassers will be trolled on sight"? Jokes aside, I found the topic interesting, and the question non-specific/non-technical enough to answer without reading up for hours first. Plus, it's new stuff to feed to the bottomless pit of my brain. Not that I have to justify myself, mind you. Update: thanks, Eli just started researching, there goes my evening... @Inner Hero: how far did you get with your research? Are you looking into specific solutions already, or still at the "general research" stage?
Nullzone - I kind of gave up (for now). I do receipt validation with the App Store, so I am not sure how these bigger studios like Supercell are doing additional work with Clash of Clans etc. since it seems these are rather hack proof in terms of IAP. It is just the people that expect everything for free. They will always find a way like you said. Even when they get a chance to support some work they have been enjoying, some people need to go a step further and disrespect by hacking the system for more free stuff. Never mind the starving, indebted developers making less than minimum wage off these projects, I guess that is just our problem.
Just seems kind of shitty to come into a thread and tell someone to use Google when you have no idea/expertise yourself.
I didn't find any technical details (which doesn't surprise me; I'd keep those under lock and key, NDAs, and whathaveyou, too) on e.g. Supercell's or King's measures. Only general stuff like "constant contact with their own servers to verify purchases and app integrity, detect jailbreaks, etc." And they have the money and manpower to build their own serious infrastructure for that (I'd think on the complexity level - or at least pretty close - of e.g. PCI-compliant payment solutions). Even running one server to verify purchases is a lot of work for a single dev, I tip my hat to you if you are indeed doing that. I assume you have a bunch of jailbreak detectors in already? If not, add them. Most likely I am only stating the obvious and what you already know. But just in case: From what I found, none look difficult to implement. And there are complete APIs/modules out there to do it for you. I need to dig a bit deeper to find any good links, though (I like to verify any stuff I throw out is solid information). And in all honesty, if you are trying to make a living as a single dev these days, you are gambling on your future. And the house always wins.
Go read my second post, I made a misassumption due to lack of information. I guess you have the expertise, why don't you throw us a bone?
Nullzone - definitely don't have some single server validating purchases especially with PCI-compliancy. I guess I will figure out some other solution. Thanks for bringing that up. As for your comment on 'the house always wins', I guess you may be right. I used to build enterprise apps for a business, and last year made the jump to work for myself. This dream is slowly hanging on its last thread, and it seems the odds are not in everyone's favor.
Oh sorry, seems I didn't phrase that clearly enough. I used PCI-compliancy as an example for complexity, as it's something I am familiar with. Didn't mean it literally. But hhmm ... as a sidenote: Now that I think about it, with the amount of payments someone like Supercell processes, I am curious if they fall under PCI and similar regulations. If anyone knows, please share. So I take it that you use local receipt validation, and not "a trusted server to communicate with the Appstore" as described here https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Introduction.html ? Unfortunately things are not looking good for small devs these days. And yes, I too wish that were different. My personal opinion: Making games will turn into a hobby for some people, not intended to make money / a living. And why not? There are many hobbies out there that are a lot more expensive than creating games. Why not go that route if that works for you, as in "if your time allows"?
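The "trusted server" approach from the Apple document linked above, as an added example that is not part of the original thread: the app uploads its receipt, the developer's server forwards it to Apple's verifyReceipt endpoint, and this function decides from Apple's JSON reply which consumable transactions may be credited. The bundle id, product id and function name are placeholder assumptions, and the sample replies are constructed.

```python
# Added example: server-side decision on a verifyReceipt reply.
EXPECTED_BUNDLE_ID = "com.example.mygame"        # assumption: placeholder bundle id
CONSUMABLES = {"com.example.mygame.gems100"}     # assumption: placeholder product ids

def grantable_transactions(verify_response, seen_transaction_ids):
    """Return (transaction_id, product_id) pairs that are safe to credit.

    verify_response: parsed JSON returned by Apple for the uploaded receipt.
    seen_transaction_ids: ids already credited (a database table in practice).
    """
    # Any non-zero status means Apple did not accept the receipt.
    if verify_response.get("status") != 0:
        return []
    receipt = verify_response.get("receipt", {})
    # A valid receipt issued for a different app must not unlock ours.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return []
    granted = []
    for item in receipt.get("in_app", []):
        tid, pid = item.get("transaction_id"), item.get("product_id")
        if not tid or pid not in CONSUMABLES:
            continue
        # Consumables are credited once; a resubmitted receipt is a replay.
        if tid in seen_transaction_ids:
            continue
        seen_transaction_ids.add(tid)
        granted.append((tid, pid))
    return granted

# Constructed sample replies (not real receipts).
GENUINE = {"status": 0, "receipt": {
    "bundle_id": "com.example.mygame",
    "in_app": [{"product_id": "com.example.mygame.gems100",
                "transaction_id": "1000000000000001"}]}}
MALFORMED = {"status": 21002}                    # receipt data malformed or missing
OTHER_APP = {"status": 0, "receipt": {
    "bundle_id": "com.example.otherapp",
    "in_app": [{"product_id": "com.example.mygame.gems100",
                "transaction_id": "1000000000000002"}]}}

if __name__ == "__main__":
    seen = set()
    for name, reply in [("genuine", GENUINE), ("replay", GENUINE),
                        ("malformed", MALFORMED), ("other app", OTHER_APP)]:
        print(name, grantable_transactions(reply, seen))
```

Recording the analytics purchase event only for transactions this function returns keeps the dashboard count in line with what the store actually charged.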
Nullzone - I guess there is still some better validation I can do based on your findings. Thanks. And yes, this whole thing started as a hobby for me. I took it more seriously last year trying to start a business. This might slowly become a hobby again. It is just hard working full-time and then finding the motivation to work more after a day job. For this reason I wanted to be free to work on my own projects full-time. But it looks like dreams are dreams.