Jailbroken IAPs

Discussion in 'Public Game Developers Forum' started by Inner Hero, Jul 25, 2016.

  1. Inner Hero

    Inner Hero Well-Known Member

    Aug 24, 2015
    207
    19
    18
    I have been tracking IAP events in real-time with fabric.io in my most recent projects, and it has come to my attention that there has been a lot of purchases shown up through fabric that don't show up in iTunesConnect recently. These are for consumable IAP, so they are not a 'restore purchases' log that would show up for that reason.

    I was wondering if this is a jailbroken thing, or if that is even possible. Just thought I would ask, and if that is something anyone else has ever come across and if it is frequent.

    Thanks
     
  2. Nullzone

    Nullzone 👮 Spam Police 🚓

    Jul 12, 2013
    3,605
    41
    48
    Male
    As always, ask auntie Google ;) Why is everyone too lazy to do their own research first these days?
    Searching for "jailbroken iap" gives a lot of interesting results, autocomplete and alternative suggestions.
    So, even without reading the results, I conclude that it's possible to fake-purchase IAPs on a jailbroken device.
     
  3. Inner Hero

    Inner Hero Well-Known Member

    Aug 24, 2015
    207
    19
    18
    #3 Inner Hero, Jul 25, 2016
    Last edited: Jul 25, 2016
    Nullzone - I assure you I did my Google searches first, but I was a bit surprised by my findings and was wondering if any other developers have ran into this problem. Also, if there are any suggestions on how to stop this from happening in the future that would be greatly appreciated.

    Thanks.
     
  4. Nullzone

    Nullzone 👮 Spam Police 🚓

    Jul 12, 2013
    3,605
    41
    48
    Male
    #4 Nullzone, Jul 25, 2016
    Last edited: Jul 25, 2016
    No worries, was more of a general rant because a lot of people throw questions on here and don't mention any research they did on their own :p
    Specifically, I'd have worded the "is that a jailbreak thing / even possible?" part differently; it clearly reads as if you don't know that "yes, it is". Pointing to examples you found during your research, and briefly outlining your current level of knowledge on the subject also helps folks to give you more specific answers.

    As for solutions:
    I'm not a dev, not even a programmer, so I can't help on the technical side.
    As usual, it's an arms race between developers and crackers, and the devs almost never win.
    If you want to stop this, I'm pretty sure you have to dig rather deep into the IAP purchase mechanism AND into the currently available cracks.
    If it's a fundamental issue - cause of holes in Apple's implementation - you are outta luck anyways.
    Even as a non-programmer I can think of various ways to fake a purchase, but not any feasible mechanism to block - or even identify - them.
     
  5. Eli

    Eli ᕕ┌◕ᗜ◕┐ᕗ
    Staff Member

    Why are you responding to this thread then?
     
  6. Nullzone

    Nullzone 👮 Spam Police 🚓

    Jul 12, 2013
    3,605
    41
    48
    Male
    #6 Nullzone, Jul 25, 2016
    Last edited: Jul 25, 2016
    Heck, why not? Or did I miss the sign at the entrance saying "only developers after this point, trespassers will be trolled on sight?" :p
    Jokes aside, I found the topic interesting, and the question non-specific/non-technical enough to answer without reading up for hours first. Plus, it's new stuff to feed to the bottomless pit of my brain ;)
    Not that I have to justify myself, mind you.

    Update: thanks, Eli :p just started researching, there goes my evening...

    @Inner Hero: how far did you get with your research? Are you looking into specific solutions already, or still at the "general research" stage?
     
  7. Inner Hero

    Inner Hero Well-Known Member

    Aug 24, 2015
    207
    19
    18
    Nullzone - I kind of gave up (for now). I do receipt validation with the AppStore, so I am not sure how these bigger studios like Supercell are doing additional work with Clash of Clans etc. since it seems these are rather hack proof in terms of IAP.

    It is just the people that expect everything for free. They will always find a way like you said. Even when they get a chance to support some work they have been enjoying, some people need to go a step further and disrespect by hacking the system for more free stuff. Never mind the starving, debbted developers making less than minimum wage off these projects, I guess that is just our problem :confused:
     
  8. Eli

    Eli ᕕ┌◕ᗜ◕┐ᕗ
    Staff Member

    Just seems kind of shitty to come into a thread and tell someone to use Google when you have no idea/expertise yourself.
     
  9. Nullzone

    Nullzone 👮 Spam Police 🚓

    Jul 12, 2013
    3,605
    41
    48
    Male
    #9 Nullzone, Jul 25, 2016
    Last edited: Jul 25, 2016
    I didn't find any technical details (which doesn't surprise me; I'd keep those under lock and key, NDAs, and whathaveyou, too) on e.g. Supercell's or King's measures. Only general stuff like "constant contact with their own servers to verify purchases and app integrity, detect jailbreaks, etc." And they have the money and manpower to build their own serious infrastructure for that (I'd think on the complexity level - or at least pretty close - of e.g. PCI-compliant payment solutions).
    Even running one server to verify purchases is a lot of work for a single dev, I tip my hat to you if you are indeed doing that.

    I assume you have a bunch of jailbreak detectors in already? If not, add them. Most likely I am only stating the obvious and what you already know. But just in case: From what I found, none look difficult to implement. And there are complete APIs/modules out there to do it for you. I need to dig a bit deeper to find any good links, though (I like to verify any stuff I throw out is solid information).

    And in all honesty, if you are trying to make a living as a single dev these days, you are gambling on your future. And the house always wins.
     
  10. Nullzone

    Nullzone 👮 Spam Police 🚓

    Jul 12, 2013
    3,605
    41
    48
    Male
    Go read my second post, I made a misassumption due to lack of information. I guess you have the expertise, why don't you throw us a bone? ;)
     
  11. Inner Hero

    Inner Hero Well-Known Member

    Aug 24, 2015
    207
    19
    18
    Nullzone - definitely don't have some single server validating purchases especially with PCI-compliancy. I guess I will figure out some other solution. Thanks for bringing that up.

    As for your comment on 'the house always wins', I guess you may be right. I used to build enterprise apps for a business, and last year made the jump to work for myself. This dream is slowly hanging on its last thread, and it seems the odds are not in everyone's favor.
     
  12. Nullzone

    Nullzone 👮 Spam Police 🚓

    Jul 12, 2013
    3,605
    41
    48
    Male
    Oh sorry, seems I didn't phrase that clear enough. I used PCI-compliancy as an example for complexity, as it's something I am familiar with. Didn't mean it literally.
    But hhmm ... as a sidenote: Now that I think about it, with the amount of payments someone like Supercell processes, I am curious if they fall under PCI and similar regulations. If anyone knows, please share.

    So I take it that you use local receipt validation, and not "a trusted server to communicate with the Appstore" as described here https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Introduction.html ?

    Unfortunately things are not looking good for small devs these days. And yes, I too wish that were different. My personal opinion: Making games will turn into a hobby for some people, not intended to make money / a living. And why not? There are many hobbies out there that are a lot more expensive than creating games.
    Why not go that route if that works for you, as in "if your time allows"?
     
  13. Inner Hero

    Inner Hero Well-Known Member

    Aug 24, 2015
    207
    19
    18
    Nullzone - I guess these is still some better validation I can do based on your findings. Thanks.

    And yes, this whole thing started as a hobby for me. I took it more serious last year trying to start a business. This might slowly become a hobby again. It is just hard working full-time and then finding the motivation to work more after a day job. For this reason I wanted to be free to work on my own projects full-time. But it looks like dreams are dreams.
     

Share This Page