iAP cracker cracks easy dlc/inapp purchases.as long as the game/app doesnt check the purchase with a server. it uses mobilesubstrate for this: buy something inapp like normal and youll get it free!
How are you supposed to validate the purchase with your own server?
I think it means that it only works if your app doesn't retrieve the receipt from Apple server and doesn't verify its validity before accepting the purchase.
You make purchase
Your app sends impulse to apple about purchase
Apple sends impulse back about payment
Your app sends impulse to your server about payment
Your server validates payment
Your server sends impulse to your app about validity
Your app gives content free
In standard case:
Apple sends impulse back about payment
Your app gives content free
Crack:
Apple never receives impulse about purchase
Your app gives content free
__________________
Last edited by Promo Dispenser; 11-03-2011 at 02:23 AM.
You make purchase
Your app sends impulse to apple about purchase
Apple sends impulse back about payment
Your app sends impulse to your server about payment
Your server validates payment
Your server sends impulse to your app about validity
Your app gives content free
In standard case:
Apple sends impulse back about payment
Your app gives content free
Crack:
Apple never receives impulse about purchase
Your app gives content free
I'm not sure that's correct, the crack would work the same way even if you have your server, once the message back form store is compromised then you can write whatever you wrote on your server that you will still get cracked.
The correct procedure would be to cross-check the receipt of the payment (that cannot be generated easily) and relying on another test against the receipt on your server. (Or it must also crack another place in the code where you check the receipt is correct and not compromised.)
This way the cracker must also crack your server or you obfuscated code check, a general crack won't work.
So the key is to check the receipt on your own server with some custom REST possibly encrypted, not just to have your own server.
You make In App Purchase
Your app sends impulse to Apple about purchase
Apple sends receipt back (this part must be faked by the crack in order to make it work)
At this stage your app has to contact Apple to verify the receipt.
Edit
ok, I think I understand what you mean by introducing server side validation. You're assuming that Apple receipt validation is compromised by the crack as well, so you're sending the receipt to your server and that server validates it for you?
ok, I think I understand what you mean by introducing server side validation. You're assuming that Apple receipt validation is compromised by the crack as well, so you're sending the receipt to your server and that server validates it for you?
Basically you need some custom data in there to verify on your server that the transaction is legit. This way you can make sure that the cracker must also crack your server code or every single IAP, not just returning 0 from a fake apple store query (that's how apple validates your receipt, if it returns 0 it's ok).
Basically you need some custom data in there to verify on your server that the transaction is legit. This way you can make sure that the cracker must also crack your server code or every single IAP, not just returning 0 from a fake apple store query (that's how apple validates your receipt, if it returns 0 it's ok).
Would this work: try to use their system to crack an app of yours. Then see what the reciept is or how it got by the system. Kinda like an undercover thing.
If all this cracking is killing the profits, maybe some of us should start cracking apps just to see how it's down and how to counter it.
Is the IAP checked once or is it checked each time the app runs? If it confirms each time the app is run, then maybe contact Apple and have them change something on their side to fix this.
If it's checked once, maybe have it expire after X days...
On a side thought, one thing that might throw these guys for a loop would be to have an app that randomly chooses a method of validation. Then after X days, have it recheck using the same random choice process.
IAP cracked
Linear Mode
