
Jailbroken IAPs

07-25-2016, 02:01 AM
#1
Jailbroken IAPs

I have been tracking IAP events in real-time with fabric.io in my most recent projects, and it has come to my attention that there have been a lot of purchases showing up through fabric that don't show up in iTunesConnect recently. These are for consumable IAP, so they are not a 'restore purchases' log that would show up for that reason.

I was wondering if this is a jailbroken thing, or if that is even possible. Just thought I would ask, and if that is something anyone else has ever come across and if it is frequent.

Thanks
07-25-2016, 02:11 AM
#2
Joined: Jul 2013
Location: Europe, CET
Posts: 2,441
As always, ask auntie Google. Why is everyone too lazy to do their own research first these days?
Searching for "jailbroken iap" gives a lot of interesting results, autocomplete and alternative suggestions.
So, even without reading the results, I conclude that it's possible to fake-purchase IAPs on a jailbroken device.

07-25-2016, 02:17 AM
#3
Nullzone - I assure you I did my Google searches first, but I was a bit surprised by my findings and was wondering if any other developers have run into this problem. Also, if there are any suggestions on how to stop this from happening in the future, that would be greatly appreciated.

Thanks.

Last edited by Inner Hero; 07-25-2016 at 02:25 AM.
07-25-2016, 02:38 AM
#4
Joined: Jul 2013
Location: Europe, CET
Posts: 2,441
No worries, was more of a general rant because a lot of people throw questions on here and don't mention any research they did on their own.
Specifically, I'd have worded the "is that a jailbreak thing / even possible?" part differently; it clearly reads as if you don't know that "yes, it is". Pointing to examples you found during your research, and briefly outlining your current level of knowledge on the subject also helps folks to give you more specific answers.

As for solutions:
I'm not a dev, not even a programmer, so I can't help on the technical side.
As usual, it's an arms race between developers and crackers, and the devs almost never win.
If you want to stop this, I'm pretty sure you have to dig rather deep into the IAP purchase mechanism AND into the currently available cracks.
If it's a fundamental issue - because of holes in Apple's implementation - you are outta luck anyways.
Even as a non-programmer I can think of various ways to fake a purchase, but not any feasible mechanism to block - or even identify - them.

Last edited by Nullzone; 07-25-2016 at 02:44 AM.
07-25-2016, 12:29 PM
#5
Joined: Feb 1983
Location: Barcelona
Posts: 1,268,691
Quote:
Originally Posted by Nullzone
I'm not a dev, not even a programmer, so I can't help on the technical side.
Why are you responding to this thread then?
07-25-2016, 02:08 PM
#6
Joined: Jul 2013
Location: Europe, CET
Posts: 2,441
Quote:
Originally Posted by Eli
Why are you responding to this thread then?
Heck, why not? Or did I miss the sign at the entrance saying "only developers after this point, trespassers will be trolled on sight?"
Jokes aside, I found the topic interesting, and the question non-specific/non-technical enough to answer without reading up for hours first. Plus, it's new stuff to feed to the bottomless pit of my brain.
Not that I have to justify myself, mind you.

Update: thanks, Eli just started researching, there goes my evening...

@Inner Hero: how far did you get with your research? Are you looking into specific solutions already, or still at the "general research" stage?

Last edited by Nullzone; 07-25-2016 at 02:27 PM.
07-25-2016, 03:53 PM
#7
Nullzone - I kind of gave up (for now). I do receipt validation with the AppStore, so I am not sure how these bigger studios like Supercell are doing additional work with Clash of Clans etc. since it seems these are rather hack proof in terms of IAP.

It is just the people that expect everything for free. They will always find a way, like you said. Even when they get a chance to support some work they have been enjoying, some people need to go a step further and disrespect it by hacking the system for more free stuff. Never mind the starving, indebted developers making less than minimum wage off these projects; I guess that is just our problem.
07-25-2016, 05:09 PM
#8
Joined: Feb 1983
Location: Barcelona
Posts: 1,268,691
Quote:
Originally Posted by Nullzone
Heck, why not? Or did I miss the sign at the entrance saying "only developers after this point, trespassers will be trolled on sight?"
Jokes aside, I found the topic interesting, and the question non-specific/non-technical enough to answer without reading up for hours first. Plus, it's new stuff to feed to the bottomless pit of my brain.
Not that I have to justify myself, mind you.

Update: thanks, Eli just started researching, there goes my evening...

@Inner Hero: how far did you get with your research? Are you looking into specific solutions already, or still at the "general research" stage?
Just seems kind of shitty to come into a thread and tell someone to use Google when you have no idea/expertise yourself.
07-25-2016, 05:20 PM
#9
Joined: Jul 2013
Location: Europe, CET
Posts: 2,441
I didn't find any technical details (which doesn't surprise me; I'd keep those under lock and key, NDAs, and what have you, too) on e.g. Supercell's or King's measures. Only general stuff like "constant contact with their own servers to verify purchases and app integrity, detect jailbreaks, etc." And they have the money and manpower to build their own serious infrastructure for that (I'd think on the complexity level - or at least pretty close - of e.g. PCI-compliant payment solutions).
Even running one server to verify purchases is a lot of work for a single dev, I tip my hat to you if you are indeed doing that.

I assume you have a bunch of jailbreak detectors in already? If not, add them. Most likely I am only stating the obvious and what you already know. But just in case: From what I found, none look difficult to implement. And there are complete APIs/modules out there to do it for you. I need to dig a bit deeper to find any good links, though (I like to verify any stuff I throw out is solid information).

And in all honesty, if you are trying to make a living as a single dev these days, you are gambling on your future. And the house always wins.

Last edited by Nullzone; 07-25-2016 at 05:34 PM.
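Both posts #7 ("I do receipt validation with the AppStore") and #9 ("constant contact with their own servers to verify purchases") point at the same defensive pattern: the app never decides on its own that a consumable was bought; it hands the receipt to a server the developer controls, that server asks Apple's verifyReceipt endpoint whether the receipt is genuine, and then applies its own checks (right app, right product, transaction not already credited) before granting anything. The Python below is an added illustration written for this thread, not code from any poster, Supercell or King. The endpoint URLs and status codes 0, 21002 and 21007 are Apple's real ones as documented at the time; the `ConsumableLedger` class, the `send` injection parameter, the `constructed_apple` stand-in, and every receipt string, bundle id, product id and transaction id are made up so the example runs offline.

```python
import json
import urllib.request

# Apple's receipt verification endpoints (real URLs, as used at the time of the thread).
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007  # a sandbox receipt was sent to the production endpoint


def apple_send(url, payload):
    """Default transport: POST the JSON body to Apple and decode the JSON reply."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def ask_apple(receipt_b64, shared_secret, send=apple_send, allow_sandbox=False):
    """Ask Apple whether the receipt is genuine; fall back to sandbox only when allowed."""
    payload = {"receipt-data": receipt_b64, "password": shared_secret}
    reply = send(PRODUCTION_URL, payload)
    if reply.get("status") == STATUS_SANDBOX_RECEIPT and allow_sandbox:
        reply = send(SANDBOX_URL, payload)
    return reply


class ConsumableLedger:
    """Server-side gate in front of a consumable grant (hypothetical class name)."""

    def __init__(self, bundle_id, product_ids, shared_secret, send=apple_send):
        self.bundle_id = bundle_id
        self.product_ids = set(product_ids)
        self.shared_secret = shared_secret
        self.send = send
        self.consumed = set()  # transaction_ids already credited; a DB table in practice

    def grant(self, receipt_b64, product_id, transaction_id):
        """Return (granted, reason). Nothing is credited unless every check passes."""
        if product_id not in self.product_ids:
            return False, "unknown_product"
        reply = ask_apple(receipt_b64, self.shared_secret, self.send)
        if reply.get("status") != STATUS_OK:
            return False, "apple_status_%s" % reply.get("status")
        receipt = reply.get("receipt", {})
        # The receipt must belong to this app, not to another app by the same seller.
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "bundle_id_mismatch"
        for item in receipt.get("in_app", []):
            if item.get("transaction_id") != transaction_id:
                continue
            if item.get("product_id") != product_id:
                return False, "product_mismatch"
            if transaction_id in self.consumed:
                return False, "already_consumed"  # same receipt presented for a second grant
            self.consumed.add(transaction_id)
            return True, "granted"
        return False, "transaction_not_in_receipt"


# Constructed stand-in for Apple's endpoint so the example runs offline. The receipt
# strings and ids are invented; real receipts are base64-encoded PKCS#7 blobs.
def constructed_apple(url, payload):
    data = payload["receipt-data"]
    if data == "RECEIPT_GOOD":
        return {"status": STATUS_OK, "receipt": {"bundle_id": "com.example.game", "in_app": [
            {"product_id": "com.example.game.coins100", "transaction_id": "1000000000000001"}]}}
    if data == "RECEIPT_OTHER_APP":
        return {"status": STATUS_OK, "receipt": {"bundle_id": "com.example.otherapp", "in_app": [
            {"product_id": "com.example.game.coins100", "transaction_id": "1000000000000002"}]}}
    return {"status": 21002}  # Apple: receipt data malformed / not issued by Apple


def demo():
    """Run the ledger through a genuine grant and four cases the server must refuse."""
    ledger = ConsumableLedger("com.example.game", ["com.example.game.coins100"],
                              "SHARED_SECRET_PLACEHOLDER", send=constructed_apple)
    return {
        "first": ledger.grant("RECEIPT_GOOD", "com.example.game.coins100", "1000000000000001"),
        "replay": ledger.grant("RECEIPT_GOOD", "com.example.game.coins100", "1000000000000001"),
        "other_app": ledger.grant("RECEIPT_OTHER_APP", "com.example.game.coins100", "1000000000000002"),
        "forged": ledger.grant("NOT_A_REAL_RECEIPT", "com.example.game.coins100", "1000000000000003"),
        "wrong_product": ledger.grant("RECEIPT_GOOD", "com.example.game.coins500", "1000000000000001"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the `consumed` set is the part that client-side checks cannot provide: a genuine receipt is genuine forever, so a server that only asks Apple "is this real?" will credit the same purchase every time the same receipt is resent, which is exactly the kind of phantom consumable that shows up in the app's own analytics but never in iTunesConnect. Persisting the transaction ids (and comparing your ledger against iTunesConnect reports) is what turns the mismatch the thread starter noticed into something you can detect and refuse rather than just observe.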
07-25-2016, 05:32 PM
#10
Joined: Jul 2013
Location: Europe, CET
Posts: 2,441
Quote:
Originally Posted by Eli
Just seems kind of shitty to come into a thread and tell someone to use Google when you have no idea/expertise yourself.
Go read my second post, I made a misassumption due to lack of information. I guess you have the expertise, why don't you throw us a bone?