Announcement

Collapse
No announcement yet.

Receipt data in MicroTransactionBase and cracking In-App purchases

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Receipt data in MicroTransactionBase and cracking In-App purchases

    Hi guys,

    As far as I understand, MicroTransactionBase will not provide the receipt data received by the StoreKit, and this way will prevent me from implementing the server product model. Or am I wrong - is it possible to have the receipt data in unreal script in order to send it for validation to my game server?

    And generally has anyone checked if games developed with UDK are crackable with most popular InApp cracking software (like iAP Cracker and iAPFree for example)?

    In the iAPFree list of supported products I see "Infinity Blade 2" so I guess all games with UDK are vulnerable to that thing if they don't implement the server model...

    Thanks,
    Dimitar

    #2
    Originally posted by dimitar View Post
    Hi guys,

    As far as I understand, MicroTransactionBase will not provide the receipt data received by the StoreKit, and this way will prevent me from implementing the server product model. Or am I wrong - is it possible to have the receipt data in unreal script in order to send it for validation to my game server?

    And generally has anyone checked if games developed with UDK are crackable with most popular InApp cracking software (like iAP Cracker and iAPFree for example)?

    In the iAPFree list of supported products I see "Infinity Blade 2" so I guess all games with UDK are vulnerable to that thing if they don't implement the server model...

    Thanks,
    Dimitar
    I'd be surprised if this thread isn't deleted because its kind of a taboo subject...

    No game,app or software is safe from hacking ! You only have to read the newspapers and see that the Pentagon is hacked on a regular basis and they have the highest and most complex encryption methods known to man, but its still vulnerable to determined individuals........

    Comment


      #3
      In general, it would be nice to know if there are a few traps you should avoid that makes it easier for others to hack. For our own case, we want to release the game for free but restricting most of it until you upgrade it via microtransaction. However, if it's too easy for users to bypass it with hacks, it would be more safe to have a invidual lite and full version. The problem with the last solutions is to transfer the save file, which I believe isn't possible.

      Comment


        #4
        @Lexluthor1 Of course every software could be hacked... if someone is motivated enough to spend his time on that. My goal is to protect against "most popular" cracking software which (obviously) cheats the underlying StoreKit and this way can work with all applications that do not validate the transaction server-side. A quote from iAP Cracker page to support my statement:
        In-Compatible Apps
        All server side apps, the apps having a server side check for in-app purchases are not susceptible to this hack.
        If Epic let the developers implement the server model, crackers will be forced to implement per-game solutions that will only work until the next game update, and hopefully they'll be less motivated to spend their tame on cracking and concentrate their energy on something more positive
        Finally why do you think that talking about security in developers' forum is a taboo?

        Thanks to both of you for the replies

        Comment


          #5
          Originally posted by dimitar View Post
          @Lexluthor1 Of course every software could be hacked... if someone is motivated enough to spend his time on that. My goal is to protect against "most popular" cracking software which (obviously) cheats the underlying StoreKit and this way can work with all applications that do not validate the transaction server-side. A quote from iAP Cracker page to support my statement:

          If Epic let the developers implement the server model, crackers will be forced to implement per-game solutions that will only work until the next game update, and hopefully they'll be less motivated to spend their tame on cracking and concentrate their energy on something more positive
          Finally why do you think that talking about security in developers' forum is a taboo?

          Thanks to both of you for the replies

          Its a touchy subject that I'm sure they would rather discuss through pm...........Just my opinion of course

          In regard to these wasters,(crackers and hackers) I'm sure they'll never give it up, much the same as those scumbags who make viruses.............Some software that's been cracked is only worth a few dollars.....Totally pointless!

          Comment


            #6
            Normally I just store the saved microtransactions as an encrypted string in the configuration file. People with jail broken phones could potentially look at the data, but your average player isnt really going to do that. Otherwise, most of the time the microtransaction stuff is still done server side.

            Comment


              #7
              Hi Solid Snake,

              Originally posted by Solid Snake View Post
              Normally I just store the saved microtransactions as an encrypted string in the configuration file.
              I assume that with "microtransactions" you mean the purchased products (whether in-game currency or whatever). Indeed encrypting that data could protect you against the very lamest cheaters who open with text or hex editor the game save. BTW I didn't know that on iOS we can save in configuration files. I usually use BasicSaveObject/BasicLoadObject that work in bynary format.
              Anyway my question is about cracking the purchase procedure itself:
              1. The user initiates the purchase (clicks an item in the shop)
              2. The game calls a function in StoreKit in order to start the transaction ( addPayment: (SKPayment *) )
              3. StoreKit displays a confirmation message to the user
              4. The user accepts
              5. StoreKit sends a request to App Store
              6. App store charges the user and returns receipt data to StoreKit. Here somewhere the cracking software cheats the StoreKit and makes it think that everything has gone fine in App Store and the user is charged.
              7. StoreKit calls updatedTransactions of SKPaymentTransactionObserver with the transaction in state SKPaymentTransactionStatePurchased. This way the game understands that the transaction has gone fine and gives the product to the user. Optionally the game can send the transactionReceipt to its server. Having this receipt, the server can on its own check that the purchase has gone fine.
              My problem is that UDK hides somewhere the transactionReceipt I'm not UnrealEngine licensee so I can't fix that myself...
              Originally posted by Solid Snake View Post
              People with jail broken phones could potentially look at the data, but your average player isnt really going to do that.
              It is correct that people who are not willing to pay will anyway not pay . If my game was singleplayer, well, I wouldn't worry so much - let them play . Apparently for my case, we are trying to build a community via leaderboards and other social interactions. People who buy items will make better scores. I don't want cheaters in the top of my leaderboard.
              Originally posted by Solid Snake View Post
              Otherwise, most of the time the microtransaction stuff is still done server side.
              Does your server autonomously validate the transaction by verifying the store receipt? That's what I want to do.

              Thanks

              Comment

              Working...
              X