

It's not worth securing in-app purchases

A few years ago, while working on an iOS app, we had a problem with in-app piracy. At that time there were, and there still are, several ways of keeping track of users' purchases on your own server and validating each of them to stop pirates from using your app's unlockable features with their faked, unauthorized purchases.


But I remember it was a hassle to build such a validating system. And I also remember reading about even bigger companies discontinuing their own billing systems like that because it was not worth the hassle of dealing with and supporting 95% fair users and their purchases because of 5% scammers.

In order to hack in-apps, your iPhone has to be jailbroken. Then you can use a manual like this to get an in-app for free. The latest info I found on the number of jailbroken iPhones was from the end of 2016, with only 0.4% of iOS devices being jailbroken, which might have the potential to hack anything. From what I've read and heard over the years, that percentage may be even lower now as fewer and fewer people jailbreak, because the main reason for it (I can confirm myself) was to get new functionality. And with the latest few iOS updates we got so much new stuff that there are almost no reasons left to jailbreak, at least not for the new features.

iOS devs can still pass receipts and validate them on servers, but what would be the main reason for it? Receipts are passed and then matched for non-consumable purchases: the user unlocks a part of the functionality once, and when the user restores it, his receipt is matched with the receipt stored on the server to avoid unauthorized functionality unlocks. So if someone can fake unlocking non-consumables, you can either build a wall around it... or just give it away. If a person tries to hack your purchase, he's definitely not going to buy it, so just embrace it! Replace a mandatory in-app with a free-with-ads model, or offer even more compelling features in your app and introduce non-hackable subscriptions!

If you sell consumables, even better: there's even less reason to secure them. A person who buys a consumable uses it right away, essentially not leaving much for himself anyway.

As for Android, that's another story. On Android I found at least one, two and three articles on ways to hack in-apps even without root (the analog of jailbreaking).