Topic 2 Posts

server

It's not worth securing in-app purchases

inapps, validation, server |

Few years ago, while working on one iOS app we had a problem with in-app piracy. At that time there were and now there are several ways of keeping track of users' purchases on your own server and validate each of them to stop pirates of using your app's unlockable features with their faked unauthorized purchases.

In-apps

But I remember it was a hassle to build such a validating system. And I also remember reading about even bigger companies discontining their own billing systems like that because it was not worth the hassle for dealing and supporting 95% fair users and their purchases because of 5% scammers.

In order to hack in-apps, your iPhone has to be jailbroken. Then you can use a manual like this to get an in-app for free. The latest info on the amount of jailbroken iPhones I found was from the end of 2016 with only 0.4% of iOS devices being jailbroken which might have the potential to hack anything. From what I’ve read and heard over the years that percentage may be even lower now as less and less people jailbreak, because the main reason for it (I can confirm myself) was to get new functionality. And with the latest few iOS updates we got so much new stuff, there are almost no reasons left to jailbreak, at least not for the new features.

iOS devs still can pass receipts and validate them on servers, but what would be the main reason for it? Receipts are passed and then matched for non-consumable purchases: the user unlocked a part of the functionality once and then when the user restores it, his receipt is matched with the receipt stored on the server to avoid unauthorized functionality unlocks. So if someone can fake unlocking non-consumables you either can build a wall around it... or just give it away. If a person tries to hack your purchase - he's definitely not going to buy it, so just embrace it! Replace a mandatory in-app with free with ads model, or offer even more compelling features in your app and introduce non-hackable subscriptions!

If you sell consumables - even better, there's even less reason to secure them. A person who buys a consumable uses it right away, essentially not leaving much to himself anyway.

As for Android - that’s another story. On Android I found at least one, two and three articles on ways how to hack in apps even without root (analog of jailbreaking).

Setting up Fastlane on a remote server

fastlane, remote, server, issues |

In the previous article I went through the steps on how to setup Fastlane on your Mac, but what if you would want to have a remote machine doing all the heavy lifting, getting loud and hot and keeping your computer cool and quiet while building your project? Well you can do that.

First ssh into your remote machine, then follow my manual on how to setup Fastlane on your computer and go through all the steps but with a remote machine.

What's the point of this article you would ask? It's mostly to reiterate on the issues you might face while running fastlane beta on the remote server. For example there is a high chance that you might encounter Fastlane's errSecInternalComponent error which is actually pretty easily resolvable by going through the archive and export routine and unlocking keychain via ssh. All the details are in this link.