Android IAP possible users hacking purchases somehow?


We recently set up a MySQL database to have our game log stuff, such as when the user makes a purchase: user id, purchased item name, and price along with a timestamp.

We tested it with our test Google accounts and it seemed to work fine; every purchase yields a single log entry in the database.

We released a new update yesterday and the logs are very suspicious… The same player id makes almost 10 purchases within a 10-second timeframe.

We’re using Stans Assets: AndroidNative and IOSNative plugins to handle IAP.

Any idea what’s going on? How could that possibly happen? Is there any way Android users could hack a purchase so they could make multiple ones with the same price or something?

Can you think of something useful we could log to narrow down the issue?

Any thoughts on how to approach this are appreciated.

Forums Crosslink.

Well, I once worked in a company and I've implemented the payment system for Android and iOS for our Unity games (only client side). We had a dedicated payment server where we actually verified the purchases. As far as I remember for iOS, Apple does provide an API so the payment server can simply forward the receipt and signature we get from the user device to Apple to have it verified.

For Android we could do the verification ourselves on the payment server. When you create a Google developer account you should have a public / private key pair. The receipt the user device receives is signed with your private key by Google. So all you need to do on the payment server is use an RSA module (OpenSSL has one that can be used in PHP as far as I remember) to check the signature.

We had a lot of trouble on our payment server because the backend API was horribly set up and parts of the base64 encoded signature got messed up (mostly the equal signs).

I don’t have this project at hand so this information is purely based on what I could remember. That project was about two years ago. Maybe something has changed in the way Google handles IAP. Can’t remember exactly which IAP plugin we used, but we tried several. I think in the end we used Prime31 as it had support for both iOS and Android.

The payment servers actually created a payment ID which was passed to the user device. This ID was passed as custom data to Google / Apple so it was included in the receipt so we could easily match a payment with the user.

So as long as you do the verification on your server and the “stuff” the user buys is actually unlocked on your server and not just on the device, you should be pretty safe.
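The server-side check described in the answer above, as an added example that is not code from either poster or from any plugin: it verifies the receipt signature, reports a transport-mangled signature (lost `=` padding) separately from a forged one, and consumes the server-issued payment ID so a repeated receipt unlocks nothing. Assumptions: the signature is RSA PKCS#1 v1.5 with SHA-1 over the raw receipt JSON, the payment ID travels in a `developerPayload` field, and the `pending` map and the names `decodeSignature` and `verifyPurchase` are hypothetical.

```javascript
const crypto = require('crypto');

// Decode base64 strictly. Node's decoder is lenient, so a signature whose '='
// padding was lost in transport would otherwise surface as a plain "bad signature".
function decodeSignature(b64) {
  const buf = Buffer.from(b64, 'base64');
  return buf.length > 0 && buf.toString('base64') === b64 ? buf : null;
}

// pending: Map of paymentId -> { userId, productId }, created by the payment
// server before the purchase starts (hypothetical in-memory store).
function verifyPurchase(publicKey, receiptJson, signatureB64, userId, pending) {
  const sig = decodeSignature(signatureB64);
  if (!sig) return { ok: false, reason: 'malformed signature encoding' };

  // Assumption: RSA PKCS#1 v1.5 with SHA-1 over the exact receipt bytes.
  // Verify the string as received; re-serialising the JSON changes the bytes.
  if (!crypto.verify('sha1', Buffer.from(receiptJson, 'utf8'), publicKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }

  const receipt = JSON.parse(receiptJson); // parsed only after authentication
  const paymentId = receipt.developerPayload; // assumed field carrying the payment ID
  const payment = pending.get(paymentId);
  if (!payment) return { ok: false, reason: 'unknown or already used payment id' };
  if (payment.userId !== userId || payment.productId !== receipt.productId) {
    return { ok: false, reason: 'payment id does not match user or product' };
  }

  pending.delete(paymentId); // consume it, so a replayed receipt is rejected
  return { ok: true, orderId: receipt.orderId };
}
```

Logging the `reason` next to the user id and timestamp separates encoding faults in the backend from replayed or forged receipts.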