What should be checked for fraud with the IAP validator?
On Google, using the validator itself and checking nothing else seems to be pretty good so far, but for iOS it is near useless. Almost all my iOS transactions are fake.
Right now, I am just validating the bundle ID with the validator, but what else should I check that would be good at preventing fraud?
Do you mean that on iOS fraudulent receipts are being counted?
You need to check that the receipt pertains to your application; hacking tools commonly substitute a genuine receipt from a different application that is signed by Apple, so it will pass Unity IAP’s integrity check - you should check that the bundle ID in the receipt matches your application.
You need to check what products are owned in the receipt too - you should only grant the user products where the ID is in the receipt as an AppleInAppPurchaseReceipt.
I am already checking the products from this
var result = validator.Validate (args.purchasedProduct.receipt);
Should I be checking another time from the receipt data returned by
AppleReceipt receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
var result = validator.Validate (args.purchasedProduct.receipt);
foreach (IPurchaseReceipt productReceipt in result) {
    productId = productReceipt.productID;
    // this just checks to see if productId matches my ids that are being offered
    int[] found = CheckIfProductIdIsGood (productId);
    // A consumable product has been purchased by this user.
    if (found[0] > -1) {
#if UNITY_IOS
        // Get a reference to IAppleConfiguration during IAP initialization.
        var appleConfig = builder.Configure<IAppleConfiguration>();
        var receiptData = System.Convert.FromBase64String(appleConfig.appReceipt);
        AppleReceipt receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
        if (receipt.bundleID != "com.gameid.gameid") {
            MyAnalytics.LogFail ("FAKEPURCHASE:" + receipt.bundleID);
            throw new IAPSecurityException ();
        }
#endif
        UnlockItem (found);
    }
}
I am adding this additional block to check product id from receipt.inAppPurchaseReceipts
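An added example, not code from this thread or from Unity IAP itself, showing the two iOS checks the reply above describes (bundle ID, then product ownership taken from receipt.inAppPurchaseReceipts) as a helper callable from ProcessPurchase. The class and method names and the expectedBundleId parameter are assumptions; the Unity IAP types are the ones already used in the posts.

```csharp
using System;
using System.Linq;
using UnityEngine.Purchasing;
using UnityEngine.Purchasing.Security;

public static class AppleReceiptChecks
{
    // Hypothetical helper name. Returns the in-app receipt for purchasedProductId,
    // or throws IAPSecurityException if the app receipt fails either check.
    public static AppleInAppPurchaseReceipt RequireOwnedProduct(
        AppleReceipt receipt, string expectedBundleId, string purchasedProductId)
    {
        if (receipt == null)
            throw new IAPSecurityException();

        // Check 1: the receipt was issued for this app. A genuine receipt lifted from
        // another app is still Apple-signed, so the signature check alone passes it.
        if (receipt.bundleID != expectedBundleId)
            throw new IAPSecurityException();

        // Check 2: the product being granted is listed in the receipt itself.
        // Grant only what appears here, not whatever product ID the client reports.
        var inApp = receipt.inAppPurchaseReceipts ?? new AppleInAppPurchaseReceipt[0];
        var owned = inApp.FirstOrDefault(r => r.productID == purchasedProductId);
        if (owned == null)
            throw new IAPSecurityException();

        return owned;
    }

    // Called from ProcessPurchase. appleConfig and purchasedProduct are the objects
    // used in the post above; AppleTangle is generated by the IAP receipt obfuscator.
    public static bool IsGenuinePurchase(
        IAppleConfiguration appleConfig, Product purchasedProduct, string expectedBundleId)
    {
        try
        {
            var receiptData = Convert.FromBase64String(appleConfig.appReceipt);
            var receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
            RequireOwnedProduct(receipt, expectedBundleId, purchasedProduct.definition.id);
            return true;
        }
        catch (IAPSecurityException) { return false; } // bad signature, wrong app, or product not owned
        catch (FormatException) { return false; }      // appReceipt was not valid base64
    }
}
```

Only unlock the item when IsGenuinePurchase returns true, and log the failing case to analytics as the post above already does.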
How do you know these purchases are occurring on iOS? Are you using Unity Analytics and looking at your revenue data or using some other Analytics provider?
Yes, Unity Analytics. I am looking at the data I log when the item is granted to the user (passing all the validation code as shown above). The log is in Unity Analytics, but there is no record of the transaction in Apple iTunes.
Is it possible this is test data and not fraud? Typically we should categorize test data as unverified, but there is a bug (which we’re working on a fix for) where sandbox tests show up as verified. Does this seem at all possible in your case?
It seems like you’ve got a weird situation going on that we would need to look into more. Can you fill out a support ticket with your appid so we can take a look? Thanks!