[Closed] What to validate with the validator?

What should be checked for fraud with the IAP validator?

On Google, using the validator itself and checking nothing else seems to be pretty good so far, but for iOS it is near useless. Almost all my iOS transactions are fake.

Right now, I am just validating the bundle ID with the validator, but what else should I check that would be good at preventing fraud?

Do you mean that on iOS fraudulent receipts are being counted?

You need to check that the receipt pertains to your application; hacking tools commonly substitute a genuine receipt from a different application that is signed by Apple so will pass Unity IAP’s integrity check - you should check that the bundle ID in the receipt matches your application.

I am already checking the bundle ID, and it matches! But no transaction is found on Apple.

I have this for the bundle ID check, but it doesn't go into the condition… meaning the bundle matches.

```csharp
if (receipt.bundleID != "com.myapp.myappnamel") {
    MyAnalytics.LogFail ("FAKEPURCHASE:" + receipt.bundleID);
    throw new IAPSecurityException ();
}
```

You need to check what products are owned in the receipt too - you should only grant the user products where the ID is in the receipt as an AppleInAppPurchaseReceipt.

I am already checking the products from this:

```csharp
var result = validator.Validate (args.purchasedProduct.receipt);
```

Should I be checking another time from the receipt data returned by

```csharp
AppleReceipt receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
```

What does your product check code look like? Do you ensure that only products in that ‘result’ are granted to the user?

If you can find a receipt that validates when it shouldn’t, eg by logging it to a server, please DM it to me.

```csharp
var result = validator.Validate (args.purchasedProduct.receipt);
foreach (IPurchaseReceipt productReceipt in result) {
    productId = productReceipt.productID;
    // this just checks to see if productId matches my ids that are being offered
    int[] found = CheckIfProductIdIsGood (productId);

    // A consumable product has been purchased by this user.
    if (found[0] > -1) {
        #if UNITY_IOS
        // Get a reference to IAppleConfiguration during IAP initialization.
        var appleConfig = builder.Configure<IAppleConfiguration>();
        var receiptData = System.Convert.FromBase64String(appleConfig.appReceipt);
        AppleReceipt receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
        if (receipt.bundleID != "com.gameid.gameid") {
            MyAnalytics.LogFail ("FAKEPURCHASE:" + receipt.bundleID);
            throw new IAPSecurityException ();
        }
        #endif
        UnlockItem (found);
    }
}
```

I am adding this additional block to check product IDs from receipt.inAppPurchaseReceipts:

```csharp
foreach (AppleInAppPurchaseReceipt productReceipt in receipt.inAppPurchaseReceipts) {
    int[] findProd = CheckIfProductIdIsGood (productReceipt.productIdentifier);
    if (findProd [0] > -1) {
        UnlockItem (findProd [0], findProd [1]);
    } else {
        MyAnalytics.LogFail ("InvalidReceipt:" + productReceipt.productIdentifier);
    }
}
```
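To pull the checks discussed in this thread together (bundle ID, the bought product actually present in the receipt, and one grant per transaction), here is an added example written for this thread; it is not the poster's code or Unity's own. It assumes Unity IAP's UnityEngine.Purchasing.Security types (CrossPlatformValidator, AppleReceipt, and AppleInAppPurchaseReceipt with productID, transactionID, quantity and cancellationDate fields), that `validator` was constructed with the app's real bundle ID, and a hypothetical in-memory store of already granted transaction IDs.

```csharp
using System;
using System.Collections.Generic;
using UnityEngine;
using UnityEngine.Purchasing;
using UnityEngine.Purchasing.Security;

public static class ReceiptGate
{
    // Transaction IDs already granted. Hypothetical storage: persist it (PlayerPrefs or your
    // backend) so a genuine receipt cannot simply be presented again to unlock the same item.
    static readonly HashSet<string> grantedTransactions = new HashSet<string>();

    // Returns how many units of the product the user actually tapped may be granted
    // (0 = grant nothing). Throws IAPSecurityException when the signature or bundle check fails.
    // appReceipt is the AppleReceipt parsed with AppleValidator as in the thread; null off iOS.
    public static int GrantableQuantity(PurchaseEventArgs args, CrossPlatformValidator validator,
                                        string expectedBundleId, AppleReceipt appReceipt)
    {
        string boughtId = args.purchasedProduct.definition.id;

        // 1. Signature check. CrossPlatformValidator also compares the bundle ID with the one
        //    given to its constructor, so that constructor argument must be the real bundle ID.
        IPurchaseReceipt[] receipts = validator.Validate(args.purchasedProduct.receipt);

        // 2. Explicit bundle ID check on the parsed app receipt, as the thread does.
        if (appReceipt != null && appReceipt.bundleID != expectedBundleId)
        {
            Debug.LogWarning("Receipt belongs to another app: " + appReceipt.bundleID);
            throw new IAPSecurityException();
        }

        int quantity = 0;
        foreach (IPurchaseReceipt r in receipts)
        {
            // 3. Only the product the user tapped is granted from this callback. Other entries
            //    in the receipt are earlier purchases and must not be unlocked again here.
            if (r.productID != boughtId) continue;

            // 4. One grant per transaction ID, even if the same receipt is presented twice.
            if (string.IsNullOrEmpty(r.transactionID) || !grantedTransactions.Add(r.transactionID))
            {
                Debug.LogWarning("Duplicate or unknown transaction for " + boughtId);
                continue;
            }

            // 5. Apple-specific fields: skip refunded entries, honour the purchased quantity.
            var apple = r as AppleInAppPurchaseReceipt;
            if (apple != null && apple.cancellationDate != default(DateTime)) continue;
            quantity += apple != null ? apple.quantity : 1;
        }
        return quantity;
    }
}
```

Call it from ProcessPurchase and unlock only when the returned quantity is greater than zero; a receipt that is signed by Apple but carries a foreign bundle ID, a different product, or an already granted transaction then unlocks nothing.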

How do you know these purchases are occurring on iOS? Are you using Unity Analytics and looking at your revenue data or using some other Analytics provider?

Yes, Unity Analytics. I am looking at the data I log when the item is granted to the user (after passing all the validation code shown above). The log is in Unity Analytics, but there is no record of the transaction in Apple iTunes.

Is Unity Analytics marking it as verified or unverified revenue?

They are verified.

@mrm83_1,

Is it possible this is test data and not fraud? Typically we should categorize test data as unverified, but there is a bug (which we’re working on a fix for) where sandbox tests show up as verified. Does this seem at all possible in your case?

No it is not test data.

My most recent data is still invalid. Verified revenue is higher than what I see in iTunes Connect.

Hi @mrm83_1,

It seems like you've got a weird situation going on that we would need to look into more. Can you fill out a support ticket with your app ID so we can take a look? Thanks!