I’m implementing In app purchases in my game with Google Play Services, but through my research on how to do it, i noticed that’re a lot of videos and tutorials that claim to know ways on how to cheat the IAP and get purchases for free, what i want to know is, what are the basic coding procedures to avoid this sort of cheat to work on my app, if there’s any.
The basic rules are pretty simple:
- Don’t trust the client, ever
That means basically everything that happens on the users device can be compromised in some way. They can even read and change anything in your code fairly easy. So if you really want to be on the safe side you would:
- need to run a server that is available 24/7
- not include any unlockable / purchasable content inside the game itself. Instead everything that should be unlockable would be stored on the server as AssetBundles.
- If a player purchases something you will receive a receipt on the users device. You would simply pass that receipt on to your server where you can verify it. Google signs that receipt with your personal key so it’s impossible to fake such a receipt.
- Verification can be done either on your server by checking the signature or by using the Google API where you can verify that purchase,
- Once verified that the purchase is valid you can “unlock” that item / content for the user. You either can store the state for that user on your server, or simply return the asset / bundle as result of the client’s request. You also could generate a dynamic URL from where your App can download the new content, however such an URL should expire after some time.
This ensures that a user who hasn’t bought an item gets access to it by “hacking” your game. Of course this does not prevent a user who has bought an item to illegally copy the item from their local storage and share it with others.
A good example of such an implementation is the Simpsons game Tapped Out. The whole game uses tons of small asset packages which are downloaded on demand. That game wasn’t made with Unity though this concept works in general.
In the company i worked for some time we even had game content servers and seperate payment servers and they where talking to each other internally. The payment servers handle everything that involves real money. They stored every transaction, even cancelled ones so if there are any complains from users everything can be tracked down. Our payment system generated a special transaction ID which was first send to the user. Google allows you to add a custom identifier for a transaction so you can match it with your database. In case something goes wrong (bad internet connection or something else), every transaction can be revalidated “manually”.
It’s always a matter of how likely it is that people try to “hack” your game and how much efford you want to put into preventing it. In general the good guys always lag behind. If you don’t want your content to be stolen, don’t publish it, at all ^^.
That’s a huge, vague question… The best answers you’re likely to get on here would be links people find by googling, which you can do yourself.
If you’re concerned with a specific vulnerability, then post a question to that effect, and maybe we can help more.