Monthly Archives: April 2013

Apple iOS in-app purchase hacking – How to prevent specially com.zeptolab.ctrbonus.superpower1 hacks

Today I am going to list of various mechanism used by hackers to overcome our in-app purchase utility of one of our top apps in books section called “Story Time for Kids”

As you are aware apple stores each purchase receipts and allows developers an interface to verify each receipt before delivering the purchases (unlocking). Recently many jailbreakers have tried to hack into our system and unlock in-app content for free. I will discuss some very popular mechanisms and how we’ve tried to solve them:

1. Change the DNS of the iPhone. Hackers changed the DNS of the device and instead of redirecting the verification of purchase receipts to Apple servers, they could redirect it to their own custom server and send a custom verification. This way the app would get unlocked and no one would ever come to know. However, the good news is that Apple has patched this and now its kinda safe.

2. Change of DNS of the server side verification. If your in app purchase verifies the receipt via a server, then hackers could change the url via a firewall / middle-ware in between which could return a positive purchase of the unlockable item. There are many apps in Cydia who can do this and you as a owner will never come to know that the purchase was unlocked. Unfortunately there is no out of the box solution except your app keeps checking periodically with an online database if it was purchased or not.

3. Change of Product ID – Spoofing : Many jailbroken iOS devices just change the outgoing purchase receipt to an existing valid purchase receipt. (There are background apps to do this). Our server will then send this to Apple server for verification and guess what, apple will send a confirmation! A sheer good trick. But we’re smarter. Before sending the receipt for verification, unpack it (base64_decode) and extract out the product_id from it. Then check if the product_id is your genuine product or not. If not, just cancel it out. The most famous spoofed product id is :


If you encounter any product ID apart from your own, then simply block them. They are not genuine at all!