Apple iOS in-app purchase hacking – How to prevent the com.zeptolab.ctrbonus.superpower1 receipt-spoofing hack

Today I am going to list the various mechanisms hackers have used to get around the in-app purchase unlock in one of our top apps in the Books section, “Story Time for Kids”.

As you are aware, Apple stores a receipt for each purchase and gives developers an interface to verify each receipt before delivering (unlocking) the purchased content. Recently many users of jailbroken devices have tried to hack our system and unlock in-app content for free. I will discuss some very popular mechanisms and how we have tried to solve them:

1. Change the DNS of the iPhone. Hackers changed the DNS settings of the device so that the app’s receipt verification request, instead of going to Apple’s servers, was redirected to a server of their own, which answered with a custom “valid” verification. The app would then unlock the content and nobody would ever know. The good news is that Apple has since patched this, so it is now reasonably safe, provided the app does not simply trust any answer that says “valid”: it should check that it is really talking to Apple (the server’s certificate chain) and that the bundle identifier and product identifier in the receipt are its own.

2. Change of DNS / redirection of the server-side verification. If your app verifies the receipt through your own server, hackers can redirect the request with a firewall or a proxy sitting in between, which returns a positive “purchased” answer for the unlockable item. There are many Cydia apps that do this, and you as the owner will never know the purchase was unlocked. There is no out-of-the-box fix; what we do is have the app periodically re-check against an online database whether the item was really purchased. The underlying problem is that the app trusts whatever its server appears to say, so the periodic check only helps if the app can tell a real answer from a forged one: use TLS with the server’s certificate pinned, and have the server sign its answer (bound to a per-request nonce) so that a proxy can neither manufacture a “purchased” reply nor replay an old genuine one.

3. Change of product ID (spoofing). Many jailbroken devices simply swap the outgoing purchase receipt for an existing, valid receipt from some other app (there are background tools that do this). Our server then forwards that receipt to Apple for verification and, guess what, Apple confirms it, because the receipt really is genuine; it just is not ours. A neat trick, but we can be smarter. Before sending the receipt for verification, unpack it (base64_decode it; the purchase-info field inside is base64-encoded once more) and extract the product_id from it. Then check that the product_id is one of your own genuine products, and if it is not, reject the receipt. Apply the same check to the bid (bundle identifier), repeat both checks on the product_id and bid that Apple returns in its verification response, and record the transaction ID so that the same receipt cannot be replayed to unlock twice. The most commonly spoofed product id is:

com.zeptolab.ctrbonus.superpower1

If you encounter any product ID apart from your own, simply block it. Such a receipt is not a genuine purchase of your content.
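The pre-screening described in item 3, as an added example rather than the post’s own code. It decodes both base64 layers of an iOS 6-era transactionReceipt (the outer “key” = “value”; dictionary whose purchase-info field holds a second, base64-encoded dictionary), rejects anything whose bid or product-id is not ours before Apple is asked, and then applies the same checks plus a replay check to the JSON that Apple’s verifyReceipt endpoint returns. The bundle identifier, the product identifiers and the sample receipt are constructed for this example; the receipt carries a placeholder instead of a real signature because only the structure matters here.

```python
import base64
import json
import re

# Constructed for this example: the one bundle id and the product ids the
# hypothetical server is willing to unlock. Anything else is rejected.
OUR_BUNDLE_ID = "com.example.storytime"
OUR_PRODUCT_IDS = {"com.example.storytime.volume2", "com.example.storytime.volume3"}

# A line of the decoded receipt looks like:    "product-id" = "com.foo.bar";
_KV_LINE = re.compile(r'^\s*"([^"]+)"\s*=\s*"([^"]*)";\s*$', re.M)


def parse_openstep_dict(text):
    """Parse the flat "key" = "value"; dictionary used in transactionReceipt
    payloads into a Python dict (lines that are not key/value pairs are ignored)."""
    return {k: v for k, v in _KV_LINE.findall(text)}


def decode_receipt(receipt_b64):
    """Unpack both base64 layers and return the inner purchase-info dict,
    or None if the structure is not what a receipt should look like."""
    try:
        outer = parse_openstep_dict(base64.b64decode(receipt_b64).decode("utf-8"))
        inner = parse_openstep_dict(base64.b64decode(outer["purchase-info"]).decode("utf-8"))
    except (KeyError, ValueError):  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    return inner


def prescreen_receipt(receipt_b64):
    """The check from item 3: refuse to forward a receipt that is not for our
    own app and product. Returns (ok, reason_or_product_id)."""
    info = decode_receipt(receipt_b64)
    if info is None:
        return False, "malformed receipt"
    if info.get("bid") != OUR_BUNDLE_ID:
        return False, "bundle id %r is not ours" % info.get("bid")
    if info.get("product-id") not in OUR_PRODUCT_IDS:
        return False, "product id %r is not ours" % info.get("product-id")
    return True, info["product-id"]


def check_apple_response(body, expected_product_id, seen_transaction_ids):
    """Check the JSON from Apple's verifyReceipt endpoint. status 0 only says
    the receipt is genuine; we still confirm it is for our app and the product
    we pre-screened, and that this transaction has not unlocked anything before."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict) or data.get("status") != 0:
        return False
    r = data.get("receipt") or {}
    if r.get("bid") != OUR_BUNDLE_ID or r.get("product_id") != expected_product_id:
        return False
    tid = r.get("transaction_id")
    if not tid or tid in seen_transaction_ids:
        return False
    seen_transaction_ids.add(tid)
    return True


def make_receipt(product_id, bundle_id, transaction_id="1000000012345678"):
    """Build a receipt with the same two-layer layout from constructed values,
    so the checks above can be exercised offline."""
    inner = ('{\n\t"product-id" = "%s";\n\t"bid" = "%s";\n\t"transaction-id" = "%s";'
             '\n\t"quantity" = "1";\n}') % (product_id, bundle_id, transaction_id)
    outer = ('{\n\t"signature" = "constructed-placeholder-not-a-signature";'
             '\n\t"purchase-info" = "%s";\n\t"pod" = "100";\n\t"signing-status" = "0";\n}'
             ) % base64.b64encode(inner.encode()).decode()
    return base64.b64encode(outer.encode()).decode()


if __name__ == "__main__":
    print(prescreen_receipt(make_receipt("com.example.storytime.volume2", OUR_BUNDLE_ID)))
    # A genuine Cut the Rope receipt is valid for Apple, but not for us:
    print(prescreen_receipt(make_receipt("com.zeptolab.ctrbonus.superpower1", "com.zeptolab.ctr")))
```

The order matters: pre-screen first so that foreign receipts never reach Apple, then re-check Apple’s answer rather than trusting status 0 alone, and keep the transaction IDs you have already honoured, since a receipt that passed once is still valid the second time it is submitted.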
