Apple iOS in-app purchase hacking – How to prevent specially com.zeptolab.ctrbonus.superpower1 hacks

Today I am going to list the various mechanisms hackers have used to get around the in-app purchase system of one of our top apps in the Books section, “Story Time for Kids”.

As you are aware, Apple stores a receipt for each purchase and gives developers an interface to verify each receipt before delivering (unlocking) the purchase. Recently many jailbreakers have tried to hack into our system and unlock in-app content for free. I will discuss some very popular mechanisms and how we’ve tried to solve them:

1. Change the DNS of the iPhone. Hackers changed the DNS settings of the device so that, instead of going to Apple’s servers, the verification of purchase receipts was redirected to their own custom server, which sent back a custom verification. This way the app would get unlocked and no one would ever know. However, the good news is that Apple has patched this and now it’s kind of safe.

2. Change the DNS for server-side verification. If your in-app purchase verifies the receipt via a server, then hackers could change the URL via a firewall / middleware in between, which could return a positive purchase result for the unlockable item. There are many apps in Cydia that can do this, and you as the owner will never know that the purchase was unlocked. Unfortunately there is no out-of-the-box solution other than having your app periodically check with an online database whether the item was purchased or not.

3. Change of product ID (spoofing). Many jailbroken iOS devices just replace the outgoing purchase receipt with an existing valid purchase receipt (there are background apps to do this). Our server then sends this to Apple’s server for verification and, guess what, Apple sends a confirmation! A pretty good trick. But we’re smarter. Before sending the receipt for verification, unpack it (base64_decode) and extract the product_id from it. Then check whether the product_id is one of your genuine products. If not, just reject it. The most famous spoofed product ID is:

com.zeptolab.ctrbonus.superpower1
If you encounter any product ID apart from your own, simply block it. It is not genuine at all!
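A sketch of the product-ID check from point 3, plus the same comparison repeated on the verification response; this is an added example, not code from the original post. It assumes the legacy receipt layout (base64 of a `"key" = "value";` text whose `purchase-info` field is itself base64), the `product-id` / `bid` field names, and hypothetical product and bundle identifiers.

```python
import base64
import re

# Hypothetical identifiers for this sketch: replace with your app's real ones.
ALLOWED_PRODUCTS = {"com.example.storytime.pack1", "com.example.storytime.pack2"}
BUNDLE_ID = "com.example.storytime"

_PAIR = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"\s*;')

def _fields(blob_b64):
    """Base64-decode a blob and return its "key" = "value"; pairs as a dict."""
    text = base64.b64decode(blob_b64, validate=True).decode("utf-8", "replace")
    return dict(_PAIR.findall(text))

def precheck_receipt(receipt_b64):
    """Return (ok, reason) before the receipt is forwarded for verification."""
    try:
        outer = _fields(receipt_b64)
        info = _fields(outer["purchase-info"])   # assumed legacy field name
    except (ValueError, KeyError):                # bad base64 or missing field
        return False, "malformed receipt"
    if info.get("product-id") not in ALLOWED_PRODUCTS:
        return False, "foreign product id: %r" % info.get("product-id")
    if info.get("bid") != BUNDLE_ID:              # receipt issued for another app
        return False, "foreign bundle id"
    return True, "ok"

def check_verification(response):
    """Repeat the comparison on the parsed JSON verification response.

    The pre-check reads client-supplied bytes, so the verified response is
    what the unlock decision should rest on (field names assumed legacy).
    """
    receipt = response.get("receipt") or {}
    return (response.get("status") == 0
            and receipt.get("product_id") in ALLOWED_PRODUCTS
            and receipt.get("bid") == BUNDLE_ID)

def make_receipt(product_id, bid):
    """Build a constructed sample receipt in the assumed layout (test data only)."""
    info = '{\n\t"product-id" = "%s";\n\t"bid" = "%s";\n}' % (product_id, bid)
    outer = '{\n\t"purchase-info" = "%s";\n}' % base64.b64encode(info.encode()).decode()
    return base64.b64encode(outer.encode()).decode()
```

Log every rejected product ID together with the account that submitted it, so repeated spoofing attempts show up in review.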


68 thoughts on “Apple iOS in-app purchase hacking – How to prevent specially com.zeptolab.ctrbonus.superpower1 hacks”

  1. Mikko Oksalahti

    Thanks for this article. Our server just received a bunch of those fake receipts and we were wondering where they come from.

  2. Pascal

    Same here, just noticed a bunch of the superpower1 products that our server logged and found your blog via Google. Thanks!


  5. Andrey

    Great article. Thanks.
    Indeed, we received unconfirmed in-app purchase requests from some users before. After including an additional check with our servers it was solved.
    As for
    There is no need to base64-decode the message received from the device.
    It is possible to get the confirmation from Apple on your servers, then compare the ‘product id’ item with existing product IDs.

  6. Franklin

    You said that Apple checks whether the receipt’s product_id matches a valid one, but clearly ‘com.zeptolab.ctrbonus.superpower1’ isn’t a valid IAP (for my App at least). Apple verification still says that a receipt with ‘com.zeptolab.ctrbonus.superpower1’ is valid though. This makes me think 2 things:

    1) Is Apple not checking product_id?
    2) Why can’t the hacker just use one of my own valid IAP product_ids instead of the zeptolab one?


  7. Ben

    To Franklin’s point, Apple allows for a shared key for some transactions. Why don’t they validate against it for all server validations? So silly. Just put in code to protect my app from “superpower1”. Now I think I’m going to go through my user database and see if I can see who’s been stealing all this time…
