Fighting In-App Purchase Hacks

Fighting In-App Purchase HacksCombating fraudulent game exploitation

● Open Source Company● 400 Million Installs via 4,000+ games● Data Sharing Network

Games Unite

About Us

Developers should fight

hacking in their games.

Fight Back

Single player games build

interpersonal competition.

Why?

Word of mouth is the best game

sharing experience.

Why?

Unhacked game results build

enthusiasm for playing.

Why?

Necessary for keeping accurate

analytics.

Why?

And Most Importantly,

Why?

Hacked games mean lost

money!

Why?

File Overwriting

How Games Get Hacked 1

Hackers search games for important files and variables

containing the current game score, currency

balance, and level progression.

File Overwriting

They change these values to their

benefit.

File Overwriting

0101011101100101010101011101101111000011101100011010101111000101101010101010101011110

Fake In-Game Purchases

How Games Get Hacked 2

This is done by faking communications with

the game server.

Fake In-Game Purchases

Certain programs that make this possible are

found online.

More details on IAP hacks here

Fake In-Game Purchases

Encrypt your data.

Preventing Hacking 1

This way, a file that contains the balance

of 225 coins is difficult to find and edit.

Preventing Hacking 1

SOOMLA does this for you when you

use SOOMLA Store in your game!

Preventing Hacking 1

Use a dedicated server to protect in-

app purchases

Preventing Hacking 2

When a client buys something from an

app they are sent an electronic receipt.

Preventing Hacking 2

The receipt is usually validated

with the App Store or Google Play to

make sure the purchase is ok.

Preventing Hacking 2

Hacking software intercepts requests to the App Store or

Google Play and emulates their

behavior.

Preventing Hacking 2

So, it is best to use a private dedicated server to do the

verifying.

Preventing Hacking 2

This makes it much harder for hackers.

Preventing Hacking 2

SOOMLA also provides this receipt

validation server!

Preventing Hacking 2

After verifying, take an extra step and check for

suspicious activity.

Preventing Hacking 2

Compare the transactions from

Google and Apple to the transactions that happened in a game.

Preventing Hacking 2

Find if any purchases appear in a game’s

log but are not accounted for with a

receipt.

Preventing Hacking 2

The users with those purchases are hackers.

Preventing Hacking 2

A few other things to look for:

Fraud Indicators

Multiple purchases with little or no

time between them

Fraud Indicators

1

Economy ExhaustionPurchases of all

virtual items in an economy in a short

period of time.

Fraud Indicators

2

Over $50 worth of purchases by a given user in a single day

Fraud Indicators

3

Balance changes greater than the

largest amount of coins available for

purchase

Fraud Indicators

4

What happens after identifying hackers?

Fix your data

Correct your analytics data to remove

instances of hackers.

Punish the Hackers

Ban the hackers from your game.

Remove their excess virtual goodies.

Punish the Hackers

Increase the difficulty of the game for the hackers

Disable the hackers from sharing their scores

Punish the Hackers

“Brick the Game”Inform the hackers that they are blocked from the game

because they were identified as hackers.

Encourage them to play fair by resetting the game.

Further Reading

● iOS Receipt Validation (SOOMLA Blog

● Android Receipt Validation (SOOMLA Blog)

● Setting up Google Play Purchase Verification

Games Unite!