Thursday, December 13, 2012

WhatZOdd - Securing purchases

Today, we got our first dose of hacked App Store purchases in WhatZOdd.

In-app purchases on an iOS device work by sending the purchase request, along with the purchase details, to the App Store. The App Store verifies the payment transaction and authorizes it, then sends the purchase details back to the device; among them are the receipt and the transaction identifier.

Now, there is this iAP Cracker, built by "urus", which runs on a (jailbroken) iOS device, intercepts the App Store request and sends fake receipts back to the game. The game, on receiving these receipts, assumes the payment transaction went through and treats the purchase as paid.

A game running on the client device can check the validity of this receipt with the App Store, but again the cracker intercepts that request and sends back a "valid receipt" response.

This is quite a challenge for games running on a client-only model.

But since WhatZOdd is a server model, receipts are sent to the server and validated server-side, where the server itself talks to the App Store. The cracker's interception only works on the device, so it never gets the chance to forge that answer.

We also caught the culprits making these purchases and disabled their accounts. The dubious purchases are easy to catch by looking at their transaction identifiers and validating the receipts offline against the App Store.
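The server-side check described above, as an added example rather than WhatZOdd's own code. It posts the receipt to Apple's verifyReceipt endpoint from the server and then inspects the identifiers in the reply, because Apple's status alone only proves the receipt is genuine: a genuine receipt from a different app, for a cheaper product, or one that has already been credited still comes back with status 0 and has to be rejected by the game's own checks. The endpoint URLs and reply field names follow Apple's verifyReceipt interface of the time; the bundle id, product ids, receipt bytes and Apple replies are constructed for the example, and the offline stand-in for the network call is what the demo uses.

```python
import base64
import json
import urllib.request

# Apple's verifyReceipt endpoints for production and sandbox builds.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

STATUS_OK = 0                    # Apple authenticated the receipt
STATUS_NOT_AUTHENTICATED = 21003  # Apple could not authenticate the receipt
STATUS_SANDBOX_RECEIPT = 21007   # sandbox receipt was sent to the production endpoint

# Assumed values for this example: the game's bundle id and the products it sells.
EXPECTED_BUNDLE_ID = "com.example.whatzodd"
KNOWN_PRODUCTS = {"com.example.whatzodd.coins100", "com.example.whatzodd.coins500"}


def live_apple_post(url, payload, timeout=10):
    """Real network call: POST the JSON payload to Apple and decode the JSON reply.
    Not used by the offline demo below; pass it to ReceiptVerifier in production."""
    request = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.loads(response.read().decode("utf-8"))


class ReceiptVerifier:
    """Server-side receipt check. The device never sees Apple's reply,
    so a cracker hooking StoreKit on the handset cannot forge it."""

    def __init__(self, post_json, allow_sandbox=False):
        self._post_json = post_json      # callable(url, dict) -> dict
        self._allow_sandbox = allow_sandbox
        self._credited = set()           # transaction ids already granted (in-memory for the example)

    def verify(self, receipt_bytes, expected_product_id):
        """Return (accepted, reason). Only an accepted receipt is recorded as credited."""
        payload = {"receipt-data": base64.b64encode(receipt_bytes).decode("ascii")}
        reply = self._post_json(PRODUCTION_URL, payload)
        if reply.get("status") == STATUS_SANDBOX_RECEIPT and self._allow_sandbox:
            reply = self._post_json(SANDBOX_URL, payload)

        status = reply.get("status")
        if status != STATUS_OK:
            # Forged or malformed receipt: Apple cannot authenticate it.
            return False, "apple status %s" % status

        receipt = reply.get("receipt") or {}
        # A genuine receipt from another app passes Apple's check; it must not pass ours.
        if receipt.get("bid") != EXPECTED_BUNDLE_ID:
            return False, "bundle id mismatch"
        # A genuine cheap purchase must not be presented as the expensive one.
        product_id = receipt.get("product_id")
        if product_id not in KNOWN_PRODUCTS or product_id != expected_product_id:
            return False, "product id mismatch"
        # The same genuine transaction must not be credited twice.
        transaction_id = receipt.get("transaction_id")
        if not transaction_id or transaction_id in self._credited:
            return False, "replayed transaction"

        self._credited.add(transaction_id)
        return True, "ok"


# Constructed Apple replies keyed by the raw receipt bytes, standing in for the
# network so the example runs offline. Field names follow Apple's verifyReceipt reply.
CONSTRUCTED_REPLIES = {
    b"receipt-genuine": {"status": 0, "receipt": {
        "bid": "com.example.whatzodd", "product_id": "com.example.whatzodd.coins100",
        "transaction_id": "1000000012345678", "quantity": "1"}},
    b"receipt-other-app": {"status": 0, "receipt": {
        "bid": "com.example.othergame", "product_id": "com.example.whatzodd.coins100",
        "transaction_id": "1000000087654321", "quantity": "1"}},
    b"receipt-cheaper-product": {"status": 0, "receipt": {
        "bid": "com.example.whatzodd", "product_id": "com.example.whatzodd.coins100",
        "transaction_id": "1000000011112222", "quantity": "1"}},
}


def fake_apple_post(url, payload):
    """Offline stand-in for live_apple_post: anything not in the table counts as forged."""
    raw = base64.b64decode(payload["receipt-data"])
    return CONSTRUCTED_REPLIES.get(raw, {"status": STATUS_NOT_AUTHENTICATED})


def demo():
    """Run the verifier over the constructed cases; returns {case: (accepted, reason)}."""
    verifier = ReceiptVerifier(fake_apple_post)
    coins100 = "com.example.whatzodd.coins100"
    coins500 = "com.example.whatzodd.coins500"
    return {
        "genuine": verifier.verify(b"receipt-genuine", coins100),
        "replayed": verifier.verify(b"receipt-genuine", coins100),
        "forged": verifier.verify(b"receipt-fake-from-cracker", coins100),
        "other_app": verifier.verify(b"receipt-other-app", coins100),
        "cheaper_product": verifier.verify(b"receipt-cheaper-product", coins500),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In production the credited transaction ids live in the database next to the player's account rather than in a set, and the sandbox fallback stays off for release builds so that a sandbox receipt cannot unlock content in the live game.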


Also created a Twitter account for short tweets about these experiences:
https://twitter.com/kapilsiddharth1
