[Closed] What to validate with the validator?

Discussion in 'Unity IAP' started by mrm83, Apr 30, 2016.

Thread Status:
Not open for further replies.
  1. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    What should be checked for fraud with the IAP validator?

    On Google, using the validator itself and checking nothing else seems to be pretty good so far, but for iOS it is near useless. Almost all my iOS transactions are fake.

    Right now, I am just validating the bundle ID with the validator, but what else should I check that should be good at preventing fraud?
     
  2. Banderous (Joined: Dec 25, 2011; Posts: 669)
    Do you mean that on iOS fraudulent receipts are being counted?

    You need to check that the receipt pertains to your application; hacking tools commonly substitute a genuine receipt from a different application that is signed by Apple, so it will pass Unity IAP's integrity check. You should check that the bundle ID in the receipt matches your application.
     
  3. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    I am already checking the bundle ID, and it matches! But no transaction is found on Apple.

    I have this for the bundle ID check, but it doesn't go into the condition, meaning the bundle matches.

    if (receipt.bundleID != "com.myapp.myappnamel") {
        MyAnalytics.LogFail ("FAKEPURCHASE:" + receipt.bundleID);
        throw new IAPSecurityException ();
    }
     
  4. Banderous (Joined: Dec 25, 2011; Posts: 669)
    You need to check what products are owned in the receipt too - you should only grant the user products where the ID is in the receipt as an AppleInAppPurchaseReceipt.
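
The two checks Banderous describes in this thread (the receipt's bundle ID, then the product ID being present in the receipt), as an added example that is not part of the thread or of Unity IAP's code. `InAppLine`, `AppReceipt` and `GrantPolicy` are hypothetical stand-ins for the validated receipt's fields, the sample IDs are constructed, and the once-per-transaction-ID check goes beyond what the thread discusses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for a validated receipt's fields (not Unity IAP types),
// so the sketch compiles as a plain .NET console program.
public record InAppLine(string ProductId, string TransactionId);
public record AppReceipt(string BundleId, IReadOnlyList<InAppLine> InApp);
public enum Verdict { Grant, WrongBundle, ProductNotInReceipt, AlreadyGranted }

public sealed class GrantPolicy
{
    private readonly string expectedBundleId;
    private readonly HashSet<string> seenTransactions = new HashSet<string>();

    public GrantPolicy(string expectedBundleId) => this.expectedBundleId = expectedBundleId;

    // Decide whether the product reported by the purchase callback may be unlocked.
    public Verdict Decide(AppReceipt receipt, string purchasedProductId)
    {
        // A receipt Apple signed for another app still passes the signature check,
        // so the bundle ID is compared first.
        if (!string.Equals(receipt.BundleId, expectedBundleId, StringComparison.Ordinal))
            return Verdict.WrongBundle;

        // Grant only what the receipt itself lists for this product.
        var lines = receipt.InApp.Where(l => l.ProductId == purchasedProductId).ToList();
        if (lines.Count == 0) return Verdict.ProductNotInReceipt;

        // Assumption beyond the thread: each transaction ID is honoured once.
        foreach (var line in lines)
            if (seenTransactions.Add(line.TransactionId)) return Verdict.Grant;
        return Verdict.AlreadyGranted;
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new GrantPolicy("com.example.game"); // constructed sample values
        var genuine = new AppReceipt("com.example.game", new[] { new InAppLine("coins_100", "tx-1") });
        var borrowed = new AppReceipt("com.other.app", new[] { new InAppLine("coins_100", "tx-9") });
        Console.WriteLine(policy.Decide(borrowed, "coins_100")); // receipt from another app
        Console.WriteLine(policy.Decide(genuine, "gems_500"));   // product not in receipt
        Console.WriteLine(policy.Decide(genuine, "coins_100"));  // first use of tx-1
        Console.WriteLine(policy.Decide(genuine, "coins_100"));  // tx-1 replayed
    }
}
```

In a shipped game the set of seen transaction IDs would have to survive restarts, for example in server-side storage, rather than live in memory as it does here.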
     
  5. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    I am already checking the products from this
    var result = validator.Validate (args.purchasedProduct.receipt);

    Should I be checking another time from the receipt data returned by
    AppleReceipt receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
     
  6. Banderous (Joined: Dec 25, 2011; Posts: 669)
    What does your product check code look like? Do you ensure that only products in that 'result' are granted to the user?

    If you can find a receipt that validates when it shouldn't, e.g. by logging it to a server, please DM it to me.
     
  7. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    Code (csharp):
    var result = validator.Validate (args.purchasedProduct.receipt);
    foreach (IPurchaseReceipt productReceipt in result) {
        productId = productReceipt.productID;
        // This just checks whether productId matches one of the IDs being offered.
        int[] found = CheckIfProductIdIsGood (productId);

        // A consumable product has been purchased by this user.
        if (found[0] > -1) {
    #if UNITY_IOS
            // Get a reference to IAppleConfiguration during IAP initialization.
            var appleConfig = builder.Configure<IAppleConfiguration>();
            var receiptData = System.Convert.FromBase64String(appleConfig.appReceipt);
            AppleReceipt receipt = new AppleValidator(AppleTangle.Data()).Validate(receiptData);
            if (receipt.bundleID != "com.gameid.gameid") {
                MyAnalytics.LogFail ("FAKEPURCHASE:" + receipt.bundleID);
                throw new IAPSecurityException ();
            }
    #endif
            UnlockItem (found);
        }
    }

    I am adding this additional block to check product id from receipt.inAppPurchaseReceipts
    Code (csharp):
    foreach (AppleInAppPurchaseReceipt productReceipt in receipt.inAppPurchaseReceipts) {
        int[] findProd = CheckIfProductIdIsGood (productReceipt.productIdentifier);
        if (findProd [0] > -1) {
            UnlockItem (findProd [0], findProd [1]);
        } else {
            MyAnalytics.LogFail ("InvalidReceipt:" + productReceipt.productIdentifier);
        }
    }
     
  8. Banderous (Joined: Dec 25, 2011; Posts: 669)
    How do you know these purchases are occurring on iOS? Are you using Unity Analytics and looking at your revenue data or using some other Analytics provider?
     
  9. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    Yes, Unity Analytics. I am looking at the data I log when the item is granted to the user (passing all the validation code as shown above). The log is in Unity Analytics, but there is no record of the transaction in Apple iTunes.
     
  10. Banderous (Joined: Dec 25, 2011; Posts: 669)
    Is Unity Analytics marking it as verified or unverified revenue?
     
  11. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    They are verified.
     
  12. erika_d (Joined: Jan 20, 2016; Posts: 413)
    @mrm83,

    Is it possible this is test data and not fraud? Typically we should categorize test data as unverified, but there is a bug (which we're working on a fix for) where sandbox tests show up as verified. Does this seem at all possible in your case?
     
  13. mrm83 (Joined: Nov 29, 2014; Posts: 345)
    No, it is not test data.

    My most recent data is still invalid. Verified revenue is higher than what I see in iTunes Connect.
     
  14. erika_d (Joined: Jan 20, 2016; Posts: 413)
    Hi @mrm83,

    It seems like you've got a weird situation going on that we would need to look into more. Can you fill out a support ticket with your appid so we can take a look? Thanks!
     