Search Unity

  1. Welcome to the Unity Forums! Please take the time to read our Code of Conduct to familiarize yourself with the forum rules and how to post constructively.

Verified Transactions

Discussion in 'Unity Analytics' started by andymads, Apr 16, 2015.

  1. andymads


    Jun 16, 2011
    I've been doing my own verification of purchases in an iOS app that doesn't use Unity Analytics. All I'm doing is once a purchase has completed I'm sending the receipt to Apple for verification and then using analytics to collate the results - so there's no functionality to stop a purchase, I'm just monitoring results.

    What I'm seeing is that all but 1 of the nearly 10,000 purchases are valid, yet over 60% are for a product which is not ours, namely com.zeptolab.ctrbonus.superpower1, which apparently is down to a popular IAP hack.

    Does Unity Analytics assume that all verified transactions are genuine?
  2. kentunity


    Unity Technologies

    Sep 16, 2014
    We do not assume all receipts that Apple and Google say that are verified are genuine. We have protection against replay attacks with a check if the transaction happened within an hour. We currently don't have a check to verify the receipt matches the bundle Id of the project.

    The 1hour verification check will protect us from the popular "com.zeptolab.ctrbonus.superpower1" IAP hack because it's using an old receipt.
    andymads likes this.