Verified Transactions

Discussion in 'Unity Analytics' started by andymads, Apr 16, 2015.

  1. andymads

    I've been doing my own verification of purchases in an iOS app that doesn't use Unity Analytics. All I'm doing is once a purchase has completed I'm sending the receipt to Apple for verification and then using analytics to collate the results - so there's no functionality to stop a purchase, I'm just monitoring results.

    What I'm seeing is that all but 1 of the nearly 10,000 purchases are valid, yet over 60% are for a product which is not ours, namely com.zeptolab.ctrbonus.superpower1, which apparently is down to a popular IAP hack.

    Does Unity Analytics assume that all verified transactions are genuine?
     
  2. kentunity

    Unity Technologies

    We do not assume all receipts that Apple and Google say are verified are genuine. We have protection against replay attacks with a check if the transaction happened within an hour. We currently don't have a check to verify the receipt matches the bundle ID of the project.

    The 1-hour verification check will protect us from the popular "com.zeptolab.ctrbonus.superpower1" IAP hack because it's using an old receipt.
     
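The checks discussed in this thread (purchase time within an hour, receipt bundle ID matching the project), together with a product-ID allow-list and transaction-ID de-duplication, as an added example that is not Unity Analytics code and not part of either post. It assumes an iOS 7-style decoded verifyReceipt response; `EXPECTED_BUNDLE_ID`, `OUR_PRODUCTS`, `check_receipt`, `sample_response` and the sample receipts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed values for illustration; not from the thread.
EXPECTED_BUNDLE_ID = "com.example.mygame"
OUR_PRODUCTS = {"com.example.mygame.coins100"}
MAX_AGE = timedelta(hours=1)  # the one-hour window described in the reply

def check_receipt(response, now, seen_transaction_ids):
    """Return (accepted_items, [(item, reason), ...]) for a decoded verifyReceipt response."""
    if response.get("status") != 0:  # Apple reports status 0 for a valid receipt
        return [], [(None, "apple_status_%s" % response.get("status"))]
    receipt = response.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return [], [(None, "bundle_id_mismatch")]
    accepted, rejected = [], []
    for item in receipt.get("in_app", []):
        bought = datetime.fromtimestamp(int(item["purchase_date_ms"]) / 1000, timezone.utc)
        if item["product_id"] not in OUR_PRODUCTS:
            rejected.append((item, "foreign_product"))
        elif abs(now - bought) > MAX_AGE:
            rejected.append((item, "stale_receipt"))
        elif item["transaction_id"] in seen_transaction_ids:
            rejected.append((item, "replayed_transaction"))
        else:
            seen_transaction_ids.add(item["transaction_id"])
            accepted.append(item)
    return accepted, rejected

def sample_response(bundle_id, product_id, transaction_id, purchased_at, status=0):
    """Build a constructed (not captured) response holding only the fields checked above."""
    return {"status": status, "receipt": {"bundle_id": bundle_id, "in_app": [{
        "product_id": product_id, "transaction_id": transaction_id,
        "purchase_date_ms": str(int(purchased_at.timestamp() * 1000))}]}}

def demo():
    """Run four constructed receipts through the checks and return one verdict each."""
    now = datetime(2015, 4, 16, 12, 0, tzinfo=timezone.utc)
    recent, old = now - timedelta(minutes=5), now - timedelta(days=400)
    ours, foreign = "com.example.mygame.coins100", "com.zeptolab.ctrbonus.superpower1"
    cases = [sample_response(EXPECTED_BUNDLE_ID, ours, "1000000001", recent),
             sample_response(EXPECTED_BUNDLE_ID, ours, "1000000001", recent),  # resent
             sample_response(EXPECTED_BUNDLE_ID, ours, "1000000002", old),
             sample_response("com.example.otherapp", foreign, "1000000003", old)]
    seen, verdicts = set(), []
    for case in cases:
        accepted, rejected = check_receipt(case, now, seen)
        verdicts.append("accepted" if accepted else rejected[0][1])
    return verdicts
```

The age check alone would pass a fresh receipt issued for another app, which is why the bundle ID and product ID are compared as well.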