This is for tvOS but the same would apply for iOS too. This concerns in-app purchase subscriptions (auto-renewable).
Apple says:
Warning
Do not call the App Store server verifyReceipt endpoint from your app.
You can't build a trusted connection between a user’s device and the
App Store directly, because you don’t control either end of that
connection, which makes it susceptible to a man-in-the-middle attack.
If I use my own server, how is a man-in-the-middle any harder to do? My server will send the receipt to Apple, get all the internal fields as a response but will eventually have to send a valid/invalid response back to my app that anyone could forge with a man-in-the-middle system.
So why is using an intermediate server so much better?
There isn’t supposed to send back a response with valid/invalid result. You should build your API architecture considering subscription benefits: backend makes a decision what content a client app will have.
For example, you have an app with video library. Some videos are free, other available only with subscription. Backend has to send json where each video has a flag isAvailable (true/false). If a content is available, json will have URL for playing. Otherwise, there isn’t any URLs in JSON for non subscribing user, he would have only option to subscribe.
Only backend validates a subscription receipt and decides how much content user get. Client doesn’t know anything about user’s subscription and depends only on JSON from a server.
If someone tried to hack you, they would get nothing without subscription.
In addition, you can use SSL pinning for protection from Man-in-the-Middle attacks (of course, it’s not ultimate solution, but you can make hacker’s lives much more harder).
Related
I am developing an in app purchase app (auto renewal) and purchase/cancellation should effect on all platform (Android, iOS, Web).
My question is what is best way to keep track the latest status of the purchase. I know there is a way called server to server notification using web hook, but I am thinking can we store the receipt data to server and validate this receipt time to time with iTunes apis?
Does receipt data change over the updates on subscription or it is same even after changing the device?
All I want to validate it at server side, because there is a possibility that user can uninstall the app or not using it.
You can validate the receipts at server end. There are two options.
Enabling server to server notifications.
Store all receipts in your databases and verify it with server for latest update.
You need to use meta data from the receipt under key "latest_receipt" to get the latest update in the subscription.
Below is the link for reference.
https://developer.apple.com/documentation/storekit/in-app_purchase/validating_receipts_with_the_app_store#//apple_ref/doc/uid/TP40010573-CH104-SW1
Initial receipt meta data does not change over the time. You can save initial receipt metadata in your database and use it for further updates like - renewal, cancellation, upgrade or downgrade, refund etc.
Yes, you can, moreover server-to-server validation & observing is most preferable way recommended by Apple. They provided JSON API and accepts your server end-point to post any changes directly to server.
For details read Choosing a Receipt Validation Technique and related in topic.
The common start point is In-App Purchase
I want to validate iOS receipt.
I thought I would send a receipt to the App Store verification server (https://sandbox.itunes.apple.com/verifyReceipt or https://buy.itunes.apple.com/verifyReceipt).
But Apple reference says:
It is not possible to build a trusted connection between a user’s
device and the App Store directly because you don’t control either end
of that connection.
And apple recommend sending a receipt to my server then send it to the App Store verification server to validate.
(https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html#//apple_ref/doc/uid/TP40010573-CH104-SW1)
I don't understand why a connection between a device and the App Store is not trusted regardless of using HTTPS connection.
Your app is running on hardware controlled by the user. They have physical access to it, and can do anything they want with it. The operating system doesn't make it easy for a user to mess with things, but it can be done and hackers do it.
You can validate the iOS receipt on the iOS device. But you cannot be sure that the receipt is actually valid. The user could have hacked the device to make you think the receipt is valid.
I don't understand why a connection between a device and the App Store is not trusted regardless of using HTTPS connection.
HTTPS does not protect you from a hacker who has physical control over iOS device. A hacker can install different SSL keys on the device, allowing it to connect with a different server.
When your app tries to communicate with Apple's server, any network administrator can change it so that some other server is contacted instead of Apple's one. This server would normally be rejected because the SSL key will be untrusted... but if the user controls the device, they can make it trust an invalid SSL key.
Your server, however, is controlled by you. Your customers do not have physical access to it. And therefore your server (hopefully!) cannot be hacked. This means your server can be trusted, unlike the device. When your server establishes an SSL connection to Apple's server, you know you really are talking to Apple's server. Not one that your user installed to bypass in-app purchasing.
So, if the user buys something in your app... you don't want to store the thing being purchased inside the app. You want to store it on a server, and that server only sends the purchased data to the device after it has verified the receipt with Apple's server.
If you don't want to spend money running your own server, then you will simply have to accept that any tech savvy person with a few hours of free time can create fake iOS purchase receipts and convince your device that they are valid.
Apple's iOS in-app purchase system has been attacked in the past by people who have tricked apps into giving them content for free. They have since improved the systems involved to try to limit this kind of thing.
I've read through the StoreKit reference documents available from Apple and I have a general idea of the workflow and the checks that need to be done, and so on. However, there may be security issues that I'm not aware of.
Can anyone provide a full list of theft-attacks that can be attempted against In-App purchase mechanisms, how developers might mistakenly allow these attacks, and what are best practices for preventing them?
These are the attacks that I am aware of, past and present:
Fake App Store
Made famous by the Russian programmer Alexey Borodin, this attack only affects apps that verify purchase receipts directly with the App Store. By modifying the DNS settings of the device, and installing forged security certificates, the verification requests are sent to a fake App Store server, which automatically returns that the purchase is valid. Unsuspecting apps will accept these verification calls and deliver the content to the user.
Commentary
After this exploit was made known in July of 2012, Apple issued updated documentation and advice for developers to ensure this kind of attack would not continue to occur. Borodin has been quoted in various web articles as stating that the "game is over" based on Apple's updated APIs and best practices guidelines.
Prevention
Apple has an entire document dedicated to this loophole here. (EDIT: Link is down, Wayback if you want...although the document covered iOS 5.1 and earlier.) The biggest point they bring up is having your app send the receipt to an external server that you own, and then having your server verify the receipt with Apple. However, if you do send the receipt directly from the app to the App Store, they recommend the following checks:
Check that the SSL certificate used to connect to the App Store server is an EV certificate.
Check that the information returned from validation matches the information in the SKPayment object.
Check that the receipt has a valid signature.
Check that new transactions have a unique transaction ID.
Fake Verification Server
If your app sends the transaction receipts to your server, which then forwards them to the App Store, one option is for the attacker to fake your verification server. By some method (altering the DNS table, changing the URL, etc.) the receipt is sent to an alternate location and a "successful verification" is returned. In this way the receipt never reaches your server and you never have a chance to check it with the App Store.
Commentary
Apparently there are a variety of apps in the Cydia store that serve to run in the background, monitor receipt traffic, and redirect it for this purpose. Source: Hussulinux Blog
Prevention
If you immediately deliver content as soon as a receipt is verified, there is no known way to prevent this kind of attack. However, take this scenario: you have a user account system managed on your own server. If the purpose of the In-App Purchase is to notify your server that a particular user account has purchased an item, and the app downloads that item from your server, you are immune to the attack. Redirecting the receipt to another server will accomplish nothing for the attacker, because your server will never mark the user account as owning an item, as it never sees the receipt.
Fake Receipts
An attacker can fake the purchase process and then send a forged receipt to your verification server. Unlike the previous attack, the receipt's outbound location is not changed, but it is replaced with an imposter. This spoofed receipt is, in fact, a valid receipt from a previous App Store transaction, and the App Store will verify it as such. By faking the purchase process and then sending a spoofed receipt to your server, the content is never actually paid for.
Commentary
Apparently there are a variety of Cydia apps that do this sort of thing. You can spot fake receipts because their product_id is totally different from anything you use in your app. Apparently the most famous spoofed id is com.zeptolab.ctrbonus.superpower1. Source: Hussulinux Blog.
Prevention
In the link where I found this attack, the blogger recommended that you unpack the receipt at your verification server (base64_decode) and check the product_id before sending the receipt to the App Store. However, in this article Apple recommends that you first send the receipt to the App Store, and then read the returned information to be certain that the receipt is valid.
(Also, correct me if I'm wrong, but Apple's recommended technique could also be used to prevent this kind of attack even if you don't have a verification server. If your app sends the receipt directly to the App Store, it could examine the contents of the JSON response to ensure it's valid. But this goes against Apple's recommended best practices of using an external verification server, so I wouldn't advocate it.)
In Closing
These are the attacks that I'm aware of, feel free to correct me if I'm wrong on any point or to put forth additional attacks and fixes.
As a note, there's this website: http://www.in-appstore.com/ which claims to allow in-app purchases for free, either on iOS 5 or with a jailbroken iOS 6 device, and is active as of July 5th, 2013. While I'm not 100% sure how they are doing it, it definitely seems to involve DNS rerouting and faked security certificates, which would imply Fake App Store or Fake Verification Server, which would additionally imply that there are still apps out there that are not secured against these attacks.
Resources
Apple iOS in-app purchase hacking
My Experiences With Verifying In-App Purchase Receipts
How to detect "IAP Crackers"?
EDIT:
Additional
It seems like one or two people have swung by here and found this post useful, and I'm glad.
There's more information that can be had on this subject, either in other posts, books, or, if you're up to it, scouring the underbelly of the internet. Here's just a couple of websites and posts and so forth that I want to look into, but haven't had a chance yet. I'll add more links later when I find interesting tidbits.
http://www.se7ensins.com/forums/threads/tut-how-to-hack-ios-games-and-apps.701845/
http://www.iapphacks.com/
A couple of immediate takeaways: don't store your player's data in a simple plist unless you want it to be edited by some teenager. People don't have to hack your IAP system if they can just give themselves gold or something similar by editing the files on the disk. Perhaps by encrypting these files, you could discourage a certain segment of attackers.
Based on the se7ensins link, it seems as though an attacker can also pry apart your binary and mess with it to achieve the same ends as editing a plist file, or even more, but this will require a slightly higher skill level. Perhaps setting up jailbreak detection would suffice to deter most people who would resort to this.
Again, this section is mostly speculation, but it may help someone. Really, the level of protection you have depends on how far a developer is willing to go (down the rabbit hole of security and encryption) to protect their bottom line.
I want to validate iOS in-app-purchases using my own server. The iOS app will talk to my server which in turn will talk to Apple's server to determine if the IAP is valid. I'm fairly new to networking so I have a basic question: How can I make sure my iOS app is talking to my server securely?
I imagine the app will talk over https but I don't know how this works. Any advice on setting up https communication between the two (or alternate methods of secure communication) are greatly appreciated!
Lawson has a point. You can't make your server perform the purchases directly at the AppStore. That has to be performed by your app.
It should request the available product identifiers from your server and then send an SKProductsRequest to the AppStore.
If required it processes the purchase over the app store and tells your own server about it by sending a so called receipt. The server can validate the receipt directly at the AppStore. But that is the only thing the server can do it self at the AppStore.
You can read more about it here: Overview of In-App Purchase: Server Product Model
As for the connection between your app and your server, I don't think you have much of a (reasonable) choice but to use SSL. Almost anything more secure would require a PKI.
Sorry about the previous answer... I misread your question. You can have your server send a POST request to Apple's server, then parse the response.
https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html
If I implement Apple's VerificationController.m example, is it still necessary to do server side receipt verification? Also, if you do server side, then there seems to be no reason to implement VerificationController.m since you're not contacting Apple's servers from the device.
Best case, I'd rather only implement VerificationController.m because I don't have a great way to run my own https server. Is that enough? The App runs on iOS 5+
This is trickier than it first appears, so I'll probably get this subtly wrong, but here goes:
The original attack relies on two weaknesses in iOS ≤ 5.x:
Failure to check that the App Store server is genuine (the user/attacker is allowed to install CA certificates, circumventing the SSL certificate check).
Failure to check that the receipt is valid for that device.
This allows the user/attacker to pretend to be the App Store server and present a valid receipt for someone else's purchase.
VerificationController can't fix the first weakness (it can't change how StoreKit talks to Apple); it mostly just fixes the second. It also seems to check far more things than ought to be necessary (but I could just be plain wrong here), including a bunch of things that StoreKit probably already checks.
Client-side verification doesn't protect against someone hacking the client, which is pretty easy on a jailbroken phone. This isn't really an issue if the thing being purchased could be hacked just as easily (e.g. ammo for a game/turning off ads).
Server-side verification is desirable when the server provides the thing being purchased (e.g. DLC/Skype credit/FarmCoins).
For consumables, the server needs to ensure that the transaction only gets applied to one account; checking device IDs is a bit superfluous — the attacker would need to submit the transaction receipt before the purchaser does, which either involves the purchaser handing over the receipt (not really an attack) or the attacker stealing the receipt with an attack on SSL (which would mean far bigger things to worry about).
For non-consumables (e.g. DLC), you'll want to verify the device ID as well. This can be as simple as the client sending its device ID to the server — this doesn't protect against a hacked client, but the attacker can just forge the device ID or pirate the DLC.
In general, do the verification at the point where you convert the receipt into the purchased item.
There are a few issues with VerificationController, though:
It checks that the receipt-verification server is using an EV certificate, but doesn't do any other SSL-layer checks. I don't know if the user can install an EV-capable CA certificate (and it won't be long until an EV CA is compromised).
You have to embed your receipt-verification password in the app (search for "password" and "ITC_CONTENT_PROVIDER_SHARED_SECRET"), which is trivial to extract on a jailbroken phone. I'm not sure what bad things an attacker could use this for, but surely the point of a secret is that it's secret!
Transactions which it has "seen before" are considered invalid, but it marks transactions as "seen" before contacting the receipt-verification server! This means you never reach //Validation suceeded. Unlock content here. if the receipt-verification connection fails, which could easily happen over a poor 3G connection. This might not be an issue for non-consumable transactions (I think restored transactions get a new transaction ID), but means consumables get lost forever. You can postpone calling -[SKPaymentQueue finishTransaction:] until receipt-verification succeeds, but this will leave incomplete transactions in the queue — hopefully they eventually expire without charging the user.
It trusts the contents of NSUserDefaults. This is part of the app backup and easily editable.
It assumes that -connection:didReceiveData: returns all the response data. This might be true to implementation details of the server and NSURLConnection, but relying on this is unwise.