Just as the name suggests, an in-app purchase is a feature on smartphones and other mobile devices for buying products and services from within an app. The best example is games, where a user can buy gems, coins and all sorts of virtual items from the game app itself by paying money. In this post, I will describe how some games and apps are affected by in-app purchase fraud and how to prevent it.
Bypassing/Hacking In-App purchases.
While it sounds very convenient to get the items from the app itself, in-app purchases can be manipulated and goods can be obtained without actually paying anything. This is made possible by hijacking the purchase process and making the app believe that a purchase was successful when in reality it wasn't. There are some apps readily available for this.
CreeHack is one such Android app, and it helps to bypass in-app purchases on the Google Play Store. Using this app, one can obtain coins, gems, levels, lives and so on for free, and also turn trial-version apps into full versions.
All these apps contain an inbuilt free card, which can be used on Google Play. So whenever you attempt to buy something (like gems, coins or lives), CreeHack hijacks the process and completes the purchase with its inbuilt card. The actual request that was supposed to reach the server gets blocked at the device level by these apps. The result is that the user gets everything for free, without spending any money.
Here you can see a demo of bypassing in-app purchases with CreeHack. It doesn't even require root access. Simply installing the app, opening the purchase tab of any app and tapping 'buy' completes the purchase, as shown in the screenshots. For a detailed tutorial and step-by-step instructions, refer to this post.
Preventing In-App Purchase Fraud.
There are several ways to fight in-app purchase fraud. Based on how these purchase manipulations work, the steps below can be implemented. They should also explain why apps like CreeHack don't work on certain games and apps.
- Server Side Validation: This can be done by implementing purchase validation on the server side in addition to local validation. The goods bought then become valid only after the purchase has been processed through a cloud platform. Client-based tricks might still work, but tricking the server is much harder. This can be made more secure by validating the user's purchase receipt against the purchase history from Google's servers. This, however, is not completely secure. Game hackers can always come up with server-side exploits or even a fake server. Server-based games like Clash of Clans already have many mods and even private servers.
- Prevent apps from running on rooted devices: Most of these in-app purchase tricks work only on rooted devices. Making the app refuse to run on rooted devices can prevent the fraudulent activity to a certain extent. However, non-root hacking apps like CreeHack are also available these days. You can see a demo of how CreeHack works on a non-rooted device below.
- Upgrade App Billing Format: Apps like Freedom fake Google billing format 2 or 3. Upgrading the app to the latest available billing format will prevent this. This is why some apps don't work with CreeHack.
- Google Play/Apple licensing and security best practices: Adhering strictly to the timely security measures provided by the app platforms could prevent In-App purchase hacks.
- Enable Multiplayer Interaction: This is a good practice for server-based games and acts as an added security measure. It is rather difficult to tamper with multiple clients at once to forge virtual goods.
These are some of the ways in which apps get hacked and possible solutions for them. However, games and apps can also be manipulated by altering local storage. To fight these fraudulent changes, devs can implement periodic validation of purchases and make use of analytics to monitor and flag potential cases of abuse.
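The server-side validation and abuse-flagging steps described above can be sketched as follows. This is an added example, not code from the original post: `GrantService`, `fake_store_lookup` and the record fields are hypothetical, and the lookup stands in for a query to the store's purchase records.

```python
# Added example: the server grants an item only after the store confirms the purchase.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample of what the store knows; a real server would query the
# store's purchase-lookup API here instead (stand-in, not a real API client).
FAKE_STORE = {
    "tok-real-1": {"product_id": "gems_100", "state": "purchased"},
    "tok-refund-2": {"product_id": "gems_100", "state": "cancelled"},
}

def fake_store_lookup(token: str) -> Optional[dict]:
    """Hypothetical lookup: returns the store's record for a token, or None."""
    return FAKE_STORE.get(token)

@dataclass
class GrantService:
    store_lookup: Callable[[str], Optional[dict]]
    redeemed: set = field(default_factory=set)   # tokens already turned into goods
    flagged: list = field(default_factory=list)  # rejected attempts, for abuse review

    def redeem(self, user_id: str, product_id: str, token: str):
        """Return (granted, reason). Nothing the client claims is trusted."""
        if token in self.redeemed:
            return self._reject(user_id, token, "token already redeemed")
        record = self.store_lookup(token)
        if record is None:
            # The purchase was "completed" on the device but the store never saw it.
            return self._reject(user_id, token, "token unknown to store")
        if record["product_id"] != product_id:
            return self._reject(user_id, token, "product mismatch")
        if record["state"] != "purchased":
            return self._reject(user_id, token, "purchase not in purchased state")
        self.redeemed.add(token)
        return True, "granted"

    def _reject(self, user_id, token, reason):
        self.flagged.append((user_id, token, reason))
        return False, reason

if __name__ == "__main__":
    svc = GrantService(fake_store_lookup)
    print(svc.redeem("alice", "gems_100", "tok-real-1"))    # genuine purchase
    print(svc.redeem("alice", "gems_100", "tok-real-1"))    # same receipt replayed
    print(svc.redeem("bob", "gems_100", "tok-local-only"))  # never reached the store
    print(svc.flagged)
```

The `flagged` list is the input for the analytics step: repeated rejections for one account are a signal worth reviewing.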