
Fighting In-App Purchase Hacks

Combating fraudulent game exploitation - what every indie developer should know about IAP and how to protect against hackers.

Published in: Technology

  1. Fighting In-App Purchase Hacks: Combating fraudulent game exploitation
  2. About Us: Open Source Company; 400 Million Installs via 4,000+ games; Data Sharing Network. Games Unite
  3. Fight Back: Developers should fight hacking in their games.
  4. Why? Single player games build interpersonal competition.
  5. Why? Word of mouth is the best game sharing experience.
  6. Why? Unhacked game results build enthusiasm for playing.
  7. Why? Necessary for keeping accurate analytics.
  8. Why? And Most Importantly,
  9. Why? Hacked games mean lost money!
  10. How Games Get Hacked 1: File Overwriting
  11. File Overwriting: Hackers search games for important files and variables containing the current game score, currency balance, and level progression.
  12. File Overwriting: They change these values to their benefit.
  13. How Games Get Hacked 2: Fake In-Game Purchases
  14. Fake In-Game Purchases: This is done by faking communications with the game server.
  15. Fake In-Game Purchases: Certain programs that make this possible are found online. More details on IAP hacks here
  16. Preventing Hacking 1: Encrypt your data.
  17. Preventing Hacking 1: This way, a file that contains the balance of 225 coins is difficult to find and edit.
  18. Preventing Hacking 1: SOOMLA does this for you when you use SOOMLA Store in your game!
  19. Preventing Hacking 2: Use a dedicated server to protect in-app purchases
  20. Preventing Hacking 2: When a client buys something from an app they are sent an electronic receipt.
  21. Preventing Hacking 2: The receipt is usually validated with the App Store or Google Play to make sure the purchase is ok.
  22. Preventing Hacking 2: Hacking software intercepts requests to the App Store or Google Play and emulates their behavior.
  23. Preventing Hacking 2: So, it is best to use a private dedicated server to do the verifying.
  24. Preventing Hacking 2: This makes it much harder for hackers.
  25. Preventing Hacking 2: SOOMLA also provides this receipt validation server!
  26. Preventing Hacking 2: After verifying, take an extra step and check for suspicious activity.
  27. Preventing Hacking 2: Compare the transactions from Google and Apple to the transactions that happened in a game.
  28. Preventing Hacking 2: Find if any purchases appear in a game’s log but are not accounted for with a receipt.
  29. Preventing Hacking 2: The users with those purchases are hackers.
  30. Fraud Indicators: A few other things to look for:
  31. Fraud Indicators 1: Multiple purchases with little or no time between them
  32. Fraud Indicators 2: Economy Exhaustion. Purchases of all virtual items in an economy in a short period of time.
  33. Fraud Indicators 3: Over $50 worth of purchases by a given user in a single day
  34. Fraud Indicators 4: Balance changes greater than the largest amount of coins available for purchase
  35. What happens after identifying hackers?
  36. Fix your data: Correct your analytics data to remove instances of hackers.
  37. Punish the Hackers: Ban the hackers from your game. Remove their excess virtual goodies.
  38. Punish the Hackers: Increase the difficulty of the game for the hackers. Disable the hackers from sharing their scores.
  39. Punish the Hackers: “Brick the Game”. Inform the hackers that they are blocked from the game because they were identified as hackers. Encourage them to play fair by resetting the game.
  40. Further Reading: iOS Receipt Validation (SOOMLA Blog); Android Receipt Validation (SOOMLA Blog); Setting up Google Play Purchase Verification
  41. Games Unite!
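
The receipt reconciliation from slides 27 to 29 and the four fraud indicators from slides 31 to 34 can run as one server-side pass over the game's purchase log. The sketch below is an added example, not SOOMLA's code; the catalogue, the 5-second and 1-hour thresholds, the record layouts and the name `flag_users` are assumptions, and only the $50 daily limit comes from the slides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed catalogue: item -> (price in USD, coins granted). Constructed values.
CATALOGUE = {"coins_s": (0.99, 100), "coins_m": (4.99, 600), "coins_l": (19.99, 3000)}
MIN_GAP = timedelta(seconds=5)       # assumed reading of "little or no time"
EXHAUST_WINDOW = timedelta(hours=1)  # assumed reading of "a short period of time"
DAILY_LIMIT = 50.0                   # the slides' $50-per-day indicator

def flag_users(game_log, receipts, balance_changes):
    """Return {user: set of reasons}. game_log rows: (user, order_id, item, ts);
    receipts: order ids the store confirmed; balance_changes: (user, coin delta)."""
    flags = defaultdict(set)
    by_user = defaultdict(list)
    for user, order_id, item, ts in game_log:
        if order_id not in receipts:           # in the game's log, no store receipt
            flags[user].add("no_receipt")
        by_user[user].append((ts, item))
    for user, rows in by_user.items():
        rows.sort()
        if any(b[0] - a[0] <= MIN_GAP for a, b in zip(rows, rows[1:])):
            flags[user].add("rapid_purchases")
        for i, (start, _) in enumerate(rows):  # every item bought inside one window
            items = {it for ts, it in rows[i:] if ts - start <= EXHAUST_WINDOW}
            if items >= set(CATALOGUE):
                flags[user].add("economy_exhaustion")
                break
        spend = defaultdict(float)
        for ts, item in rows:
            spend[ts.date()] += CATALOGUE[item][0]
        if any(total > DAILY_LIMIT for total in spend.values()):
            flags[user].add("over_daily_limit")
    biggest = max(coins for _, coins in CATALOGUE.values())
    for user, delta in balance_changes:
        if delta > biggest:                    # more coins than any pack grants
            flags[user].add("oversized_balance_change")
    return dict(flags)

# Constructed sample data: alice plays normally, mallory trips every check.
T0 = datetime(2024, 1, 1, 12, 0, 0)
LOG = [
    ("alice", "A1", "coins_s", T0), ("alice", "A2", "coins_m", T0 + timedelta(hours=3)),
    ("mallory", "M1", "coins_s", T0),
    ("mallory", "M2", "coins_m", T0 + timedelta(seconds=2)),
    ("mallory", "M3", "coins_l", T0 + timedelta(seconds=4)),
    ("mallory", "M4", "coins_l", T0 + timedelta(minutes=5)), ("mallory", "M5", "coins_l", T0 + timedelta(minutes=9)),
]
RECEIPTS = {"A1", "A2", "M1"}  # order ids confirmed by the store
BALANCE = [("alice", 600), ("mallory", 50000)]
```

The flags feed the cleanup steps in slides 36 to 39; every threshold here needs tuning against the game's real purchase patterns before anyone is banned on it.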