informa
5 MIN READ
Featured Blog

Defend your games against In-App Purchase attacks

In-App Purchase attacks are a big threat to the gaming community. Protect your games against 7 complex attacks, and prevent malicious players from harming your growth.

The original author of the article is Andrei Mihu who is working on a Game Backend project. He has previously built large-scale, distributed systems for everything from finance to public transit. This is a cross-post from the GameUp Blog.

Hard, good-quality work deserves reward. As much as developers want to entice and entertain the widest possible audience, sooner or later that audience must give back. It’s the only sustainable way for developers to support themselves, and in turn continue to deliver improvements to their games.

The spectrum of monetisation models and tools is extremely wide. From ad-supported, microtransactions, freemium, one-off purchases, and everything in between. Each of these has its place, but let’s focus on the most popular model today.

Microtransactions

The history of microtransactions is quite organic, which makes it difficult to pin down specifics. According to various sources, at some point in 2011 they became the main source of revenue for the vast majority of top app store games. Since then their share in revenue generation has only increased, with gamers becoming more and more accustomed to the faster, smoother, and more convenient purchasing experience.

In-App Purchases in particular are a valuable, low-friction monetisation tool which enables single purchases for in-game consumables, subscriptions for premium access, and more. It also has great support from official platforms like Google Play and Apple App Store.

And therein lies the problem: when there’s something to gain, there are always those looking to cheat the system, and popular tools only present more incentive to do so.

The Problem

The vast majority of gamers understand that the quality game experiences they’ve come to expect cannot feasibly be delivered completely free of charge, and are willing to fairly compensate developers. The keyword here being ‘fair’ - the dynamic changes somewhat when fair compensation gives way to profit at any cost!

But alongside the well-meaning majority, there are a few who expect something for nothing, and are willing to cheat their way to premium rewards and content.

The list of attacks is endless - with more surfacing constantly:

Fake Purchase Responses - Always a popular one, payment never happens but the game client is fed a ‘successful’ purchase response regardless. Some attacks of this nature are quite convoluted, but get more practical with each iteration.

Replay Attacks - Submitting a valid purchase response to the game client multiple times to obtain the same reward again. Particularly relevant when the item being purchased gives a repeatable boost, such as adding some amount of a premium currency to the in-game account.

Receipt Sharing - Capturing a purchase response, sharing it with someone else, and allowing them to receive the same reward.

Product Mismatches - Intercepting purchase responses and altering them in an attempt to use a valid (cheap) purchase to unlock a different (expensive) reward.

Subscription Expiry - Valid subscription purchases eventually expire, and must constantly be checked to ensure premium features or purchased benefits are only available while the subscription is valid.

Purchase Cancellation - Purchases can easily be cancelled outside the scope of the game client, so games must be able to withdraw purchase benefits when cancellations are detected.

Altering Source of Truth - Gamers often change devices or even use multiple devices at once. The client’s local storage is not a reliable source of purchase logs, reward status, or usage history as rooting/jailbreaking opens up a number of options for storage manipulation.

How Worried Should I Be?

Losses from In-App Purchase attacks vary greatly based on each game’s popularity, genre, and monetisation strategy. It’s difficult to even monitor such activity, let alone quantify the loss - after all, not every user abusing the system would be a paying customer if the loophole wasn’t available.

Financial losses aside, there are hidden costs to allowing such activity to continue unhindered.

Paid gameplay upgrades need careful balancing to ensure gamers are encouraged to upgrade without giving a disproportionate advantage. The balance can be quite subtle, but failing to achieve it usually results in limited growth as new users are overwhelmed by the gulf between paid and non-paid status, and abandon the game before forming an attachment.

Allowing unchecked In-App Purchase abuse easily results in a serious impact to game adoption when a small subset of gamers have unlimited access to premium rewards, raising the barrier to entry for newcomers.

The Solution

As a general rule clients and their data are vulnerable; clients should instead connect to external servers for verification.

When a trusted server environment is introduced, valuable validation steps can be added to the flow of each purchase:

  1. The transaction is reported to the server by the game client.
  2. Server verifies the purchase every time, before even checking if it has already been seen - this preserves the purchase provider as the single source of truth, eliminating many conflicting data set issues.
  3. Look for purchase cancellation or subscription expiry, if applicable.
  4. Check product being unlocked and product that was purchased are the same.
  5. Log purchases as they’re first seen, preventing replay attacks.
  6. Bind purchases to the gamer who submitted them.

All major platform purchase providers expose server-side endpoints for checking purchases, such as Google’s Play Store and Apple’s App Store.

In a perfect world, all purchase responses would be delivered to a server dedicated to each game, which tracks inventory and usage by each gamer. Even this isn’t completely foolproof but it’s all about raising the barrier for attackers.

Given the high time and cost commitment to building, running, and scaling a dedicated server backend, which understands game logic and item purchase behaviour, this may not be an option.

We’ve built a solution within GameUp for this problem we call our In-App Purchase Verification service. This solves the burden of deploying a custom verification server; as a ready-to-use API is instantly available and free for developers to use.

Summary

No system is 100% secure and at a certain point adding more security can be too complex and too costly for minimal benefit. Even worse a poor implementation of security can negatively impact the experience of legitimate users.

A verification server can defend against many options for abuse by gamers. It is enough to prevent both significant revenue loss and a dangerous negative impact on player user base growth.

Latest Jobs

Manticore Games

San Mateo, California
8.23.22
Senior Software Engineer - Mobile

Sony PlayStation

San Diego, California
6.23.22
Sr. Online Programmer

The Walt Disney Company

Glendale, California
8.1.22
Associate Marketing Manager - Walt Disney Games

Insomniac Games

Burbank, California
8.26.22
Accessibility Design Researcher
More Jobs   

CONNECT WITH US

Explore the
Subscribe to
Follow us

Game Developer Job Board

Game Developer Newsletter

@gamedevdotcom

Explore the

Game Developer Job Board

Browse open positions across the game industry or recruit new talent for your studio

Browse
Subscribe to

Game Developer Newsletter

Get daily Game Developer top stories every morning straight into your inbox

Subscribe
Follow us

@gamedevdotcom

Follow us @gamedevdotcom to stay up-to-date with the latest news & insider information about events & more