Fighting In-App Purchase Hacks

Transcript

1. Fighting In-App Purchase Hacks Combating fraudulent game exploitation

2. • Open Source Company • 400 Million Installs via 4,000+

   games • Data Sharing Network Games Unite About Us

3. Developers should fight hacking in their games. Fight Back

4. Single player games build interpersonal competition. Why?

5. Word of mouth is the best game sharing experience. Why?

6. Unhacked game results build enthusiasm for playing. Why?

7. Necessary for keeping accurate analytics. Why?

8. And Most Importantly, Why?

9. Hacked games mean lost money! Why?

10. File Overwriting How Games Get Hacked 1

11. Hackers search games for important files and variables containing the

    current game score, currency balance, and level progression. File Overwriting

12. They change these values to their benefit. File Overwriting 010101110110010101

    010101110110111100 001110110001101010 111100010110101010 1010101011110

13. Fake In-Game Purchases How Games Get Hacked 2

14. This is done by faking communications with the game server.

    Fake In-Game Purchases

15. Certain programs that make this possible are found online. More

    details on IAP hacks here Fake In-Game Purchases

16. Encrypt your data. Preventing Hacking 1

17. This way, a file that contains the balance of 225

    coins is difficult to find and edit. Preventing Hacking 1

18. SOOMLA does this for you when you use SOOMLA Store

    in your game! Preventing Hacking 1

19. Use a dedicated server to protect in- app purchases Preventing

    Hacking 2

20. When a client buys something from an app they are

    sent an electronic receipt. Preventing Hacking 2

21. The receipt is usually validated with the App Store or

    Google Play to make sure the purchase is ok. Preventing Hacking 2

22. Hacking software intercepts requests to the App Store or Google

    Play and emulates their behavior. Preventing Hacking 2

23. So, it is best to use a private dedicated server

    to do the verifying. Preventing Hacking 2

24. This makes it much harder for hackers. Preventing Hacking 2

25. SOOMLA also provides this receipt validation server! Preventing Hacking 2

26. After verifying, take an extra step and check for suspicious

    activity. Preventing Hacking 2

27. Compare the transactions from Google and Apple to the transactions

    that happened in a game. Preventing Hacking 2

28. Find if any purchases appear in a game’s log but

    are not accounted for with a receipt. Preventing Hacking 2

29. The users with those purchases are hackers. Preventing Hacking 2

30. A few other things to look for: Fraud Indicators

31. Multiple purchases with little or no time between them Fraud

    Indicators 1

32. Economy Exhaustion Purchases of all virtual items in an economy

    in a short period of time. Fraud Indicators 2

33. Over $50 worth of purchases by a given user in

    a single day Fraud Indicators 3

34. Balance changes greater than the largest amount of coins available

    for purchase Fraud Indicators 4

35. What happens after identifying hackers?

36. Fix your data Correct your analytics data to remove instances

    of hackers.

37. Punish the Hackers Ban the hackers from your game. Remove

    their excess virtual goodies.

38. Punish the Hackers Increase the difficulty of the game for

    the hackers Disable the hackers from sharing their scores

39. Punish the Hackers “Brick the Game” Inform the hackers that

    they are blocked from the game because they were identified as hackers. Encourage them to play fair by resetting the game.

40. Further Reading • iOS Receipt Validation (SOOMLA Blog • Android

    Receipt Validation (SOOMLA Blog) • Setting up Google Play Purchase Verification

41. Games Unite!