j3k0 / cordova-plugin-purchase

In-App Purchase for Cordova on iOS, Android and Windows
https://purchase.cordova.fovea.cc

Safari developer mode hacks? #462

Closed Danbardo closed 6 years ago

Danbardo commented 8 years ago

Hey,

I apologise in advance if this is a silly question, but:

What's stopping someone from plugging their iPhone into a Mac, opening up Safari in Developer mode, then manually running success functions to exploit consumable products?

E.g. I have a consumable called "lives", when a purchase is complete the success function is giveLife().

What's stopping someone from running the function giveLife() manually in the application via the Safari developer console?

Thanks

j3k0 commented 8 years ago

I'm not sure if apps built in release mode (downloaded through the App Store) can be inspected using Safari developer mode (can they?). If yes, then if all the logic is client side, hacking can't be prevented... People can override anything in your code, calling giveLife but also replacing getNumberOfLives with something that always returns 999999. Anyway, probably only a very small percentage of users will go to the trouble of exploiting this.

There's only one secure way to prevent hacking: implement the logic server side. You should have a server API giveLife that requires a valid transaction receipt that was never used before as proof that you can be awarded some more lives. The server then knows for sure how many lives a user has, because transaction receipts can't be faked.

You should then make sure the server allows the player to play. For example, if it's a game, the structure of the levels can be stored server side, the server will provide the data only if the user has lives.

This is just an example of how to make your app secure; it's a lot of extra trouble.

Danbardo commented 8 years ago

Thanks for the quick response,

Lucky you pointed that out. I'd released an application a few months ago and never downloaded the App Store version; it was still the developer-signed version I had on my device. I reinstalled the distribution copy and the application no longer appears in Safari.

Another reason I asked was that I was wondering what the "validation url" is for. I was hoping that it'd be a way to do a server-side check: `store.validator = "http://192.168.0.7:1980/check-purchase";`

j3k0 commented 8 years ago

The validation url is indeed a link to a server; it allows you to prevent fake transactions from being used to unlock content (something allowed on jailbroken devices). With that in place, hacking requires an extra step: changing the source code of the app. It's still not the silver bullet described above, but a first step.

We're actually building the above-described silver bullet for you. https://billing.fovea.cc/ public release is set to be in a couple of weeks. We're trying to identify basic use cases and provide secure server-side solutions for those. (Link not functional yet, added for future reference.)

You can also implement it on your own; the validation URL's expected protocol is documented.

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.