Fighting In-App Purchase Hacks
Combating fraudulent game exploitation
● Open Source Company
● 400 Million Installs via 4,000+ games
● Data Sharing Network
Games Unite
About Us
Fight Back
Developers should fight hacking in their games.
Why?
● Single player games build interpersonal competition.
● Word of mouth is the best game sharing experience.
● Unhacked game results build enthusiasm for playing.
● Necessary for keeping accurate analytics.
● And most importantly, hacked games mean lost money!
How Games Get Hacked 1: File Overwriting
Hackers search games for important files and variables containing the current game score, currency balance, and level progression.
They change these values to their benefit.
How Games Get Hacked 2: Fake In-Game Purchases
This is done by faking communications with the game server.
Certain programs that make this possible are found online.
More details on IAP hacks here
Preventing Hacking 1: Encrypt your data.
This way, a file that contains the balance of 225 coins is difficult to find and edit.
SOOMLA does this for you when you use SOOMLA Store in your game!
Preventing Hacking 2: Use a dedicated server to protect in-app purchases
When a client buys something from an app, they are sent an electronic receipt. The receipt is usually validated with the App Store or Google Play to make sure the purchase is ok.
Hacking software intercepts requests to the App Store or Google Play and emulates their behavior. So, it is best to use a private dedicated server to do the verifying. This makes it much harder for hackers.
SOOMLA also provides this receipt validation server!
After verifying, take an extra step and check for suspicious activity. Compare the transactions from Google and Apple to the transactions that happened in a game. Find if any purchases appear in a game’s log but are not accounted for with a receipt. The users with those purchases are hackers.
Fraud Indicators
A few other things to look for:
1. Multiple purchases with little or no time between them
2. Economy Exhaustion: Purchases of all virtual items in an economy in a short period of time.
3. Over $50 worth of purchases by a given user in a single day
4. Balance changes greater than the largest amount of coins available for purchase
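As an added example (not SOOMLA's code and not part of the original slides), the receipt reconciliation and the four fraud indicators above can be run as one pass over a purchase log. The record layout, item ids, the 5-second gap and the 10-minute window are assumptions; only the $50 daily limit comes from the slides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Field names, item ids and time windows are assumptions.
CATALOG = {"coins_100": (0.99, 100), "coins_500": (3.99, 500),
           "coins_5000": (29.99, 5000)}            # item: (price in USD, coins granted)
RECEIPTS = {"r1", "r2", "r3", "r4", "r5", "r6", "r7"}  # validated by your own server
T0 = datetime(2024, 1, 1, 12, 0, 0)
GAME_LOG = [  # (user, item, receipt id reported by the client, time)
    ("alice", "coins_100", "r1", T0),
    ("alice", "coins_500", "r2", T0 + timedelta(hours=5)),
    ("bob", "coins_5000", None, T0),                      # purchase with no receipt
    ("carol", "coins_100", "r3", T0),
    ("carol", "coins_500", "r4", T0 + timedelta(seconds=2)),
    ("carol", "coins_5000", "r5", T0 + timedelta(seconds=4)),
    ("dave", "coins_5000", "r6", T0),
    ("dave", "coins_5000", "r7", T0 + timedelta(hours=3)),
]
BALANCE_CHANGES = [("alice", 500), ("erin", 99999)]  # (user, coins added in one change)

def fraud_flags(log, receipts, catalog, balance_changes, min_gap=timedelta(seconds=5),
                exhaust_window=timedelta(minutes=10), daily_limit=50.0):
    """Return {user: [indicator names]} for every user that trips a check."""
    flags, by_user = defaultdict(set), defaultdict(list)
    for user, item, receipt, ts in sorted(log, key=lambda e: e[3]):
        if receipt not in receipts:              # in the game log, not in store records
            flags[user].add("no_receipt")
        by_user[user].append((ts, item))
    for user, events in by_user.items():
        # 1. Multiple purchases with little or no time between them.
        if any(b[0] - a[0] <= min_gap for a, b in zip(events, events[1:])):
            flags[user].add("rapid_purchases")
        # 2. Economy exhaustion: every catalog item bought inside one window.
        for start, _ in events:
            bought = {it for ts, it in events if timedelta(0) <= ts - start <= exhaust_window}
            if bought >= set(catalog):
                flags[user].add("economy_exhaustion")
        # 3. Over $50 of purchases by one user in a single day.
        spend = defaultdict(float)
        for ts, item in events:
            spend[ts.date()] += catalog[item][0]
        if any(total > daily_limit for total in spend.values()):
            flags[user].add("daily_spend")
    # 4. Balance change larger than the biggest coin pack on sale.
    max_pack = max(coins for _, coins in catalog.values())
    for user, delta in balance_changes:
        if delta > max_pack:
            flags[user].add("balance_jump")
    return {user: sorted(names) for user, names in flags.items()}

if __name__ == "__main__":
    print(fraud_flags(GAME_LOG, RECEIPTS, CATALOG, BALANCE_CHANGES))
```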
What happens after identifying hackers?
Fix your data
Correct your analytics data to remove instances of hackers.
Punish the Hackers
● Ban the hackers from your game.
● Remove their excess virtual goodies.
● Increase the difficulty of the game for the hackers.
● Disable the hackers from sharing their scores.
● “Brick the Game”: Inform the hackers that they are blocked from the game because they were identified as hackers. Encourage them to play fair by resetting the game.
Further Reading
● iOS Receipt Validation (SOOMLA Blog)
● Android Receipt Validation (SOOMLA Blog)
● Setting up Google Play Purchase Verification