Fraud is a bigger problem than you might think
In-app purchase fraud is a big problem. A recent case study by soom.la found that 55.7% of purchases are fraudulent, accounting for 72.9% of the lost revenue. Fortunately our Fraud Shield prevents fraud from every known attack vector.
Our Fraud Shield does more than simply verify in-app purchase receipts with the marketplace APIs; we use every built-in security feature available in the in-app purchase receipts, including RSA signature validation and several other techniques, to protect your revenue.
RSA Signature Validation
Every iTunes in-app purchase receipt contains a 256-bit RSA signature signed with Apple's private key. Every Google Play purchase includes a 256-bit RSA signature signed individually with the app publisher's license key.
Our Fraud Shield verifies the signatures against the purchase data to ensure the receipt originated from the marketplace and has not been altered.
SHA-1 Hash Verification
A little-known security feature of iTunes in-app purchase receipts is the SHA-1 hash. It is a digest produced from the receipt's opaque value, the bundle ID and the identifier for vendor (a unique identifier for the iTunes user account in the context of the app publisher).
The receipt itself does not contain the identifier for vendor; instead, it is made available through a method built into iOS, macOS and tvOS.
Our Fraud Shield reconstructs the SHA-1 hash when the identifier for vendor is included in the app's RPC request and verifies it against the receipt's hash. If the identifier differs, the reconstructed SHA-1 hash will not match the receipt's SHA-1 hash. This prevents fraud attacks that attempt to reuse a valid receipt that does not belong to the iTunes user who made the purchase.
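The server-side check described above, as an added example that is not Fraud Shield's own code: it rebuilds the receipt's SHA-1 from the identifier for vendor, the opaque value and the bundle ID, and compares it in constant time against the hash carried in the receipt. The concatenation order (device identifier, opaque value, bundle identifier) and the handling of the identifier as 16 raw UUID bytes follow Apple's receipt validation documentation; all sample values are constructed.

```python
import hashlib
import hmac
import uuid

# Constructed sample values (not taken from any real receipt).
BUNDLE_ID = "com.example.app"
OPAQUE_VALUE = bytes.fromhex("00112233445566778899aabbccddeeff")
DEVICE_A = "0f9c4e0a-1b2b-4c3d-9e8f-0123456789ab"  # device that made the purchase
DEVICE_B = "7d6e5f4a-3b2c-4d1e-8f90-a1b2c3d4e5f6"  # a different device presenting the same receipt


def compute_receipt_hash(identifier_for_vendor: str, opaque_value: bytes, bundle_id: str) -> bytes:
    """Rebuild the receipt's SHA-1 digest from its three inputs.

    Order (device identifier, opaque value, bundle identifier) follows Apple's
    receipt validation documentation; identifierForVendor is a UUID string and
    is hashed as its 16 raw bytes, the bundle ID as UTF-8.
    """
    device_bytes = uuid.UUID(identifier_for_vendor).bytes
    return hashlib.sha1(device_bytes + opaque_value + bundle_id.encode("utf-8")).digest()


def verify_receipt_hash(receipt_hash: bytes, identifier_for_vendor, opaque_value: bytes, bundle_id: str) -> str:
    """Return 'ok', 'mismatch', or 'skipped' when the RPC request carried no identifier."""
    if identifier_for_vendor is None:
        return "skipped"
    expected = compute_receipt_hash(identifier_for_vendor, opaque_value, bundle_id)
    # Constant-time comparison so the response time does not reveal which bytes differ.
    return "ok" if hmac.compare_digest(expected, receipt_hash) else "mismatch"


# Simulate the hash the marketplace would have embedded in a receipt issued on DEVICE_A.
ISSUED_HASH = compute_receipt_hash(DEVICE_A, OPAQUE_VALUE, BUNDLE_ID)

if __name__ == "__main__":
    print(verify_receipt_hash(ISSUED_HASH, DEVICE_A, OPAQUE_VALUE, BUNDLE_ID))  # ok
    print(verify_receipt_hash(ISSUED_HASH, DEVICE_B, OPAQUE_VALUE, BUNDLE_ID))  # mismatch
    print(verify_receipt_hash(ISSUED_HASH, None, OPAQUE_VALUE, BUNDLE_ID))      # skipped
```

A receipt replayed from any device other than the one that purchased it fails with "mismatch", while requests that omit the identifier are reported as "skipped" so the caller can decide whether to accept them.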