Fraud is a bigger problem than you might think

In-app purchase fraud is a big problem. A recent case study by soom.la found that 55.7% of purchases are fraud, contributing to 72.9% of the lost revenue. Fortunately, our Fraud Shield prevents fraud from every known attack vector.

Our Fraud Shield does more than simply verify in-app purchase receipts with the marketplace APIs; we employ every built-in security feature available in the in-app purchase receipts, including RSA Signature Validation and several other techniques to protect your revenue.

RSA Signature Validation

Every iTunes in-app purchase receipt contains a 256-bit RSA signature signed by Apple's private key. Every Google Play purchase includes a 256-bit RSA signature that is individually signed by the app publisher's license key.

Our Fraud Shield verifies the signatures against the purchase data to ensure the receipt originated from the marketplace and remains intact.

SHA-1 Hash Verification

A little-known security feature available in iTunes in-app purchase receipts is the SHA-1 hash. It is a digest produced from the receipt's opaque value, the bundle ID and the identifier for vendor (a unique identifier for the iTunes user account in the context of the app publisher).

The receipt itself does not contain the identifier for vendor; rather, it is made available through a method built into iOS, macOS and tvOS.

Our Fraud Shield reconstructs the SHA-1 hash when the identifier for vendor is included in the app's RPC request and attempts to verify it against the receipt's hash. If the identifier is different, the reconstructed SHA-1 hash will not match the receipt's SHA-1 hash. This prevents fraud attacks that attempt to use a valid receipt that does not belong to the iTunes user who made the purchase.
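The check described above can be sketched as follows; this is an added example, not Fraud Shield's own code. It assumes the receipt fields were already extracted from a signature-verified receipt and that the hash input order is identifier, opaque value, bundle ID, as in Apple's local receipt validation guidance. All names and sample values are hypothetical and constructed.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ReceiptFields:
    """Fields assumed already extracted from a signature-verified receipt."""
    opaque_value: bytes   # the receipt's opaque value
    bundle_id: bytes      # bundle ID bytes exactly as stored in the receipt
    sha1_hash: bytes      # 20-byte digest carried in the receipt

def expected_hash(idfv: uuid.UUID, receipt: ReceiptFields) -> bytes:
    # Assumed input order: 16 raw UUID bytes, opaque value, bundle ID.
    h = hashlib.sha1()
    h.update(idfv.bytes)
    h.update(receipt.opaque_value)
    h.update(receipt.bundle_id)
    return h.digest()

def check_device_binding(idfv_text: Optional[str], receipt: ReceiptFields) -> str:
    """Return 'skipped', 'malformed', 'match' or 'mismatch'."""
    if not idfv_text:
        return "skipped"      # the request did not include the identifier
    try:
        idfv = uuid.UUID(idfv_text)
    except ValueError:
        return "malformed"    # not a parseable UUID
    if len(receipt.sha1_hash) != hashlib.sha1().digest_size:
        return "malformed"    # receipt hash is not a SHA-1 digest
    # Constant-time comparison of the rebuilt digest with the receipt's digest.
    ok = hmac.compare_digest(expected_hash(idfv, receipt), receipt.sha1_hash)
    return "match" if ok else "mismatch"

# Constructed sample data, not taken from a real receipt.
BUYER_IDFV = "6F9619FF-8B86-D011-B42D-00C04FC964FF"
OTHER_IDFV = "123E4567-E89B-12D3-A456-426614174000"
_fields = ReceiptFields(b"\x01\x02\x03\x04constructed-opaque", b"com.example.game", b"")
SAMPLE = ReceiptFields(_fields.opaque_value, _fields.bundle_id,
                       expected_hash(uuid.UUID(BUYER_IDFV), _fields))

if __name__ == "__main__":
    for label, idfv in [("buyer", BUYER_IDFV), ("other device", OTHER_IDFV), ("absent", None)]:
        print(label, "->", check_device_binding(idfv, SAMPLE))
```

A "mismatch" result is the case the paragraph describes: a genuine receipt submitted alongside an identifier that is not the purchaser's.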

Register for early access

  • Unlimited 30 day free trial
  • 2,500 free events / month

Frequently Asked Questions

Fraud Shield

Do you catch all fraud attempts?

All known fraud attacks are caught, and we are constantly monitoring and analyzing the data to discover and ensure protection against anything we haven't seen before.

How do users commit IAP Fraud?

Typically an app such as Freedom, iAP Cracker or iAPFree is used on a jailbroken or rooted device. These apps manipulate the code of the target app to fake the purchase flow, replacing the communication layer to the marketplace with their own.