Thread: Secure in-app purchases

  1. #1
    SoftWarewolf

    A lot of users in my online game have way too much currency. I started logging it on my server, and most purchases, especially the big ones, are illegitimate. Apparently it's done through something called Freedom or Freecard, a hack that enables users to buy in-app products for free. Whenever I see someone buying 4-5 of my biggest purchases in a row, I am manually disabling features for that user, but I am looking to secure it properly and automatically. (So far I have taken action against 37 of the worst offenders.)

    Is there a way my server could verify if a purchase is valid? I imagine I could send a GET request to my own server after retrieving purchased items from the inventory query and then delay consuming the products until I get a response. But I haven't figured out how my server can tell if it's valid or not (using PHP). I can obviously tell by manually looking at my Google merchant account, but is it possible to extract this data to my own server? Or secure it another way?

  2. #2
    piscesdreams
    I just read about Freedom. +1 to secure IAPs.

  3. #3
    Jeff
    Interesting topic.
    Sure seems like something Google needs to fix at the base of the problem.
    I am not even sure how you can counter this since it's a general fault of the Google in-app purchasing system.

    Is there any advice you have found from some of the big Android developers on how they prevent the fault?
    Maybe we could put together some advice for other Fusion users on how to protect their apps.

  4. #4
    Fernando
    Sorry, I had been absent; I had some problems with my laptop (Vista) during the whole weekend, but now I have almost corrected them.

    Inside the In-App object you have one action where you set a developer payload, where you can add a string that will be saved when you do the purchase process, and it can be different or set as you need it. This is the best way to control the purchase process. You can also save data and save the string you use to register the purchase among a variable name; this saving process saves the string in a private way (encrypted).

    What I will add inside the Android object is a new expression to read the email account used to buy the goods, which you may also use to verify the origin.

    If you find any other way implemented by others, please let me know.
    Regards,


    Fernando Vivolo

    ... new things are coming ...

  5. #5
    piscesdreams
    Excellent. Thanks Fernando!

  6. #6
    SoftWarewolf
    Freedom already got the payload cracked; it's returning the same payload as I am giving it. Getting the user's email wouldn't really help me, I think.

  7. #7
    Fernando
    It does if you do a dynamic payload: not the same one, but a unique payload for each purchase.
    Regards,


    Fernando Vivolo


  8. #8
    SoftWarewolf
    That doesn't make sense to me, since the first purchase (with unique payload) goes through.
    But I found one way that might be very effective: the legit order IDs are long floats, but the Freedom order IDs are integers. I just check if the order ID string is longer than 25; if it's not, then I consume without adding in-game data and display an error.

  9. #9
    Fernando
    Try it and let us know how it goes.
    Regards,


    Fernando Vivolo


  10. #10
    Muldoon
    I found this posted HERE:

    Check the orderId returned. Correct orderIDs are of the form: [merchant ID].[actual order ID]
    Find your merchant ID in your Wallet account (last line on order page) and check in your app if it's the same.
    As the Freedom hack cannot by any means know your Wallet ID, the returned ID of hacked payments differs.
    Just refuse those payments.
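
An added PHP example for the server side of this thread, not code from any poster or from Clickteam: it combines the unique payload per purchase (post #7) and the merchant-ID prefix on the order ID (post #10) and, going beyond the thread, verifies the RSA signature Google Play returns with the purchase data. It assumes the app can forward the raw purchase JSON and its signature to the server; MERCHANT_ID, the key pair, the user name and all sample values are constructed placeholders.

```php
<?php
// Added example. MERCHANT_ID, the key pair and every sample value are constructed.
const MERCHANT_ID = '01234567890123456789'; // placeholder for your own merchant ID

// Issue a unique payload for one purchase and remember who it belongs to.
function issue_payload(array &$issued, string $user): string {
    $payload = bin2hex(random_bytes(16));
    $issued[$payload] = ['user' => $user, 'used' => false];
    return $payload;
}

// Returns the list of failed checks; an empty list means the purchase is credited.
function check_purchase(array &$issued, string $user, string $json,
                        string $sigB64, string $pubKeyPem): array {
    $fail = [];
    // Assumption: the app forwards Google Play's signed purchase JSON and signature.
    $sig = base64_decode($sigB64, true);
    if ($sig === false || openssl_verify($json, $sig, $pubKeyPem, OPENSSL_ALGO_SHA1) !== 1) {
        $fail[] = 'signature';
    }
    $p = json_decode($json, true);
    // Post #10: real order IDs have the form [merchant ID].[actual order ID].
    if (strpos((string)($p['orderId'] ?? ''), MERCHANT_ID . '.') !== 0) {
        $fail[] = 'orderId';
    }
    // Post #7: the payload must be one this server issued to this user, still unused.
    $payload = (string)($p['developerPayload'] ?? '');
    $entry = $issued[$payload] ?? null;
    if ($entry === null || $entry['user'] !== $user || $entry['used']) {
        $fail[] = 'payload';
    }
    if ($fail === []) {
        $issued[$payload]['used'] = true; // one credited purchase per payload
    }
    return $fail;
}

// Demo: a throwaway RSA key stands in for the app's Google Play licensing key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$issued = [];
$json = json_encode(['orderId' => MERCHANT_ID . '.1234567890123456',
                     'developerPayload' => issue_payload($issued, 'user42')]);
openssl_sign($json, $sig, $key, OPENSSL_ALGO_SHA1);
// A signed purchase, the same purchase reported again, then an unsigned report
// that echoes a freshly issued payload back with an integer order ID.
$forged = json_encode(['orderId' => '7412589630', 'developerPayload' => issue_payload($issued, 'user42')]);
foreach ([[$json, base64_encode($sig)], [$json, base64_encode($sig)], [$forged, '']] as [$j, $s]) {
    echo json_encode(check_purchase($issued, 'user42', $j, $s, $pub)), "\n";
}
```

In production the public key is the app's base64 licensing key from the developer console, wrapped in `-----BEGIN PUBLIC KEY-----` / `-----END PUBLIC KEY-----` lines at 64 characters per line, and the issued payloads live in a database table rather than an array.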
