In-App Purchase Validation

The spectrum of monetization models and tools is extremely varied, from ad-supported, microtransactions, freemium, one-off purchases, and everything in between. A key tool in many of these solutions is the In-App Purchase(IAP). IAPs enable single purchases for unlocks, in-game consumables, subscriptions for premium access, and more.

There are a number of readily available attacks against the most common in-app purchase implementations. These are usually focused around:

Feeding the client fake purchase responses which indicate success
Replaying a valid purchase response multiple times
Sharing a purchase response with another client, so multiple players can receive the reward from a single purchase

For in-app purchases a trusted source of truth is required. LayerG checks and tracks purchases and purchase history, solving a significant set of possible vulnerabilities and pain points:

Issue	Description
Fake Purchases	LayerG directly connects to Apple, Google and Huawei services to check the validity of all incoming purchase receipts. This verification is completely outside the client’s code, and cannot be intercepted and tampered with. Every purchase receipt is verified, every time, and invalid ones are rejected.
Replay Attacks	All transactions are logged, preventing multiple submissions of the same purchase token or receipt
Receipt Sharing	Successful transactions are bound to the account that submits them. Different users cannot submit the same transaction, even a valid one, in an attempt to receive the associated reward.
Product Mismatches	Each validated purchase receipt exposes data (e.g. product ID) that can be used to tie a purchase to a product, preventing attacks that attempt to use a valid (cheap) purchase to unlock a different (expensive) reward.
Single Source of Truth	While LayerG maintains an internal record of all transactions, the remote payment provider is always used for validation.

In-App Purchase Validation is available for Apple, Google, and Huawei purchases, regardless of platform. Both single product and subscription purchases are supported.

Apple and Google purchases made via Unity IAP are also supported.

Interpreting validation results

A validation result contains a list of validated purchases.

Because Apple may contain multiple purchases in a single receipt, each validated purchase in the resulting list will contain only the purchases which have been validated and a boolean value to indicate if it has been seen before or not. If a purchase has already been validated by LayerG previously then the “seen before” value will be true, allowing the developer to discriminate new purchases and protect against replay attacks.

For Google and Huawei, each validation corresponds to a single purchase, which is included in the validation response list and also has a “seen before” value as above.

Each validated purchase also includes the payload of the provider validation response, should the developer need it for any reason.

Should the purchase/receipt be invalid, the validation fail for any reason, or the provider be unreachable, an error will be returned.

Apple

LayerG supports validating purchases made for products and subscriptions in iOS.

Apple purchase receipts are sent to Apple for validation. As suggested by Apple, both Production and Sandbox servers are used to validate receipts.

Setup

To validate receipts against the App Store, LayerG requires your app’s shared secret.

From App Store Connect navigate to the General > App Information page and the App-Specific Shared Secret section:

Apple App Store Connect

Select Manage and in the dialog that appears, select Generate:

Generate Apple App Store Connect Shared Secret

Make a record of your shared secret for use in your LayerG configuration:

New Apple App Store Connect Shared Secret

Set the value of LayerG’s iap.apple.shared_password configuration flag to the value of the shared secret created above.

Validate purchase

LayerG only supports validating iOS 7+ receipts.

Apple receipts can contain multiple purchases, LayerG will validate all of them and store them as individual purchase records.

Refer to the function reference page for the provided runtime purchase validation functions.

Validate subscription

Refer to the function reference page for the provided runtime subscription validation functions.

IAP notifications

The Apple App Store supports Server Notifications to monitor IAP state updates, such as purchase refunds or subscription auto-renewals. LayerG supports receiving these notifications via a callback URL that can be activated and set up in App Store Connect to act upon a subset of these state updates.

To activate the callback URL the notifications_endpoint_id configuration needs to be set, and takes on the following path: /v2/console/apple/subscriptions/<notifications_endpoint_id>.

Once the URL is set up in both LayerG and App Store Connect, any Apple subscription that was previously validated using the LayerG API will automatically have its state updated via the real-time notifications so that, for example, auto-renewing subscriptions expiry time are automatically kept in sync with the App Store.

IAP refunds

The Apple App Store can send Server Notifications relating to refunded purchases and subscriptions.

After setting up the callback URL described in the IAP Apple Notifications section, it is possible to register hooks with custom code to handle a refund for either a purchase or subscription.

The hook will only be fired for purchases/subscriptions that were previously validated via the respective LayerG Apple IAP validation APIs.