Our iOS game went on sale a few days ago and has since received a lot of user recharges. But iTunes Connect shows only 2 of them. Someone must have cheated us.
First, we will introduce our verification process:
The phone initiates a recharge -> the purchase succeeds -> the client gets the Base64 receipt -> the receipt is sent to the game server for verification -> if verification succeeds, the server credits the player and returns the recharge result
At first glance there seems to be no problem. But there is a problem. I want to show you a magical Base64 receipt. The devil knows how they got hold of it. Hacker gods, please spare us.
A few accounts are involved. From the server log we can see the requests these people sent. The Base64 itself is not convenient to paste into a post.
"D:\Program Files (x86)\JetBrains\WebStorm 140.2753\bin\runnerw.exe" "C:\Program Files\iojs\node.exe" main.js
statusCode: 200
headers: { 'x-apple-jingle-correlation-key': 'L4AZATKFKDNN7WI2P3UEX3P3YY',
pod: '2',
'x-apple-translated-wo-url': '/WebObjects/MZFinance.woa/wa/verifyReceipt',
'x-apple-orig-url': 'http://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/verifyReceipt',
'x-apple-application-site': 'ST11',
'edge-control': 'no-store, cache-maxage=0',
date: 'Wed, 11 Mar 2015 06:03:14 GMT',
'set-cookie':
[ 'itspod=2; version="1"; expires=Sat, 11-Apr-2015 06:03:14 GMT; path=/; domain=.apple.com',
'mzf_in=022393; version="1"; path=/WebObjects; domain=.apple.com; secure; HttpOnly',
'mzf_dr=0; version="1"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/WebObjects; domain=.apple.com',
'ns-mzf-inst=36-60-80-109-96-8269-22393-2-st11; version=1; Max-Age=1800; path=/; domain=.apple.com; httponly',
'NSC_nagjobodf-bopo-qppm*0=ffffffff12a53a2d45525d5f4f58455e445a4a423660;path=/;secure;httponly' ],
'apple-timing-app': '9 ms',
'cache-control': 'private, no-cache, no-store, no-transform, must-revalidate, max-age=0',
expires: 'Wed, 11 Mar 2015 06:03:14 GMT',
'x-apple-lokamai-no-cache': 'true',
'x-apple-application-instance': '22393',
'x-frame-options': 'SAMEORIGIN',
itspod: '2',
'x-webobjects-loadaverage': '23',
connection: 'keep-alive',
'content-length': '631' }
{"status":0, "environment":"Production",
"receipt":{"receipt_type":"Production", "adam_id":958813739, "app_item_id":958813739, "bundle_id":"com.tsgame.godlike", "application_version":"2.2", "download_id":80011053156383, "version_external_identifier":811584718, "request_date":"2015-03-11 06:03:14 Etc/GMT", "request_date_ms":"1426053794658", "request_date_pst":"2015-03-10 23:03:14 America/Los_Angeles", "original_purchase_date":"2015-03-07 18:22:23 Etc/GMT", "original_purchase_date_ms":"1425752543000", "original_purchase_date_pst":"2015-03-07 10:22:23 America/Los_Angeles", "original_application_version":"2.2", "in_app":[]}}
Process finished with exit code 0
This is the validation information returned after the Base64 from those people (I do not know whether they did it intentionally or not) was submitted to ITC.
Yes, the status returned is 0.
But anyone who knows the new receipt format introduced after iOS 6 will surely notice it: why is there nothing in the in_app field?
I'm surprised, too. Why is there nothing? Presumably some advanced technique ... Almost all the verification posts on the Internet say that a returned status of 0 means OK. But in our situation, a returned 0 clearly does not settle the matter.
"D:\Program Files (x86)\JetBrains\WebStorm 140.2753\bin\runnerw.exe" "C:\Program Files\iojs\node.exe" main.js
statusCode: 200
headers: { 'x-apple-jingle-correlation-key': 'F6CPKDZP4ZVKJKKMOFLMRLY354',
pod: '54',
'x-apple-translated-wo-url': '/WebObjects/MZFinance.woa/wa/verifyReceipt',
'x-apple-orig-url': 'http://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/verifyReceipt',
'x-apple-application-site': 'ST13',
'edge-control': 'no-store, cache-maxage=0',
date: 'Wed, 11 Mar 2015 06:10:34 GMT',
'set-cookie':
[ 'itspod=54; version="1"; expires=Sat, 11-Apr-2015 06:10:34 GMT; path=/; domain=.apple.com',
'mzf_in=542401; version="1"; path=/WebObjects; domain=.apple.com; secure; HttpOnly',
'mzf_dr=0; version="1"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/WebObjects; domain=.apple.com',
'ns-mzf-inst=183-23-80-220-13-8162-542401-54-st13; version=1; Max-Age=1800; path=/; domain=.apple.com; httponly',
'NSC_nagjobodf-bopo-qppm*0=ffffffff12a5a90645525d5f4f58455e445a4a423660;path=/;secure;httponly' ],
'apple-timing-app': '9 ms',
'cache-control': 'private, no-cache, no-store, no-transform, must-revalidate, max-age=0',
expires: 'Wed, 11 Mar 2015 06:10:34 GMT',
'x-apple-lokamai-no-cache': 'true',
'x-apple-application-instance': '542401',
'x-frame-options': 'SAMEORIGIN',
itspod: '54',
'x-webobjects-loadaverage': '16',
connection: 'keep-alive',
'content-length': '1099' }
{"status":0, "environment":"Production",
"receipt":{"receipt_type":"Production", "adam_id":958813739, "app_item_id":958813739, "bundle_id":"com.tsgame.godlike", "application_version":"2.2", "download_id":74004963679107, "version_external_identifier":811584718, "request_date":"2015-03-11 06:10:34 Etc/GMT", "request_date_ms":"1426054234103", "request_date_pst":"2015-03-10 23:10:34 America/Los_Angeles", "original_purchase_date":"2015-03-08 07:26:30 Etc/GMT", "original_purchase_date_ms":"1425799590000", "original_purchase_date_pst":"2015-03-07 23:26:30 America/Los_Angeles", "original_application_version":"2.2",
"in_app":[
{"quantity":"1", "product_id":"Gifts1", "transaction_id":"340000061439445", "original_transaction_id":"340000061439445", "purchase_date":"2015-03-08 07:38:35 Etc/GMT", "purchase_date_ms":"1425800315000", "purchase_date_pst":"2015-03-07 23:38:35 America/Los_Angeles", "original_purchase_date":"2015-03-08 07:38:35 Etc/GMT", "original_purchase_date_ms":"1425800315000", "original_purchase_date_pst":"2015-03-07 23:38:35 America/Los_Angeles", "is_trial_period":"false"}]}}
Process finished with exit code 0
"in_app" is the key. I don't know why a receipt would come in with no purchase entries in it. This is really weird.
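A server-side check that treats status 0 as necessary but not sufficient, written here as an added example and not the game's own code. A status of 0 says the app receipt is genuine; purchases are listed in in_app, so the server should credit only a transaction it finds there and has not credited before. The function name, the allowed product list and the in-memory `redeemed` set are assumptions; the two sample objects are trimmed copies of the responses shown on this page.

```javascript
// Added example: decide whether a verifyReceipt response justifies crediting a player.
// Assumed values, taken from the responses shown on this page.
const EXPECTED_BUNDLE_ID = 'com.tsgame.godlike';
const PRODUCT_IDS = new Set(['Gifts1']);

// resp: parsed JSON body from verifyReceipt.
// claimedProductId: the product the client says it bought.
// redeemed: Set of transaction_ids already credited (a database table in production).
function checkReceipt(resp, claimedProductId, redeemed) {
  if (!resp || resp.status !== 0) return { ok: false, reason: 'status' };
  const r = resp.receipt || {};
  if (r.bundle_id !== EXPECTED_BUNDLE_ID) return { ok: false, reason: 'bundle_id' };
  const inApp = Array.isArray(r.in_app) ? r.in_app : [];
  // A valid app receipt with no purchases still verifies with status 0.
  if (inApp.length === 0) return { ok: false, reason: 'empty_in_app' };
  const fresh = inApp.filter(t =>
    t.product_id === claimedProductId &&
    PRODUCT_IDS.has(t.product_id) &&
    !redeemed.has(t.transaction_id));
  if (fresh.length === 0) return { ok: false, reason: 'no_new_matching_transaction' };
  // Credit exactly one transaction per request and record it, so a replay is refused.
  const tx = fresh[0];
  redeemed.add(tx.transaction_id);
  return { ok: true, transactionId: tx.transaction_id,
           productId: tx.product_id, quantity: Number(tx.quantity) };
}

// Trimmed copy of the first response on this page (status 0, empty in_app).
const emptyResponse = {
  status: 0, environment: 'Production',
  receipt: { bundle_id: 'com.tsgame.godlike', application_version: '2.2', in_app: [] }
};

// Trimmed copy of the second response on this page (one real purchase).
const paidResponse = {
  status: 0, environment: 'Production',
  receipt: { bundle_id: 'com.tsgame.godlike', application_version: '2.2',
    in_app: [{ quantity: '1', product_id: 'Gifts1',
               transaction_id: '340000061439445',
               original_transaction_id: '340000061439445' }] }
};

const demoRedeemed = new Set();
console.log(checkReceipt(emptyResponse, 'Gifts1', demoRedeemed)); // refused
console.log(checkReceipt(paidResponse, 'Gifts1', demoRedeemed));  // credited once
console.log(checkReceipt(paidResponse, 'Gifts1', demoRedeemed));  // replay refused
```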
Generally, when you do not understand something, you start to believe in ghosts. Generally, when you do not know how the server came to have a bug, you blame others for hacking you. If someone really is hacking us, I hope that person sees this article, hehe.
If you know which part of our client is written wrongly so that it produces this kind of universal status=0 Base64 receipt, please point us in the right direction. During testing in the sandbox environment, no such receipt without in_app ever appeared.
To the experts who see this article: please give a clear explanation.