A strange problem: the base64 IAP top-up receipt from iOS game players is sent to Apple for receipt verification, and the returned value has no in_app
In the past few days our iOS game was listed on the App Store and many users have topped up. However, iTunes Connect shows that only two people have actually paid for the game. Someone must have cheated us.
Let me first describe our verification process:
Top-up initiated on the phone -> purchase successful -> get the base64 receipt -> send it to the game server for verification -> if successful, the player's top-up is credited
At first glance this seems fine, and it should be okay, but there is a problem: a magic base64 receipt has turned up. Heaven knows how the hacker came up with it.
Several accounts are involved. In the server log we can see the requests sent by these users. The base64 itself is not convenient to post, so I will post the results instead.
"D:\Program Files (x86)\JetBrains\WebStorm 140.2753\bin\runnerw.exe" "C:\Program Files\iojs\node.exe" main.js
statusCode: 200
headers: { 'x-apple-jingle-correlation-key': 'L4AZATKFKDNN7WI2P3UEX3P3YY',
  pod: '2',
  'x-apple-translated-wo-url': '/WebObjects/MZFinance.woa/wa/verifyReceipt',
  'x-apple-orig-url': 'http://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/verifyReceipt',
  'x-apple-application-site': 'ST11',
  'edge-control': 'no-store, cache-maxage=0',
  date: 'Wed, 11 Mar 2015 06:03:14 GMT',
  'set-cookie': [ 'itspod=2; version="1"; expires=Sat, 11-Apr-2015 06:03:14 GMT; path=/; domain=.apple.com',
    'mzf_in=022393; version="1"; path=/WebObjects; domain=.apple.com; secure; HttpOnly',
    'mzf_dr=0; version="1"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/WebObjects; domain=.apple.com',
    'ns-mzf-inst=36-60-80-109-96-8269-22393-2-st11; version=1; Max-Age=1800; path=/; domain=.apple.com; httponly',
    'NSC_nagjobodf-bopo-qppm*0=ffffffff12a53a2d45525d5f4f58455e445a4a423660;path=/;secure;httponly' ],
  'apple-timing-app': '9 ms',
  'cache-control': 'private, no-cache, no-store, no-transform, must-revalidate, max-age=0',
  expires: 'Wed, 11 Mar 2015 06:03:14 GMT',
  'x-apple-lokamai-no-cache': 'true',
  'x-apple-application-instance': '22393',
  'x-frame-options': 'SAMEORIGIN',
  itspod: '2',
  'x-webobjects-loadaverage': '23',
  connection: 'keep-alive',
  'content-length': '631' }
{"status":0, "environment":"Production",
"receipt":{"receipt_type":"Production", "adam_id":958813739, "app_item_id":958813739, "bundle_id":"com.tsgame.godlike", "application_version":"2.2", "download_id":80011053156383, "version_external_identifier":811584718,
"request_date":"2015-03-11 06:03:14 Etc/GMT", "request_date_ms":"1426053794658", "request_date_pst":"2015-03-10 23:03:14 America/Los_Angeles",
"original_purchase_date":"2015-03-07 18:22:23 Etc/GMT", "original_purchase_date_ms":"1425752543000", "original_purchase_date_pst":"2015-03-07 10:22:23 America/Los_Angeles", "original_application_version":"2.2",
"in_app":[]}}
Process finished with exit code 0
This is the verification information returned after the base64 was submitted to itc.
Yes, status returns 0.
However, if you know the new receipt format introduced after iOS 6, you will surely notice that the in_app field is empty.
I am also very surprised. Why is it not there? What advanced technique is this? Almost all the in-app purchase verification posts on the Internet say that it is OK if 0 is returned, but in this case the returned 0 is definitely not a problem.
"D:\Program Files (x86)\JetBrains\WebStorm 140.2753\bin\runnerw.exe" "C:\Program Files\iojs\node.exe" main.js
statusCode: 200
headers: { 'x-apple-jingle-correlation-key': 'F6CPKDZP4ZVKJKKMOFLMRLY354',
  pod: '54',
  'x-apple-translated-wo-url': '/WebObjects/MZFinance.woa/wa/verifyReceipt',
  'x-apple-orig-url': 'http://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/verifyReceipt',
  'x-apple-application-site': 'ST13',
  'edge-control': 'no-store, cache-maxage=0',
  date: 'Wed, 11 Mar 2015 06:10:34 GMT',
  'set-cookie': [ 'itspod=54; version="1"; expires=Sat, 11-Apr-2015 06:10:34 GMT; path=/; domain=.apple.com',
    'mzf_in=542401; version="1"; path=/WebObjects; domain=.apple.com; secure; HttpOnly',
    'mzf_dr=0; version="1"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/WebObjects; domain=.apple.com',
    'ns-mzf-inst=183-23-80-220-13-8162-542401-54-st13; version=1; Max-Age=1800; path=/; domain=.apple.com; httponly',
    'NSC_nagjobodf-bopo-qppm*0=ffffffff12a5a90645525d5f4f58455e445a4a423660;path=/;secure;httponly' ],
  'apple-timing-app': '9 ms',
  'cache-control': 'private, no-cache, no-store, no-transform, must-revalidate, max-age=0',
  expires: 'Wed, 11 Mar 2015 06:10:34 GMT',
  'x-apple-lokamai-no-cache': 'true',
  'x-apple-application-instance': '542401',
  'x-frame-options': 'SAMEORIGIN',
  itspod: '54',
  'x-webobjects-loadaverage': '16',
  connection: 'keep-alive',
  'content-length': '1099' }
{"status":0, "environment":"Production",
"receipt":{"receipt_type":"Production", "adam_id":958813739, "app_item_id":958813739, "bundle_id":"com.tsgame.godlike", "application_version":"2.2", "download_id":74004963679107, "version_external_identifier":811584718,
"request_date":"2015-03-11 06:10:34 Etc/GMT", "request_date_ms":"1426054234103", "request_date_pst":"2015-03-10 23:10:34 America/Los_Angeles",
"original_purchase_date":"2015-03-08 07:26:30 Etc/GMT", "original_purchase_date_ms":"1425799590000", "original_purchase_date_pst":"2015-03-07 23:26:30 America/Los_Angeles", "original_application_version":"2.2",
"in_app":[{"quantity":"1", "product_id":"Gifts1", "transaction_id":"340000061439445", "original_transaction_id":"340000061439445",
"purchase_date":"2015-03-08 07:38:35 Etc/GMT", "purchase_date_ms":"1425800315000", "purchase_date_pst":"2015-03-07 23:38:35 America/Los_Angeles",
"original_purchase_date":"2015-03-08 07:38:35 Etc/GMT", "original_purchase_date_ms":"1425800315000", "original_purchase_date_pst":"2015-03-07 23:38:35 America/Los_Angeles", "is_trial_period":"false"}]}}
Process finished with exit code 0
"in_app" is the key. I don't know why there is no in-app purchase record. This is really strange.
People generally believe in ghosts and gods when they do not understand something, and we often blame hackers when we don't know how the server has bugs. If someone really did hack us, I hope you see this article.
If you know which piece of our client is written incorrectly, so that this all-purpose base64 receipt with status = 0 is produced, I also hope you can give us some advice. When testing in the sandbox environment, there was never such a receipt without in_app.
To the experts who see this article: a clear explanation would be appreciated~
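
One way to make the server-side check hold up against a status-0 receipt whose in_app is empty, as an added example in Node.js (not the original post's code). The names checkReceipt and creditedTransactions and the reason strings are assumptions for illustration; the two sample objects are trimmed from the responses shown above.

```javascript
// Added example: checks applied to the parsed verifyReceipt response before crediting.
// checkReceipt, creditedTransactions and the reason strings are hypothetical names.
const EXPECTED_BUNDLE_ID = 'com.tsgame.godlike'; // bundle_id seen in the responses above

// Transactions already credited. In-memory here for the example only; a real
// server needs a durable store with a unique constraint on transaction_id.
const creditedTransactions = new Set();

function checkReceipt(response, claimedProductId) {
  // status 0 is necessary but not sufficient: it says the receipt validated,
  // not that it contains the purchase the client claims.
  if (!response || response.status !== 0) return { ok: false, reason: 'bad_status' };
  const receipt = response.receipt || {};
  // A receipt from a different app also validates with status 0.
  if (receipt.bundle_id !== EXPECTED_BUNDLE_ID) return { ok: false, reason: 'wrong_bundle' };
  const inApp = Array.isArray(receipt.in_app) ? receipt.in_app : [];
  // The case from the post: a valid app receipt that lists no purchase at all.
  if (inApp.length === 0) return { ok: false, reason: 'no_purchase_in_receipt' };
  // Credit only an entry for the claimed product that has not been credited before.
  const fresh = inApp.filter((p) =>
    p.product_id === claimedProductId &&
    typeof p.transaction_id === 'string' && p.transaction_id.length > 0 &&
    !creditedTransactions.has(p.transaction_id));
  if (fresh.length === 0) return { ok: false, reason: 'no_new_matching_transaction' };
  const tx = fresh[0];
  creditedTransactions.add(tx.transaction_id);
  return { ok: true, transactionId: tx.transaction_id,
           productId: tx.product_id, quantity: Number(tx.quantity) };
}

// Sample inputs, trimmed from the two responses in the post.
const emptyReceiptResponse = { status: 0, environment: 'Production',
  receipt: { bundle_id: 'com.tsgame.godlike', in_app: [] } };
const paidReceiptResponse = { status: 0, environment: 'Production',
  receipt: { bundle_id: 'com.tsgame.godlike', in_app: [
    { quantity: '1', product_id: 'Gifts1', transaction_id: '340000061439445' } ] } };

// The status-0 receipt with an empty in_app is rejected instead of credited.
console.log(checkReceipt(emptyReceiptResponse, 'Gifts1'));
```

The same transaction_id check also stops a genuine receipt from being submitted twice for a second credit.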