5

Just tried the Freedom app on our application and I could buy every in-app purchase item with it. At least when running the Play Store 3.x. If I upgraded the Play Store to 4.x, then the Freedom hack stopped working.

Anyhow, is there a way to protect against it?

tomi

1 Answer

3

Check the orderId returned. Correct orderIDs are of the form: [merchant ID].[actual order ID]. Find your merchant ID in your Wallet account (last line on order page) and check in your app if it's the same. As the Freedom hack cannot by any means know your Wallet ID, the returned ID of hacked payments differs. Just refuse those payments.

Note that this is just an assumption. I am currently not 100% sure if this works. Feedback would be appreciated.

Uwe Post
  • The prefix does NOT match my merchantId, but the prefix has always stayed the same value for more than 1 year. So I have also implemented your additional validation now and hopefully it will work :) – Martin L. Jun 25 '14 at 12:37
  • Thanks for pointing out that the prefix does not match your merchant ID. Obviously sometimes there is another factor in there, because it does for me and for other developers I know. – Uwe Post Jul 03 '14 at 12:52
  • Starting July '15, this solution is not working anymore, because Google produces orderIds with prefixes "GPA" instead of your Wallet ID, so your check will fail - or produce false negatives. – Uwe Post Aug 07 '15 at 08:52
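
The prefix check from the answer, written so that it also covers the two caveats raised in the comments (a stable prefix that is not the merchant ID, and the newer "GPA" order IDs). This is an added example, not code from the answer or from Google; the class name, the sample IDs and the assumption that legacy IDs are two digit groups separated by a dot are constructed for illustration.

```java
import java.util.regex.Pattern;

/** Added example: classifies a purchase orderId by its prefix (hypothetical helper). */
public final class OrderIdCheck {

    public enum Result { LEGACY_PREFIX_OK, LEGACY_PREFIX_MISMATCH, GPA_FORMAT, MALFORMED }

    // Assumption: legacy IDs look like "<digits>.<digits>", i.e. [merchant ID].[actual order ID].
    private static final Pattern LEGACY = Pattern.compile("\\d+\\.\\d+");

    // The prefix seen on genuine orders for this app. Per the comments this is
    // not always the merchant ID, so configure the value you actually observe.
    private final String expectedPrefix;

    public OrderIdCheck(String expectedPrefix) {
        this.expectedPrefix = expectedPrefix;
    }

    public Result classify(String orderId) {
        if (orderId == null) return Result.MALFORMED;
        int dot = orderId.indexOf('.');
        if (dot <= 0 || dot == orderId.length() - 1) return Result.MALFORMED;

        String prefix = orderId.substring(0, dot);
        // Newer order IDs start with "GPA": the prefix comparison cannot decide
        // anything here, so it must neither accept nor reject on this basis.
        if (prefix.equals("GPA")) return Result.GPA_FORMAT;

        if (!LEGACY.matcher(orderId).matches()) return Result.MALFORMED;
        return prefix.equals(expectedPrefix)
                ? Result.LEGACY_PREFIX_OK
                : Result.LEGACY_PREFIX_MISMATCH;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real order IDs.
        OrderIdCheck check = new OrderIdCheck("12345678901234567890");
        String[] samples = {
            "12345678901234567890.1111222233334444", // expected prefix
            "99999999999999999999.1111222233334444", // different prefix
            "GPA.1234-5678-9012-34567",              // "GPA" prefix
            "no-dot-at-all"                          // not an order ID shape
        };
        for (String s : samples) {
            System.out.println(s + " -> " + check.classify(s));
        }
    }
}
```

Only `LEGACY_PREFIX_MISMATCH` and `MALFORMED` correspond to the "refuse those payments" case in the answer; rejecting `GPA_FORMAT` would turn away the orders described in the last comment.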