
I just released an app for iOS and I used Revenue Cat to help with IAPs. I just found out that anyone with a jailbroken iPhone can make fake purchases that give them the "goods" without making a payment. Does Revenue Cat have a way to verify and make sure this doesn't happen?

Here is the code for when a purchase is made in the app (button press):

guard let package = offering?.availablePackages[2] else {
    print("No available package")
    return
}

Purchases.shared.purchasePackage(package) { (trans, info, error, cancelled) in
    // handle purchase
    if trans?.transactionState == .purchased {
        if let currentUser = Auth.auth().currentUser {
            let ref: DatabaseReference = Database.database().reference()
            ref.child("users/\(currentUser.uid)/score").getData(completion: { error, snapshot in
                guard error == nil else {
                    print(error!.localizedDescription)
                    return
                }
                let score = snapshot.value as? Int ?? 0
                let newScore = score + 100
                ref.child("users").child(currentUser.uid).updateChildValues(["score": newScore])
            })
        }
    }
}
Papi
  • One side question is there any fees among RevenueCat services (Api keys/Dashboard) or all is free? – Shehata Gamal Mar 06 '22 at 18:06
  • @Sh_Khan you pay monthly if you want better analytics dashboard. But it's free if you make under $1000 a month and then they charge a little bit if you make more. Like if you make $100,000 a month, they will only charge you $800. Not bad to be honest – Papi Mar 06 '22 at 18:13
  • Hmmm, I see in their docs that it's to make it easy, nothing about verify/safe. BTW you could detect a jailbroken device and stop the app; check https://stackoverflow.com/questions/413242/how-do-i-detect-that-an-ios-app-is-running-on-a-jailbroken-phone – Shehata Gamal Mar 06 '22 at 18:17

1 Answer

Incrementing the score from the client is not very secure. You could listen for RevenueCat webhooks and update the score server side on a successful purchase or renewal. The webhook will only be dispatched from RevenueCat on a valid purchase that's securely verified with Apple.

Another approach to this would be to ping your server in the purchase completion block to check RevenueCat for the latest purchase status. So you ping your server, then from your server you call RevenueCat's GET /subscriber endpoint and make sure the score has been updated. Webhooks then could be used as a redundancy mechanism.

enc_life
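Both server-side approaches from the answer, as an added example that is not part of the original post and not RevenueCat's SDK: a webhook handler that checks the shared Authorization header value before crediting a score, and a reconcile step that reads the subscriber record RevenueCat's REST API returns. The webhook and API field names (`event.type`, `event.app_user_id`, `event.product_id`, `event.transaction_id`, `subscriber.non_subscriptions`) are assumptions about the payload shape; the secret, product id and in-memory store are constructed stand-ins for the dashboard setting, the real product and Firebase. Crediting is keyed on the store transaction id, so a redelivered webhook or a second API poll never awards the same purchase twice.

```python
"""Server-side score crediting for RevenueCat purchases (added example, not the poster's code)."""
import hmac
import json
from typing import Callable, Dict, List, Tuple

# Assumption: this placeholder is the value configured as the webhook Authorization header
# in the RevenueCat dashboard; RevenueCat sends it verbatim with every webhook.
WEBHOOK_AUTH_SECRET = "replace-with-a-long-random-value"

# Event types that represent a paid purchase; everything else is acknowledged and ignored.
CREDITING_EVENTS = {"INITIAL_PURCHASE", "NON_RENEWING_PURCHASE", "RENEWAL"}

# Constructed product id -> points to award.
SCORE_PER_PRODUCT = {"score_pack_100": 100}


class ScoreStore:
    """In-memory stand-in for the users/{uid}/score node in Firebase."""

    def __init__(self) -> None:
        self.scores: Dict[str, int] = {}
        self.credited_txns: set = set()

    def credit(self, uid: str, points: int, txn_id: str) -> int:
        # Idempotent: the same store transaction is only ever credited once.
        if txn_id in self.credited_txns:
            return self.scores.get(uid, 0)
        self.credited_txns.add(txn_id)
        self.scores[uid] = self.scores.get(uid, 0) + points
        return self.scores[uid]


def handle_webhook(headers: Dict[str, str], body: str, store: ScoreStore) -> Tuple[int, str]:
    """Approach 1: credit the score only from a RevenueCat-dispatched webhook. Returns (status, message)."""
    supplied = headers.get("Authorization", "")
    # Constant-time comparison of the shared header value; reject anything that does not match.
    if not hmac.compare_digest(supplied, WEBHOOK_AUTH_SECRET):
        return 401, "bad authorization"
    try:
        event = json.loads(body)["event"]
        kind, uid = event["type"], event["app_user_id"]
        product, txn_id = event["product_id"], event["transaction_id"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed event"
    if kind not in CREDITING_EVENTS:
        return 200, f"ignored {kind}"
    points = SCORE_PER_PRODUCT.get(product)
    if points is None:
        return 200, f"unknown product {product}"
    return 200, f"score={store.credit(uid, points, txn_id)}"


def reconcile_from_api(uid: str, fetch_subscriber: Callable[[str], dict], store: ScoreStore) -> List[str]:
    """Approach 2: when the client pings after a purchase, ask RevenueCat (GET /subscribers/{uid})
    and credit any non-subscription purchase not yet counted. Returns the newly credited txn ids."""
    subscriber = fetch_subscriber(uid).get("subscriber", {})
    credited = []
    for product, txns in subscriber.get("non_subscriptions", {}).items():
        points = SCORE_PER_PRODUCT.get(product)
        if points is None:
            continue
        for txn in txns:
            before = store.scores.get(uid, 0)
            if store.credit(uid, points, txn["id"]) != before:
                credited.append(txn["id"])
    return credited


# Constructed sample webhook body, as RevenueCat would POST it to the server.
SAMPLE_WEBHOOK_BODY = json.dumps({"api_version": "1.0", "event": {
    "id": "evt-1", "type": "INITIAL_PURCHASE", "app_user_id": "user-1",
    "product_id": "score_pack_100", "transaction_id": "txn-1"}})


def fake_fetch_subscriber(uid: str) -> dict:
    """Constructed stand-in for the GET /subscribers/{uid} call made with the secret API key."""
    return {"subscriber": {"non_subscriptions": {
        "score_pack_100": [{"id": "txn-1"}, {"id": "txn-2"}]}}}


def demo() -> Tuple[Tuple[int, str], Tuple[int, str], List[str], int]:
    store = ScoreStore()
    ok = {"Authorization": WEBHOOK_AUTH_SECRET}
    first = handle_webhook(ok, SAMPLE_WEBHOOK_BODY, store)     # credits txn-1
    replay = handle_webhook(ok, SAMPLE_WEBHOOK_BODY, store)    # redelivery, no double credit
    new = reconcile_from_api("user-1", fake_fetch_subscriber, store)  # picks up only txn-2
    return first, replay, new, store.scores["user-1"]


if __name__ == "__main__":
    print(demo())
```

The client's completion block then only pings the server and reads the score back; no code path on the device can raise the score, so a jailbroken client that fakes a StoreKit transaction gets nothing until RevenueCat has verified the receipt with Apple.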