Preventing Hacks of In-App Purchases with Detection

This is a story about a developer who was using the Apple store for his in-App purchases when he first went live with his game. After the first day, his logs said that he had made over $1000 in sales, but when he checked Apple’s store reports they said that he had only made a couple of dollars! What happened was that several users had hacked into his game, unlocking all the in-App purchases they could find. By the time the developer realized that he had been defrauded, he was already disheartened. This happened with his first SPG (single player game); his next upgrade was to make it multi-player so that the added competition would make the game more popular. In multi-player competitive games it is especially important to know that users are not able to hack their way into the local files of the game. Without fraud prevention and cloud security, how can any designer claim that they care about competition?

Fighting In-App Purchase Fraud

Some gaming experts believe there’s no reason to fight fraudulent exploitation of files in single player mobile games. I disagree. First and most importantly, I think building interpersonal competition and sharing favorite games starts with SPGs. I think that it is more commonplace to find mobile gameplay talk occurring in offline discussions than in the ones you see online. What do I mean by that? I believe that a lot of game talk is shared between people personally and face to face in social settings.
The kind of social interaction I’m talking about here is a meaningful sharing of experiences from person to person. How do I know that my sister reached the 190th level in the game Candy Crush Saga? Well, I didn’t hear about it on Facebook. She told me what level she reached. But if I were to ever find out that she did it because someone out there showed her the cheats to get around gameplay obstacles, I would be less enthusiastic to take up the challenge and try to beat her score. The whole point of playing is to be the best, and this can only be true in a game economy that cannot be hacked.
Another issue related to fraud prevention has to do with the distribution of virtual wealth in your game’s economy. People often believe that it’s more fun to play a game when all the features are unlocked, that it somehow would be better if they could play unhindered. In reality, however, whenever a player hacks into a game and unlocks its virtual economy, the challenge of playing is lost. Without immovable obstacles, hacks like these take all the fun out of playing. The best designed games are ones with built-in features that provide players with challenges that are long lasting and indefinite. Removing sinks or having unending pools of coins upsets the balance of the game, no doubt making it less enjoyable.
Game hacking also messes up your analytics, filling your data with inaccuracies about user behavior. Such falsities might cause you to make poor decisions about balance or cause errors in judgment about user acquisition. And errors like these can get very expensive.

2 Ways Games are Getting Hacked

When Users Learn How to Fake an In-App Purchase

It’s easy for some people to trick the game into assuming that it’s communicating with Apple’s servers when it’s not. Even though this technique requires a high level of expertise, there are several hacking services that exploit the backdoor vulnerabilities that all games have, so every game is potentially a new victim of attacks on its infrastructure. Hackers develop and share new programs that millions of users run every day to modify the local files of their mobile devices. One such source is IAP Cracker, but there are many more out there.

Users Learn How to Overwrite the Store’s Balance file

This one depends more on the app’s overall architecture and development, because every game stores its economic balances in its own unique way. Rather than using any names you might recognize, let’s just say that maybe you’ve seen some videos on YouTube about how to crack some of the more popular mobile games out there; it seems that all of these overwriting hacks are based on the same method. Users first find a way to access the system files of their mobile device and then try to figure out which files hold their game balance. Then they figure out how the file is built, and with a certain amount of persistence, they try modifying the settings file or replacing it altogether with a completely different one. If they succeed, they publish a video tutorial on YouTube to show others how they hacked the game.

Ways to Prevent Hacking and Fraud

My educated guess is that most in-App hacking happens on already unlocked mobile devices, on iPhones that are jailbroken (Apple) or on smartphones that have been rooted (Android), or on poorly developed mobile games that just lack any backend security whatsoever. This claim is not based on data but simply on the fact that most of the hacking methods rely on having access to the device operating system and file system.
The good thing is that most mobile phones haven’t been rooted or jailbroken and don’t provide easy access to the lower levels of the device’s infrastructure, thereby making it more difficult for users to mess around with store-bought models. However, neither Google nor Apple have so far been able to prevent users from hacking through to the device’s infrastructure level, and either way I wouldn’t rely on them ever being able to stay ahead of all the hackers out there.

Use a Server to Protect in-App Purchases

Perhaps the best way to avoid hack attacks is to use a server to protect your game. While this might be a good beginning, it’s certainly not enough to protect you from all future hacking techniques and exploits.

How Server Verification helps

Server-side verification can be used to eliminate some of the above examples of fraud, but probably not all of them. Specifically, server-side verification does nothing to protect the game’s local files from being modified on the device. In other words, server-side verification, no matter how robust and secure, is not enough on its own.

Detecting in-App Purchase Hacks

The next step would be to figure out how to detect in-App purchase hacks. To do this, you would first need to implement server-side verification. Both Google and Apple provide an easy to use tool for verifying your in-App purchases. Server verification works like this: the store sends the client a receipt for the purchase, the client forwards that receipt to your own server, and your server then asks Google Play or iTunes to confirm that the in-App purchase really took place before it credits anything (I explain this in greater detail here).
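The exchange above as an added example, not code from the original post or from any store SDK: the store issuing a signed receipt is simulated with an HMAC and an in-memory ledger (both constructed stand-ins for the real verification endpoint), and the game server credits coins only after that simulated store confirms the receipt and rejects replays of an already-redeemed one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the store's signing key. A real store keeps this
# private; the game server never holds it and instead asks the store's
# verification endpoint (Apple's verifyReceipt, Google Play's purchase API).
_STORE_KEY = b"demo-store-signing-key"
# Constructed ledger of purchases the store actually settled.
_STORE_LEDGER = {"txn-1001": {"product_id": "coins_500", "user": "alice"}}
PRODUCT_COINS = {"coins_500": 500, "coins_2000": 2000}

def store_issue_receipt(txn_id: str) -> str:
    """Simulated store: hands the client a signed receipt for a real purchase."""
    payload = json.dumps({"txn": txn_id, **_STORE_LEDGER[txn_id]}, sort_keys=True).encode()
    sig = hmac.new(_STORE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + sig

def store_verify(receipt: str) -> Optional[dict]:
    """Simulated store verification endpoint: returns the purchase or None."""
    try:
        b64, sig = receipt.rsplit(".", 1)
        payload = base64.b64decode(b64, validate=True)
    except ValueError:
        return None  # malformed receipt
    expected = hmac.new(_STORE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered receipt (e.g. one served by a fake store)
    data = json.loads(payload)
    return data if data.get("txn") in _STORE_LEDGER else None

class GameServer:
    """Your backend: the only place allowed to change a user's balance."""
    def __init__(self) -> None:
        self.balances = {}
        self.redeemed = set()

    def redeem(self, user: str, receipt: str) -> str:
        data = store_verify(receipt)  # never trust the client's own claim
        if data is None or data["user"] != user:
            return "rejected: store did not confirm this receipt"
        if data["txn"] in self.redeemed:
            return "rejected: receipt already redeemed"  # replay of a real receipt
        self.redeemed.add(data["txn"])
        self.balances[user] = self.balances.get(user, 0) + PRODUCT_COINS[data["product_id"]]
        return "ok"
```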

Monitoring any Irregular Activities

The best way to prevent hacking is to monitor your statistics and look for any irregular activities that relate to your in-App purchase transactions. A simple comparison can be conducted between the transaction reports provided by Apple and Google and a report from another analytics provider. Then you can isolate all the instances where purchase transactions appear in your logs but aren’t counted as purchases in the store. Once you find a few suspicious transactions, you can then look up the logs for the users that you’ve flagged and look for additional patterns of behavior that commonly indicate fraudulent activity.

There are three common types of indicators of fraud:

  • Several transactions for the same download occur with no activity or time in between purchases
  • When over $50 worth of purchases are made by a given user in a single day
  • Balance change greater than the largest amount of coins available for purchase
This is just to start you off. If you use a separate analytics log you will be able to find even more patterns of behavior. For these behaviors, create filters so that they get flagged automatically. I recommend that you set up broad conditions for your filters at first, let them send any anomalies found to you automatically, and then manually review the shortlist that the filter provides (perhaps up to 20 flags per day is manageable). If you find yourself reviewing a lot of instances that turn out to be legitimate purchases, you can always narrow your filter’s criteria and tweak it whenever your list gets too long to review quickly.

What to do when you find someone you suspect of hacking your games

When you find users engaging in fraudulent activity, you can choose your own course of action. Besides removing the disingenuous activity from your view of the analytics data, you can sanction hackers further by removing their balances or even banning them from using your game.


  1. Earlier we had the same issue with the API for Android, which was using the older Billing API. Later we wrote our own Store API for iOS and Android on Cocos2dx.

    Thanks for explanation.

  2. Stop using the freemium model.

    people are willing to pay for games. But charging $100 for an in-app purchase is just wrong.

    • While some (very few) people are willing to pay for games. Most people don’t. Top 10 free app is getting 70K downloads/day while Top 10 paid app is getting 4K. People are choosing freemium over and over again.

      • There is a difference in my opinion between being able to progress quicker via in-app purchases and games that practically force you to do so. Sadly most games are in the former category.

        If it is going to be freemium at least have sane prices. A game I played had an item that wasn’t particularly good yet it still cost $20. It is becoming really stupid, I wouldn’t have opposed it if it was 2 dollars since this item was necessary to progress.

        • I agree, blocking user progress is not a good practice. Even when you give players an option to progress more quickly, it needs to be balanced carefully so the challenge in the game will not be ruined.

          • Ah, man you two seem to have the wrong idea of how IAPs should work.

            But first, I would like to correct O. Locke on something. He says “put out quality games and charge one price or get your game hacked”. Sorry, but I’m not sure what your point is here. You seem to think that one shouldn’t make an F2P game, but that’s obviously not true. Candy Crush, as bad as it is, would never have been so successful if it charged $.99 to start playing. Triple Town is better than it would have been if it charged upfront instead of letting you get cool stuff in the middle. I agree, though, that more than $10 is too much.

            Okay, as for Yaniv Nizan, I’m not going to try to describe how an IAP should work, because I couldn’t do it better than Extra Credits (

      • Look, pal.

        There is quantity and then there is quality.

        Do you want 4k who pay or 30k who hack? Charging $100 for an intangible add on, on a time waster is obscene. If you like the freemium model you shouldn’t complain about getting hacked.

        just live with it.

        thanks for your input, pal.

          • Thanks for the question, pal.

            I believe people want these games hacked because the cost for the extra content is obscene. It isn’t possible to progress very far without purchasing the extra content. or the app is virtually inoperable because of all the limitations.

            looks like app developers like you are still operating under the whole “greed is good” model.

            I could be wrong but I think people are sick of that.

            thanks for your input, pal.

          • I haven’t talked with many hackers but it seems like the effort of hacking a game is much greater compared to the cost of paying for the premium content.

            There are many games that are not very aggressive in pushing in-app purchases and they still get hacked. One good example of that is Subway Surfers. It’s very hard to claim that you can’t enjoy this game without in-app purchase but yet it was hacked.

            My gut feeling is that more hackers are doing it for the challenge than because they try to get something for free.

            DISCLOSURE: SOOMLA is not an app developer but an open source framework for game developers.

          • sure, pal.

            open source framework. That’s good.

            Your gut feeling is wrong. subway surfers is just a casualty. It really sucks for smaller developers who use the freemium model and don’t charge ridiculous prices for in-app purchases. But the greedy developers made it this way.

            It shouldn’t be a surprise that some people still bristle when a developer uses technology to bilk people out of money. a guy who majors in Computer Science with a little spare time can learn to hack some of these apps.

            facts are facts. put out quality games and charge one price or get your game hacked. simple.

            I enjoy reading sites like yours because it gives me an idea on the methods developers are using to combat consumers from fighting their unscrupulous business models.

