Announcing Server Side Verification for iOS

We know that fraud is a huge issue for you guys, so we are working very hard to give you tools to fight it. We have had device-level encryption for a while now, but we recently added functionality that validates receipts with the iTunes servers. This prevents users of IAP Cracker and similar tools from making fraudulent purchases.

How Server Side Verification Works

The way it works is that every time the user makes a purchase, iTunes returns a receipt. The SOOMLA Framework sends this receipt to the SOOMLA server, which forwards it to the iTunes servers for another round of validation. Since the SOOMLA servers are much harder to hack, the user can’t redirect these requests.

Here is an illustration:

[Image: an illustration of how Server Side Verification works]

Here are the steps in Server Side Verification for iOS:

  1. Purchase request is initiated from the device
  2. iTunes Connect returns a positive response and charges the user account
  3. SOOMLA Framework sends the receipt to SOOMLA servers
  4. SOOMLA servers send the receipt to the iTunes server for validation
  5. The iTunes servers respond with a positive response
  6. SOOMLA servers notify the Framework that the purchase has been verified and the user is entitled to receive the virtual goods.

IAP Cracker breaks steps 1 and 2 by redirecting the device's requests to false servers. It cannot, however, impact steps 3-6, so if you use this feature you should see most of the hacking get caught.
Moreover, through other features, you will be able to track what these users do later on, so if they try something else you can respond immediately.
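To make steps 3-6 concrete, here is an added example of what the server-side half of the flow looks like: a backend receives the base64 receipt from the client, forwards it to Apple's verifyReceipt endpoint with the app's shared secret, and only releases virtual goods when Apple's answer checks out. This is illustrative code written for this post, not SOOMLA's server implementation. The endpoint URLs and the status values 0 and 21007 are Apple's documented verifyReceipt values; the bundle id, product id, transaction id, shared secret and the fake Apple reply are constructed so the example runs offline. The checks beyond "status == 0" (bundle id, product id and a one-time transaction id) go a little past what the post describes, but they are the checks a receipt-verification server needs so that a genuine receipt cannot be replayed or reused for a different product.

```python
import base64
import json
import urllib.request

# Apple's receipt verification endpoints (production and sandbox).
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

STATUS_OK = 0
# 21007: a sandbox (test) receipt was sent to the production endpoint;
# Apple's documented behaviour is to retry against the sandbox endpoint.
STATUS_SANDBOX_RECEIPT = 21007


def post_json(url, payload):
    """Default transport: POST a JSON body to Apple and return the parsed reply."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_receipt(receipt_b64, shared_secret, expected_bundle_id,
                   expected_product_id, seen_transactions, post=post_json):
    """Server-side verification (steps 4-6 of the flow).

    Returns (ok, reason). Virtual goods are released only when ok is True.
    seen_transactions is the server's record of transaction ids already
    credited (a set here; a database table in a real deployment)."""
    # 1. The receipt must at least be well-formed base64 before it is forwarded.
    try:
        base64.b64decode(receipt_b64, validate=True)
    except (ValueError, TypeError):
        return False, "receipt is not valid base64"

    payload = {"receipt-data": receipt_b64, "password": shared_secret}

    # 2. Ask Apple. The server talks to Apple directly, so a client-side
    #    redirection of App Store traffic cannot influence this answer.
    reply = post(PRODUCTION_URL, payload)
    if reply.get("status") == STATUS_SANDBOX_RECEIPT:
        reply = post(SANDBOX_URL, payload)
    if reply.get("status") != STATUS_OK:
        return False, "apple status %s" % reply.get("status")

    receipt = reply.get("receipt", {})
    # 3. The receipt must belong to our app, not some other app's valid receipt.
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "bundle_id mismatch"

    # 4. It must actually contain the product the client claims to have bought.
    purchases = receipt.get("in_app", [])
    match = next((p for p in purchases
                  if p.get("product_id") == expected_product_id), None)
    if match is None:
        return False, "product not in receipt"

    # 5. A transaction id is credited once; a resubmitted receipt is a replay.
    txn = match.get("transaction_id")
    if not txn or txn in seen_transactions:
        return False, "transaction already credited or missing"
    seen_transactions.add(txn)
    return True, "verified"


# Constructed stand-in for Apple's reply so the example runs offline.
FAKE_APPLE_REPLY = {
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.game",
        "in_app": [{"product_id": "com.example.game.coins100",
                    "transaction_id": "1000000123456789"}],
    },
}

# Constructed receipt blob: base64 of the bytes "constructed".
FAKE_RECEIPT_B64 = "Y29uc3RydWN0ZWQ="


def fake_post(url, payload):
    """Constructed transport: pretends to be Apple and returns FAKE_APPLE_REPLY."""
    return FAKE_APPLE_REPLY


def demo():
    """Verify the same receipt twice: the first call succeeds, the replay is rejected."""
    seen = set()
    args = (FAKE_RECEIPT_B64, "constructed-shared-secret",
            "com.example.game", "com.example.game.coins100", seen)
    first = verify_receipt(*args, post=fake_post)
    second = verify_receipt(*args, post=fake_post)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The `post` parameter exists only so the example can be exercised without network access; in a deployment the default `post_json` is used and the shared secret stays on the server, which is why the dashboard asks for your encryption secrets rather than shipping them in the app.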

Turning Server Side Verification On

Turning this feature on is done a bit differently for framework users and dashboard users. If you are using the dashboard, it is turned on by default; just be sure not to un-check the check-box shown below. You will also have to fill out the fields with your encryption secrets.

[Image: how to turn on Server Side Verification]

For framework users, this is OFF by default. To turn it on, go to StoreConfig.m and set VERIFY_PURCHASES = YES.

August 2015 Update: We have also added receipt verification for Android!