Posted By oomphhq on October 24th, 2011

In-App Purchase Content Delivery and security with Oomph

25th October 2011.  In -App Purchasing  Tom Adams, Oomph CTO shares insights into In-App purchasing; what it is, how it works and how Oomph works to protect your content.

The Oomph platform allows on device, in-app purchasing (IAP) of content via a number of platform specific methods. On iOS, this is supported through iTunes’ in-app purchasing. This allows customers to purchase content on a device using their iTunes Store account, which Oomph then downloads & makes available for viewing.

Apple provides two methods for delivering in-app purchase content: 1) Built-in Product Model; and 2) Server Product Model. Oomph supports the server product model.

When a user makes a purchase on device, the following happens [1]:

1) A user initiates a purchase.

2) The app makes this purchase on a user’s behalf using Apple’s on-device API (StoreKit).

3) Apple’s API provides a receipt to the app.

4) The app provides the receipt to an Oomph server for validation.

5) The Oomph server validates the receipt with the iTunes Store, verifying the receipt itself & the product it is for.

6) If valid, the content is provided to the app.

The process of validating the receipt with iTunes is critical, without it, content can be provided to a user without them having a valid receipt, or, having a valid receipt for another product.

Oomph Protection:  Through our regular monitoring of our server infrastructure, our tech team has identified attempts to purchase content using invalid receipts. These attacks are reasonably well crafted, the data is encoded similarly to real receipts, and the remainder of the purchase data is legitimate. However, upon decoding, it becomes clear that these receipts are generated from a common IAP cracking tool. These tools run on jailbroken devices, and allow the on-device StoreKit API to be circumvented, providing a fake receipt to the app as if it came from Apple directly.

From anecdotal evidence on forums and also from our direct experience, server validation of receipts is not performed very often, and without this check, your content is exposed freely using easily accessible tools.

Oomph performs server side validation for all iOS in-app purchases, including single issue & auto-renewable subscriptions.


[1] Apple’s In-App Purchase Programming Guide provides full details.