iAP hacking - important for Ludei team

goodmornig I have a iOS game Mr. Dot made with Construct 2 and in this game I have 2 iAP working fine with Ludei server (managed mode).

I noticed that on my transaction's page on ludei cloud compiling site there are a hundreds of:

com.zeptolab.ctrbonus.superpower1

this is an image of my transaction page:

https://dl-web.dropbox.com/get/games/ze ... MPj3-3-qCg

Now I noticed that these strange transactions are added every day, especially on days when the game is downloaded many times!

intrigued I did some research and found this blog where we talk about this, The article ends with this sentence:

"Then check if the product_id is your genuine product or not. If not, just cancel it out. The most famous spoofed product id is :

com.zeptolab.ctrbonus.superpower1

If you encounter any product ID apart from your own, then simply block them. They are not genuine at all!"

link of the blog:

http://blog.hussulinux.com/2013/04/appl ... er1-hacks/

I ask the ludei Team if they can investigate this and if they can solve this.

and ask others developer if they can check their transaction page and see if they have that string.

I wait for reply

thanks

Bloody pirates...

Yeah agreed, but let's not give them cool titles. They are just filthy criminals - nothing more nothing less!

It's quite common nowadays, on Android in particular the rate of fake IAPs is >50% according to several dev blogs I read. There's a tool for rooted Android called Freedom, it enables free IAPs. There's something similar for jailbroken iOS devices as well.

Freemium games with IAPs is not a solution to piracy of paid premium games as time goes by and more users become aware of these tools.

There's no solution to piracy. A large portion of gamers will be pirates. Accept it, move on, cater to those who give you $ instead.

— I read something similar that started with a tweet from Monument Valley -> http://recode.net/2015/01/06/mobile-game-piracy-isnt-all-bad-says-monument-valley-producer-qa/

The most surprising stat was 50% from iOS. There must be more jailbroken devices out there than I realised.

— I know there are pirates that could hacking our works but if ludei can do something (on them server) to block that practice is better for all us....

I read the article on the blog (that I posted first) and they write that you can block the product ID not genuine on the server side:

com.zeptolab.ctrbonus.superpower1

So I ask if also in yours transaction page there are this strange product ID

and I hope that ludei Team can block this pirate product.

Gamers and hardcore gamers in particular are tech savvy so the portion of them who own jailbroken iOS devices or rooted Android devices is very high. The majority of users, particularly casual game players, I would expect the portion to be very minimal.

In particular, I frequently discuss mobile gaming on Reddit and those guys are more towards the hardcore/geek gamer market, Ads never work for them. They nearly all have AdBlockers. A lot of them also use tools for free IAPs.

It seems like you never get $ from that market.. but its not true! They fully respect a good game and will reward ethical developers by buying full paid apps or buy IAPs that they deem fair.

Ultimately if you respect the gamers, you will find many of them (enough anyway) who will reciprocate & happily pay for your content. So it's NOT about how to stop, punish or deter pirates. It's about engaging the core who value your work.

If anything, PC gaming has taught us DRMs fail utterly and only punish legit gamers.

mollaq It's not a battle Ludei will win (ie, blocking some IDs). It's extremely quick & easy to spoof a new ID. Ultimately it cannot be stopped if users are tech savvy enough to jailbreak their devices. But if you wanted to make it harder for pirates, that responsibility lies with Apple & Google, to make more protected OSes that aren't so easy to break.

Also, the "com.zeptolab.ctrbonus.superpower1" spoof or those types are the ones you know about. There are other free-IAPs method that you cannot detect, the player just gets whatever item freely with no notification. They don't even need wi-fi/net connection.

I agree fully with — on that one, there are no way for us to prevent that (to be fair, it is not even our job to secure those kind of things, as AFAIK we did not created the IAP system used by those apps), and it basically remains more as a "specificity of that market" that you have to take in account, and work with.

Sure it might seem " risky" ( what if everyone end up doing this ??!) or even unfair (All that work I putted on and I do not even have what I desirve), but as you can easily gather (for the majority at least), if the player do not want to pay for it, he will either pirate it or not use it at all, both I consider equaly as bad, and unfortunatelly, that is a part of the market you are targetting, the best you can do is "being fair" (so people will not uninstall or work around your app) and hope that the clients you are targetting are "honest" (not people that just wants everything for free, but you would not consider all your customers as potential stealers I am sure so that part should be okay), as everything you can try to do to stop them atm will be removed from the unofficial versions but will affect the legit ones (aka the "non-legits" users wont even see it, but the legits ones will suffer from it).

I don't agree with the optimistic view on people pirating games and then paying for it anyway. If you ask a bunch of them they will say they buy the game or pay for IAP, because they know what they are doing is wrong. Also lets say they do, I bet it's once a blue moon. In fact the stats show this to be the case. That's a hell of a lot of people deeming the game's cost is unfair.

It's bit like me walking into a store, taking a product and then after I may or may not pay for it depending on if I think it's a fair price.

I do agree though, there will always be piracy. All you can do is plug the holes up you can as and when they find them. Ultimately mollaq 's issue is a problem with apple, and yes they can spoof with any product id.

This is the reply of Ludei Team:

"Hello,

Thanks a lot for the report. We have already fixed this issue. We have banned that id. Every time someone tries to purchase this product, the transaction will fail. Please, let us know if you still find strange product ids and we will do our best for helping you. We will try to figure out a better solution for the future, as there might exist plenty of these ids. We will inform you all as soon as the decision is made.

Regards."

If someone have strange Products ID on yours transaction's page please send it to Ludei this way they can fix on they server!

Hello,

We have already added a fix in our servers. As — has said, the only thing we can do at the moment is to ban that product_id. However, we plan to add more security options for preventing this kind of situations.

Regards.

Many Thanks!

I hope this helps others developers and I hope others developers helps Ludei to discover and fix this!

thanks again