Hi guys,
I have implemented server-side receipt validation and it is working pretty well so far. Here are the general steps I take for new purchases:
1) On device: get receipt from Google/Apple, send it to my server
2) On server: parse the data
- For Apple: send to Apple servers to validate
- For Google: verify receipt data against signature
3) If everything checks out, check against my database to see if the transaction id has been used before. If it exists in my DB then someone is trying to reuse an old receipt. If it doesn't exist, then save it.
4) Send a response back to my device and unlock content accordingly
The problem that I'm facing is what to do when restoring purchases. I don't have an Apple device to test with yet, but on Google, the receipt that I get back for a restore is identical to the original purchase receipt. So when I do the transaction id check on my database it will fail. Theoretically, somebody could make a valid purchase once, and then pass around that valid receipt with an IAP cracker to trick my server into restoring features. (I know you can't stop hackers, but I want to at least make it difficult.)
Here are the solutions I can think of:
- Tie transaction ids to user accounts. This might be the best solution but it would force me to force everyone to create an account in order to make purchases. Right now it's a single player game so creating an account would seem pointless to users, and I want to make it easy to make purchases. Plus having user account functionality is a whole other beast entirely... I don't really have the time to implement that now.
- Tie transaction ids to unique device ids. Easy to implement but this means that a user would never be able to restore their purchases on a new or different device.
I'm really not sure what to do. I've searched high and low but people only talk about validating new receipts. Any help is greatly appreciated.
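
The step 3 check combined with the device-id option from the post, as an added example that is not part of the original post. It assumes a SQLite table and hypothetical names (`open_store`, `process_receipt`, `store_verified`), and treats the Apple/Google verification of step 2 as already done elsewhere.

```python
import sqlite3


def open_store():
    """In-memory stand-in for the server's receipt database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE receipts ("
        " transaction_id TEXT PRIMARY KEY,"
        " product_id TEXT NOT NULL,"
        " device_id TEXT NOT NULL)"
    )
    return conn


def process_receipt(conn, transaction_id, product_id, device_id, store_verified):
    """Decide what to unlock once step 2 has produced a result.

    store_verified is the outcome of step 2 (Apple's validation response or
    the Google signature check); it is computed elsewhere and passed in.
    """
    if not store_verified:
        return "rejected: invalid receipt"
    with conn:  # single transaction, so two concurrent submissions cannot both claim the id
        cur = conn.execute(
            "INSERT OR IGNORE INTO receipts VALUES (?, ?, ?)",
            (transaction_id, product_id, device_id),
        )
        if cur.rowcount == 1:  # the row was inserted: first time this id is seen
            return "unlocked: new purchase"
        row = conn.execute(
            "SELECT product_id, device_id FROM receipts WHERE transaction_id = ?",
            (transaction_id,),
        ).fetchone()
    if row == (product_id, device_id):
        return "unlocked: restore on original device"
    return "rejected: receipt already bound to another device"


if __name__ == "__main__":
    db = open_store()
    tx = "GPA.0000-CONSTRUCTED"  # constructed transaction id, not a real one
    for device in ("device-A", "device-A", "device-B"):
        print(device, "->", process_receipt(db, tx, "remove_ads", device, True))
```

The third call shows the trade-off named in the post: a receipt passed to a different device is refused, and so is a legitimate restore on a new device.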