Late last week, the topic of in-app purchases in iOS apps was drawn into sharp relief by a Russian hacker, who spun up a service that could fake receipts for many popular apps. It effectively bypassed the simple receipt system that Apple has in place for developers, allowing users to make over 30,000 free purchases of in-app content.
The method the hacker used showed just how important it was for developers to go beyond the basic receipt validation process, incorporating secure procedures into their apps to ensure that purchases of their content are legitimate. Unfortunately, these types of validation services are difficult to build, and require knowledge of cryptography and secure server communications, something that many small development teams lack.
That’s why development house Blue Parabola is offering Beeblex, a new super secure and completely free in-app purchase validation service.
The developers of Beeblex have been using its techniques to secure the IAP systems of their own apps, like Let’s Sing, for some time. Now, it’s offering the service free of charge and has provided an Objective-C SDK to make incorporating the validation service easy for developers, especially those who might not have had the resources to do this on their own. Many iOS developers are simply not equipped with the knowledge of how best to secure remote communication with a server, and there are lots of angles to cover that they may not be aware of. Simple issues that can be leveraged to circumvent the system, as was the case with last week’s hack.
The SDK will even be open-sourced, so that Blue Parabola can be helped to identify improvements that can be made to the system.
I spoke to Blue Parabola’s Marco Tabini, who provided me with some details about the service.
How is it that you plan on offering Beeblex free of cost?
We decided to offer this for free because it’s the right thing to do. Server-side validation of IAP receipt is something that all developers should do, but not many can afford due to the complexity and costs involved. We have the resources and the know-how to handle it, and so we did.
More than anything else, we wanted to offer an honest service. It’s truly free, with no catch and no surreptitious collection of data behind the users’ back. There may be opportunities for us to incorporate more services into the product in the future, but for the moment we are worried with providing the best service possible to developers.
So the servers are under your control then?
We do not collect any user-specific information—and, more importantly, we do not see it.
Using our own servers allows us to add more protection, such as time-limited tokens to help prevent man-in-the-middle attacks, and to track receipt use to help prevent receipt reuse.
Lets say the service becomes wildly successful, do you think you can keep up with the volume?
The system is currently hosted on an auto-scaling cloud, so we should be able to handle high loads with relatively little impact on performance. The current code is fairly efficient, but there is always room for improvement, and we’ll tackle that when the need arises.
The system is relatively simple to set up. A developer signs up and registers their app, giving them an API key. They then download and install the SDK, initializing it with the API key. Once they begin processing transactions, they’ll get a communication from Apple, which then gets passed along to Beeblex and verified. The entire implementation is perhaps 10-15 lines of code.
If you’re a developer looking to make your in-app purchases more secure, then Beeblex looks like a good place to start.