Security Concern with Restoring In App Purchases

Question

So, I have an app that has just been rejected by Apple because of not implementing a restorePurchases button for the user to restore any non-consumable items that they have bought.

I understand the logic behind that, and feel bad for missing it (or not understanding the blocking aspect of its implementation, at least), but I have an unusual case (which I'm not sure is all that unusual, but can't find a lot of best practices around it...)

My app is cross platform, and so the user can purchase the same item on Android as well as iOS, and those purchases need to persist across platforms... so, upon successful authentication, I update a value in my backend that both clients have read-write access to.

Because of this, I consider that I persist purchases across devices and platforms just fine... but the purchases are tied to an account on my application's User class.

Now, if I am to implement the button as required by Apple, what is stopping a User from restoring a purchase associated with an Apple ID to another User in my application database... potentially causing a 'revenue leak' so to speak - for example, signing in as a Friends User, restoring the purchase, which in my case would copy the purchase over to the User class... then I have two Users with only one piece of associated revenue...

So... the questions:

1) Am I being naive about the ability to cheat the system? 2) Does anyone have any best practices about how to solve / work around this issue?

Recommended answer

Firstly, you can provide your user's account name with the purchase information to assist Apple to detect irregular activity -

Detecting Irregular Activity

The App Store uses an irregular activity detection engine to help combat fraud. Some apps can provide additional information to improve the engine’s ability to detect unusual transactions. If your users have an account with you, in addition to their App Store accounts, provide this additional piece of information when requesting payment.

Then, when it comes to restoring purchases, you can provide this same user account information to the restoreCompletedTransactionsWithApplicationUsername: method -

Restoring Completed Transactions

Your app starts the process by calling the restoreCompletedTransactions method of SKPaymentQueue. This sends a request to the App Store to restore all of your app’s completed transactions. If your app sets a value for the applicationUsername property of its payment requests, as described in Detecting Irregular Activity, use the restoreCompletedTransactionsWithApplicationUsername: method to provide the same information when restoring transactions.

Finally, you can use the receipt information on your server to correlate the original transaction with the restored transaction for the same userid and not restore the functionality if it doesn't match.
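
The server-side correlation described in the answer's last step, as an added example that is not part of the original answer: each purchase is keyed on the receipt's original_transaction_id and a restore is granted only to the app account that first claimed it. Receipt validation with Apple is assumed to have happened already; EntitlementLedger, the user ids and the sample transactions are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class EntitlementLedger:
    """Hypothetical backend store binding App Store purchases to app accounts."""
    # original_transaction_id -> app user id that first claimed the purchase
    owners: dict = field(default_factory=dict)
    # app user id -> set of unlocked product ids
    unlocked: dict = field(default_factory=dict)

    def claim(self, user_id, transactions):
        """Apply purchased or restored transactions for user_id.

        Returns {original_transaction_id: "granted" | "denied"}.
        """
        decisions = {}
        for tx in transactions:
            # A restored transaction gets a new transaction_id but keeps the
            # original_transaction_id of the first purchase, so key on that.
            original = tx.get("original_transaction_id") or tx["transaction_id"]
            # First account to present this purchase becomes its owner.
            owner = self.owners.setdefault(original, user_id)
            if owner == user_id:
                self.unlocked.setdefault(user_id, set()).add(tx["product_id"])
                decisions[original] = "granted"
            else:
                # Same Apple ID, different app account: do not copy the purchase.
                decisions[original] = "denied"
        return decisions

    def has(self, user_id, product_id):
        return product_id in self.unlocked.get(user_id, set())


# Constructed sample data, shaped like the in-app entries of a validated receipt.
PURCHASE = {"product_id": "com.example.pro", "transaction_id": "1000000001",
            "original_transaction_id": "1000000001"}
RESTORED = {"product_id": "com.example.pro", "transaction_id": "1000000099",
            "original_transaction_id": "1000000001"}


def demo():
    ledger = EntitlementLedger()
    first = ledger.claim("alice", [PURCHASE])   # original purchase
    again = ledger.claim("alice", [RESTORED])   # alice restores on a new device
    other = ledger.claim("bob", [RESTORED])     # same Apple ID, other app account
    return first, again, other, ledger.has("bob", "com.example.pro")
```

Because the entitlement lives on the app account, the owner still sees the purchase on Android or any other device simply by signing in; the denied restore only stops the copy to a second account.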
