What is the recommended method for checking hacker submissions of duplicate tokens to RVS? Is it valid to save a token in our database and check whether a token has been used before? One issue with that is that it is quite a large string comparison. iOS gives you a reasonably sized transaction ID for this purpose. Please advise.
Hi Agamedev, thank you for posting and sorry for the delay in responding. Hacker submission is a common issue for every client-server based app.

For IAP RVS, I think you could carry one field (say verifyToken) in the HTTP header or body, and the verifyToken would contain a large number generated by a complicated algorithm (using the application identifier and product identifier; you have to design it with your own logic) which your client and server would both be aware of. You need to persist all acknowledged verifyTokens on the server, and you would not process the request if the verifyToken has already been acknowledged. This way a hacker would not be able to replay a request which has already been processed.

Now, a hacker could try to modify the verifyToken and resend the request. There your server has to verify whether the verifyToken satisfies your algorithm or not. If not, you can simply ignore the request. This way a hacker would not be able to reach your server without breaking the algorithm you have designed.

Please note, this is not an officially recommended way to have a hack-proof RVS system. I thought about how I could have solved the problem you are facing, and it might not be 100% hack-proof, but it would make the hacker's job much harder. You are welcome to ask further questions on it. Thanks.
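The following is an added example sketching the server-side half of the design described in the answer above; it is not code from Amazon or from the original thread. The "complicated algorithm" is left to the developer in the answer, so this example substitutes an HMAC-SHA256 over the application identifier, product identifier and a client-chosen nonce, keyed with a secret shared by client and server (the secret, the `|`-separated message layout, the `nonce.mac` token format and the identifiers used as sample input are all assumptions). It also addresses the "large string comparison" concern from the question by storing a fixed-size SHA-256 digest of each acknowledged token rather than the raw string, so the replay check is a lookup on a 32-byte key. One caveat a practitioner would add: a secret that ships inside the client can be extracted from the binary, so the HMAC check raises the bar against casual replay and tampering but does not replace verifying the receipt with RVS itself.

```python
import hashlib
import hmac
import secrets

# Assumed shared secret. In this design it must also live in the client,
# so treat it as an obstacle, not a trust anchor (constructed for the example).
SHARED_SECRET = b"example-shared-secret-replace-me"


def _mac(app_id: str, product_id: str, nonce: str) -> str:
    """HMAC-SHA256 over the fields the answer suggests the token is derived from."""
    msg = f"{app_id}|{product_id}|{nonce}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def make_verify_token(app_id: str, product_id: str, nonce=None) -> str:
    """Client side (hypothetical): a fresh nonce plus the MAC, joined as 'nonce.mac'.

    The nonce makes every purchase request produce a distinct token, so the
    server's acknowledged-token store distinguishes a replay from a new purchase.
    """
    nonce = nonce or secrets.token_hex(8)
    return f"{nonce}.{_mac(app_id, product_id, nonce)}"


class PurchaseServer:
    """Server side: reject tokens that fail the algorithm, then reject replays."""

    def __init__(self):
        # Acknowledged tokens are stored as SHA-256 digests (32 bytes each),
        # so the "has this been used before?" check compares fixed-size keys
        # instead of the full token string. A real deployment would put this
        # in a database column with a unique index.
        self._acknowledged = set()

    def handle(self, app_id: str, product_id: str, verify_token: str) -> str:
        # 1. Structural check: the token must be 'nonce.mac'.
        parts = verify_token.split(".")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            return "rejected: malformed"
        nonce, mac = parts

        # 2. Does the token satisfy the algorithm? A modified token, or a
        #    valid token submitted for a different product, fails here.
        #    compare_digest avoids leaking the mismatch position via timing.
        if not hmac.compare_digest(mac, _mac(app_id, product_id, nonce)):
            return "rejected: bad token"

        # 3. Replay check against the acknowledged-token store.
        key = hashlib.sha256(verify_token.encode()).digest()
        if key in self._acknowledged:
            return "rejected: replay"

        # 4. Acknowledge and process (fulfilment would go here).
        self._acknowledged.add(key)
        return "accepted"


def demo():
    """Walk through the cases the answer describes: fresh, replayed, tampered."""
    server = PurchaseServer()
    token = make_verify_token("com.example.app", "coins_100")
    first = server.handle("com.example.app", "coins_100", token)
    replay = server.handle("com.example.app", "coins_100", token)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    modified = server.handle("com.example.app", "coins_100", tampered)
    return first, replay, modified


if __name__ == "__main__":
    print(demo())
```

Because the check order is structure, then MAC, then replay, the acknowledged-token store is only ever written for tokens that passed the algorithm, so an attacker cannot fill it with junk by sending malformed requests.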