agamedev asked

Checking for duplicate tokens

What is the recommended method for checking hacker submissions of duplicate tokens to RVS? Is it valid to save a token in our database and check whether a token has been used before? One issue with that is that it is quite a large string comparison. iOS gives you a reasonably sized transaction id for this purpose. Please advise.
iap
Sujoy@Amazon answered
Hi Agamedev, thank you for showing interest in Amazon IAP. We have forwarded your query to the concerned team. I will post back once I receive a reply from them.
Sujoy@Amazon answered
Hi Agamedev, thank you for posting, and sorry for the delay in responding. Hacker submission is a common issue for every client-server based app. For IAP RVS, I think you could carry one field (say verifyToken) in the HTTP header or body, and the verifyToken would contain a large number generated by a complicated algorithm (using the application identifier and product identifier; you have to design it with your own logic) that your client and server would both be aware of. You need to persist all acknowledged verifyTokens on the server, and you would not process a request if its verifyToken has already been acknowledged. This way a hacker would not be able to replay a request which has already been processed. Now, a hacker could try to modify the verifyToken and resend the request. There your server has to verify whether the verifyToken satisfies your algorithm or not. If not, you can simply ignore the request. This way a hacker would not be able to reach your server without breaking the algo you have designed. Please note, this is not the officially recommended way to have a hack-proof RVS system; it is how I thought I could have solved the problem you are facing, and it might not be 100% hack proof. But it would make the hacker's job much harder. You are welcome to ask further questions on it. Thanks.
agamedev answered
Thanks for your response. FYI, we ended up using an MD5 hash of the token you send. This results in a short string that can be compared efficiently.
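A worked version of the scheme this thread converges on (persist a fingerprint of every acknowledged receipt and refuse to process it a second time), added here as an example and not code from the thread or from Amazon. It assumes the receipt has already been validated against RVS, uses constructed sample receipt IDs rather than real tokens, substitutes SHA-256 for the MD5 mentioned above, and does the check-and-insert in a single statement so that two concurrent replays of the same receipt cannot both be granted.

```python
import hashlib
import sqlite3

# Constructed sample receipt IDs standing in for RVS receipt tokens (not real).
SAMPLE_RECEIPTS = [
    "q1YqVrJSyjH28DGPKChxdHdOzi8tLi1Kzi9KLQEA",  # first purchase
    "q1YqVrJSyjH28DGPKChxdHdOzi8tLi1Kzi9KLQEA",  # same receipt replayed
    "q1YqVrJSyjH28DGPKChxdHdOzi8tLi1Kzi9KLQEB",  # a different receipt
]


def receipt_fingerprint(receipt_id: str) -> str:
    """Fixed-width digest of the long receipt ID, used as the dedup key.

    The thread used MD5; SHA-256 is substituted here (an assumption). Any
    fixed-width digest is cheap to index and compare in the database.
    """
    return hashlib.sha256(receipt_id.encode("utf-8")).hexdigest()


def open_ledger() -> sqlite3.Connection:
    """Ledger of acknowledged receipts. The PRIMARY KEY makes the database,
    not application code, the arbiter of 'has this receipt been seen'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acknowledged_receipts ("
        "  fingerprint TEXT PRIMARY KEY,"
        "  user_id TEXT NOT NULL,"
        "  sku TEXT NOT NULL)"
    )
    return conn


def acknowledge_receipt(conn, receipt_id: str, user_id: str, sku: str) -> bool:
    """Record a receipt that RVS has already validated (assumed done by the
    caller). Returns True if it is new (grant the item) and False if it was
    already acknowledged (treat as a replay and grant nothing).

    A SELECT followed by an INSERT would be racy under concurrent requests;
    one INSERT OR IGNORE either claims the row or reports it already exists.
    """
    cur = conn.execute(
        "INSERT OR IGNORE INTO acknowledged_receipts (fingerprint, user_id, sku)"
        " VALUES (?, ?, ?)",
        (receipt_fingerprint(receipt_id), user_id, sku),
    )
    conn.commit()
    return cur.rowcount == 1  # 0 rows changed means the receipt was a replay


def process_samples() -> list:
    """Run the constructed receipts through a fresh ledger: [True, False, True]."""
    conn = open_ledger()
    return [acknowledge_receipt(conn, r, "user-42", "com.example.coins") for r in SAMPLE_RECEIPTS]
```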

Sujoy@Amazon answered
Hi Agamedev, good to see your answer. That's a good idea, of course, and we can advise the same to other developers.