LiuJun asked

Appending an extra string to the purchaseToken can also pass the validation?

We validate the transaction from our backend server, and found that the purchaseToken can be faked by appending a string to it. e.g. https://appstore-sdk.amazon.com/version/2.0/verify/developer/XXX/user/YYY/purchaseToken/ZZZ can get a valid result. And once a hacker can hack our app's binary, they can upload a new token with a random suffix like ZZZ123 or ZZZaaa to our backend server, and the faked token can also pass the validation. That may cause our backend server to trust it as a new purchase, increasing the consumable item for that user again and again. And actually he may only pay once to get a valid token, and can generate as many valid tokens as he wants.
iap
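The double-crediting described in the question, as an added example that is not code from the original post or from Amazon: a backend that dedupes consumable purchases on the raw client-supplied token string credits the user once per suffix variant, while one that treats that string as untrusted input, requires it to equal the receiptId carried in the verification response, and dedupes on that ID credits the purchase only once. The verifier below is a stand-in that reproduces the prefix-matching behaviour the question reports, not a call to the real service; the response field name `receiptId`, the product ID, the credit amount and the user ID `YYY` are assumptions.

```python
"""Deduplicate consumable purchases on the canonical receipt ID, not on the
token string the client sent.

Added example, not code from the original post or from Amazon. The verifier
is a stand-in for the RVS GET described in the question; its prefix-matching
behaviour is taken from the post, and the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: the one purchase the store is assumed to know about.
_KNOWN_PURCHASES = {
    "ZZZ": {"receiptId": "ZZZ", "productId": "com.example.coins100", "cancelDate": None},
}

COINS_PER_PURCHASE = 100  # assumed value of the consumable item


def mock_rvs_verify(user_id: str, purchase_token: str) -> Optional[dict]:
    """Stand-in for GET .../user/{user_id}/purchaseToken/{purchase_token}.

    Reproduces the behaviour reported in the post: a token with junk appended
    ("ZZZ123", "ZZZaaa") still verifies as purchase "ZZZ". Returns the receipt
    dict on success, None when the token is unknown. user_id is accepted for
    API shape only and not checked here.
    """
    for canonical, receipt in _KNOWN_PURCHASES.items():
        if purchase_token.startswith(canonical):
            return dict(receipt)
    return None


@dataclass
class PurchaseLedger:
    """Backend state: which receipts were credited, and per-user balances."""
    credited: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def _credit(self, user_id: str) -> None:
        self.balances[user_id] = self.balances.get(user_id, 0) + COINS_PER_PURCHASE

    def credit_naive(self, user_id: str, token: str) -> bool:
        """VULNERABLE: dedupes on the raw client string, so every suffix
        variant of one paid token looks like a new purchase."""
        receipt = mock_rvs_verify(user_id, token)
        if receipt is None or token in self.credited:
            return False
        self.credited.add(token)
        self._credit(user_id)
        return True

    def credit_hardened(self, user_id: str, token: str) -> bool:
        """Fixed: the client string is untrusted. It must equal the receiptId
        the verifier returns, the receipt must not be cancelled, and dedup is
        keyed on that canonical receiptId."""
        receipt = mock_rvs_verify(user_id, token)
        if receipt is None:
            return False
        receipt_id = receipt["receiptId"]
        if token != receipt_id:            # "ZZZ123" != "ZZZ": tampered token
            return False
        if receipt.get("cancelDate") is not None:
            return False
        if receipt_id in self.credited:    # already paid out once
            return False
        self.credited.add(receipt_id)
        self._credit(user_id)
        return True


def demo(tokens=("ZZZ", "ZZZ123", "ZZZaaa")) -> tuple[int, int]:
    """Replay the attack from the post against both handlers.

    Returns (balance under the naive handler, balance under the hardened one).
    """
    naive, hardened = PurchaseLedger(), PurchaseLedger()
    for token in tokens:
        naive.credit_naive("YYY", token)
        hardened.credit_hardened("YYY", token)
    return naive.balances.get("YYY", 0), hardened.balances.get("YYY", 0)


if __name__ == "__main__":
    print("naive=%d hardened=%d" % demo())
```

With the three tokens from the post, the naive handler pays out three times for one purchase while the hardened one pays once; the same receiptId check also stops a replay of the untouched token, because the second submission hits the dedup set.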

1 Answer

Sachin@Amazon answered
Hi LiuJun, thank you for your post. We have received your ContactUs and one of our support engineers will respond to you on that.