Mobile game in-app purchases: How to protect them from fraud?

Free gaming apps are free for a reason – they include in-app purchases that are the main revenue stream for their developers. In-app purchases are also an additional revenue source for paid apps. But some mobile game players just want to get a free ride. They’ll do whatever it takes to access premium features or content without spending a penny.

Let’s dive into the problem and learn what the possible solutions are.

What is an in-app purchase?

Just so we’re all on the same page: in-app purchases – or IAPs – are optional fees charged to game users in exchange for additional features. They are also often referred to as microtransactions and can be, e.g., in-game currency, extra lives, bonus health, new levels, cosmetics or power-ups. In-app purchases can cost as little as $0.99, but sometimes they are quite expensive – which is an incentive for fraudsters.

How can in-app purchases be circumvented and why is it bad for your business?

Cheaters circumvent in-app purchases in three main ways:

1. By modifying the app, so that the premium content is unlocked without any actual in-app purchase involved.
2. By faking the payment for the purchase using tools such as Lucky Patcher.
3. By voiding it – through cancelling, revoking or charging it back (and some even go as far as using stolen credit card data to pay for IAPs…).

Allowing this to happen greatly reduces your revenue – if you offer free-to-play titles, this is your source of income. Also, it can give an undeserved advantage to fraudsters over honest players who can then become frustrated at having to pay for your extra offerings.

How do you protect in-app purchases?

The good news is you are not left helpless. There are things you can do in order to protect this valuable income source:

• Do server-side purchase verification. In-app purchases are best validated on a server and content should only be handed out by the server if verification succeeded. Never validate the purchase directly in your app, as some players will be able to simulate it and get access for free.
  
  
• Monitor suspicious transactions. Make sure you detect void purchases quickly by subscribing to the “server-to-server notifications” services offered by mobile game stores. You will know instantly that the status of a purchase has been changed and you’ll be able to revoke the entitlement or perform a clawback. In case of re-offenders, you’ll be able to disable the purchasing option for them or completely block them from accessing your mobile gaming app.
  
  
• Keep game logic at the backend. As a rule of thumb, always move game logic and sensitive data to your backend, so in case of bugs or security issues it will be much more difficult for players to access it for free. Never bundle the unlocked content in your app but retrieve it from your server instead. Also, be sure to encrypt premium content and use a device-specific encryption key to decrypt it.
  
  
• Use anti-tamper solutions. Most of the time, hackers need to modify the app in some way, so make it harder for them by tamper-proofing your game. How? By using a service such as offered by Denuvo by Irdeto.

How will protecting your in-app purchases benefit your business?

You know this already, but let’s stress it anyway: the more in-app purchases your players make, the more revenue they generate for your business. So, stopping them from tampering with that source of revenue should only be logical for you. It will protect your revenue stream and increase the overall profitability of your mobile gaming app.

How do you get started on protecting your mobile games against in-app purchase fraud?

It’s simple, reach out to us and tell us more about your next mobile title!