
This strikes me as truly bizarre. They control the servers, yet they allowed anyone who could get their hands on a copy of the game to authenticate and play regardless of whether or not they purchased it? Why on earth wouldn't they track actual payments for the game and check that against requests to the servers? Or better yet, make the game a pay-to-play service like World of Warcraft? Sounds like a huge missed opportunity.

Go find the Apple API that lets them know if this device belongs to a person who really bought the app. To my knowledge (not saying that is super-impressive by any stretch!), it doesn't exist.

It's the same reason you basically have to "repurchase" IAPs when you get a new device. There is no way for the developer to track that information and get you your rightful bits.

This has been going on long enough that I don't think Apple is going to do anything about it, either. I think they'd rather developers take the hit than have their customers get ugly interactions, even if they deserve it for pirating the games.

There are different sorts of IAPs. Consumables need to be bought for each device but non-consumables are recoverable to any device logged into the account. If you try to purchase them again they are free and the developer SHOULD implement a 'Restore Purchases' UI to allow you to recover them all without accidentally buying ones you don't already own.

With IAP the developer can also retrieve a receipt from the device that can be verified by Apple's servers (the process is different in the Mac App Store). This does not apply to the original purchase of apps from the store, only in-app purchase.

You don't need to use the phone's identity for this. Force the user through a login screen on startup - if they have a paid-for account, serve the requests, otherwise sever.

It's how Steam does it.

I'm not sure what you mean by "repurchase" IAPs, but the IAP API provides server-server cryptographic verification from Apple that is not crackable. Not all apps properly verify purchases, so there is mention of pirating IAPs, but done correctly they ensure that a user has paid. This developer should push a free application with a recurring IAP subscription, and somehow make users who have already paid happy.

I completely agree with you. For any service that has continuing costs, you need to find a way to have continuing revenue. A single purchase for a game that has continuing server costs is a very poorly thought out model.

What I mean by "repurchasing" IAPs: Every app I've interacted with forces you to go through the motions of purchasing IAPs when you get a new device. You aren't actually charged, since Apple knows you already bought the item.

I also fully recognize that my familiarity with these APIs is cursory at best.

I didn't look at how they make users pay, but if it's not in-app purchase, they do not have a way to distinguish between legitimate and illegitimate users; therefore they must accept all server requests or none.

That was my thought too. Nonetheless, that's a technical misfeature (they assumed the walled garden provided all the authentication they needed, and it doesn't), and technical misfeatures happen all the time. Now they have to decide whether to implement that feature or not, and that's a business decision: they know what the (legitimate) sales numbers are already. If those aren't enough to justify the cost, then it's simply not worth it and they should just shut it down.

Or, more cynically, they know they can get a bunch of press (and thus, more sales) by "shutting down" the game temporarily while they implement the authentication layer.

It would be hard to do with a paid download since AFAIK Apple does not include some sort of receipt on an app purchase. What I would have done was implement the game as free to download with an unlock IAP. With an IAP Apple returns a receipt to the client that is tied to the user's account. The game server could then verify the receipt with Apple on each client connect.

This would also give the developers the ability to track the receipts and know if it had been hacked and shared. If the same receipt is being used to connect 100s of times simultaneously then it's time to ban a user. So while the IAP method isn't perfect, it would make it a lot harder for casual piracy to succeed.
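One way to implement the connect-time receipt check and the shared-receipt detection described in the comment above, as an added Python example that is not from the thread or from any real game server. `verify_with_apple` is a constructed stand-in for the server-to-server check (a real deployment would POST the receipt to Apple's verification service), and the receipt strings and thresholds are constructed sample values.

```python
import hashlib
import time
from collections import defaultdict

# Constructed sample: receipts that the (stubbed) Apple check would accept.
VALID_RECEIPTS = {"receipt-alice-unlock", "receipt-bob-unlock"}


def verify_with_apple(receipt: str) -> bool:
    """Stand-in for the server-to-server receipt check (assumption: True == Apple says the receipt is valid)."""
    return receipt in VALID_RECEIPTS


class ConnectGate:
    """Gate each client connect on a valid receipt and flag receipts shared across too many live sessions."""

    def __init__(self, verifier, max_concurrent=3, session_ttl=60):
        self.verifier = verifier
        self.max_concurrent = max_concurrent  # how many simultaneous sessions one receipt may hold
        self.session_ttl = session_ttl        # seconds of silence before a session is considered gone
        self.sessions = defaultdict(dict)     # receipt_id -> {session_id: last_seen}
        self.banned = set()

    @staticmethod
    def _receipt_id(receipt: str) -> str:
        # Track a hash rather than the raw receipt so logs and memory never hold the credential itself.
        return hashlib.sha256(receipt.encode()).hexdigest()[:16]

    def connect(self, receipt: str, session_id: str, now=None) -> str:
        now = time.time() if now is None else now
        rid = self._receipt_id(receipt)
        if rid in self.banned:
            return "banned"
        if not self.verifier(receipt):
            return "rejected"  # no valid purchase behind this client
        live = self.sessions[rid]
        for sid, seen in list(live.items()):  # drop sessions that have gone quiet
            if now - seen > self.session_ttl:
                del live[sid]
        live[session_id] = now
        if len(live) > self.max_concurrent:
            # One receipt driving many simultaneous clients is the sharing pattern the comment describes.
            self.banned.add(rid)
            return "banned"
        return "ok"
```

A reconnect from an already-tracked session refreshes its timestamp and does not count as a new client, so legitimate reconnects after a dropped link are not penalised.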
