In-App Purchase (IAP) validation is a process in which Singular evaluates revenue events in your apps (both Android and iOS) and detects invalid/fraudulent user purchases so that they do not skew your revenue metrics.
For more about setting up events in your SDK integration, see the appropriate SDK guide and Testing Events and Revenue.
Invalid purchases are usually caused by the following types of fraud:
User fraud: Real users hack/fool the app to get IAP-based favors/items without paying for them.
Marketing fraud: Fraudulent publishers send fake revenue events to boost their KPIs and make it seem like they bring in quality users.
Google Play and the Apple App Store generate digital receipts when users make financial transactions through Android and iOS apps. Each receipt encodes the details of the purchase and is cryptographically signed by Google/Apple.
You can send the purchase receipt to Singular alongside your revenue events, allowing Singular to verify the legitimacy of the purchase.
When Singular gets a revenue event with a receipt, it checks the following:
- Singular received a receipt.
- The receipt wasn't reused (i.e., sent in a past transaction).
- The signature on the receipt is valid.
- In iOS, Singular verifies the signature using Apple's certificate.
- In Android, Singular uses the app's licensing key, if it has been provided.
- The receipt details match the app and transaction details
If Singular finds that the revenue event is invalid, it is renamed to __iapinvalid__.
Note: To help make the process even more secure, you can provide the following:
- Android Licensing Key: Allows Singular to verify receipts cryptographically in Android. For more information, see Adding Your Google Play Licensing Key.
- The product SKU identifier and the transaction identifier. For more information, see the SDK documentation (Unity, React Native, Android, iOS) or S2S documentation
To send purchase receipts, use the correct IAP reporting method according to your platform and integration type:
Missing receipts may indicate fraudulent revenue.
Once you have a version of your app that sends receipts to Singular for every purchase, and that new version is live in the app store, all new events (from this version and onwards) should have receipts included.
To have Singular reject revenue from any purchase that doesn't come with a receipt, enable the Reject IAP Without Receipt option for your app on the Apps page.
Note: Revenue from users who installed or updated the app before enabling this option will not be rejected. The exact date is shown next to the toggle.
Once purchase validation is enabled, only valid revenue will be shown in the Revenue field in reporting.
The following fields appear in the logs for both Event and Postback types:
|Field||What to Look For|
|Event name||If the receipt is invalid, the event’s name is __iapinvalid__.|
|Event revenue||If the receipt is invalid, the event’s revenue is 0.|
|Received revenue event||The original event name.|
|Received revenue||The original claimed revenue.|
|Is revenue receipt included||Whether a receipt was provided for the purchase.|
|Is revenue valid||Whether the purchase was found to be valid.|
Internal BI Postbacks
Singular sends the following parameters:
|Parameter||What to Look For|
|event_name||If the receipt is invalid, the event’s name is __iapinvalid__.|
|amount||if the receipt is invalid, the event’s revenue is 0.|
|received_revenue_event||The original event name.|
|received_revenue||The original claimed revenue.|
|purchase_receipt_included||Whether a receipt was provided for the purchase.|
|purchase_receipt_valid||Whether the purchase was found to be valid.|
To configure custom postbacks, see the Event Macros section in Postback Macros & Passthrough Parameters.
Note: If you want to receive postbacks for rejected revenue, you can configure postbacks for the __iapinvalid__ event