Bad actor sending request every 11 sec, then dc'ing

I have a problem with the way my server works.

My endpoints proxy production iOS app requests to OpenAI using RevenueCat keys as authentication. The backend auths users by forwarding the client RCAnonymousID to RC to verify entitlements before sending the request on to OpenAI and streaming responses back.

In my app there is a free-usage feature whereby any user can “try out” the app before purchasing the Premium subscription. So each anonymous ID is allowed 10 free uses on the endpoint before the requests are rejected.

Somebody has reverse-engineered this feature by generating random RCAnonymousIDs and sending a new request every 11 seconds, but disconnecting before waiting for a response. This is driving up my usage and filling my SQLite database with thousands of fake users, each with only 1 usage. I can play whack-a-mole by only allowing certain OpenAI endpoints through and rejecting all others, but this feels like more of a band-aid than an actual solution. I need some way to only let my app's requests through and reject all others. Ugh. Maybe it would be easier to get rid of the free feature entirely.

I’m lost and hoping to find some direction on this forum.
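The pattern described above (a fresh anonymous ID on every request, a fixed cadence, and a disconnect before the reply arrives) is easy to spot in access logs once you key on the source rather than on the ID. The detector below is an added example, not the poster's code: it groups requests by source address and flags a source that burns many never-reused IDs at a near-constant interval while aborting most of its requests. The log records, the field layout (timestamp, source IP, RCAnonymousID, client-aborted flag) and the thresholds are constructed for the example.

```python
"""Flag sources that cycle through one-shot anonymous IDs at a fixed cadence.

Added example; the log records below are constructed, not taken from a real server.
Each record is (timestamp_s, source_ip, rc_anonymous_id, client_aborted).
"""
from collections import defaultdict
from statistics import median

SAMPLE_LOG = [
    # Legitimate trial user: one ID, a few requests, waits for every response.
    (0, "203.0.113.5", "$RCAnonymousID:legit-user-1", False),
    (40, "203.0.113.5", "$RCAnonymousID:legit-user-1", False),
    (95, "203.0.113.5", "$RCAnonymousID:legit-user-1", False),
] + [
    # Abuser as described in the post: brand-new ID every 11 s, always gone before the reply.
    (100 + 11 * i, "198.51.100.77", f"$RCAnonymousID:rand-{i:04d}", True)
    for i in range(20)
]


def find_id_churners(records, min_ids=5, max_reuse=1, max_jitter_s=2.0, min_abort_ratio=0.8):
    """Return {source_ip: stats} for sources matching the churn pattern.

    A source is flagged only if it used at least `min_ids` distinct IDs, none of
    them more than `max_reuse` times, with inter-request gaps within
    `max_jitter_s` of the median gap, and at least `min_abort_ratio` of its
    requests aborted by the client before a response was sent.
    """
    per_source = defaultdict(list)
    for ts, src, anon_id, aborted in records:
        per_source[src].append((ts, anon_id, aborted))

    hits = {}
    for src, rows in per_source.items():
        rows.sort()
        id_counts = defaultdict(int)
        for _, anon_id, _ in rows:
            id_counts[anon_id] += 1
        if len(id_counts) < min_ids or max(id_counts.values()) > max_reuse:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]
        cadence = median(gaps)
        jitter = max(abs(g - cadence) for g in gaps)
        abort_ratio = sum(1 for r in rows if r[2]) / len(rows)
        if jitter <= max_jitter_s and abort_ratio >= min_abort_ratio:
            hits[src] = {
                "distinct_ids": len(id_counts),
                "cadence_s": cadence,
                "abort_ratio": abort_ratio,
            }
    return hits


if __name__ == "__main__":
    for src, stats in find_id_churners(SAMPLE_LOG).items():
        print(src, stats)
```

The source address is only a grouping key here; an attacker can spread the flood over many addresses, which is why the detector is a stop-gap for blocking and alerting, not a replacement for making the quota key something the client cannot mint for free.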

Haven’t used these, but I think you’ll need to look into something like DeviceCheck or App Attest to validate traffic between your app and the server. Might have better luck in iOS community asking for best methods to restrict your server to only handling valid requests from your app.
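The underlying flaw in the setup described in the question is that the quota key (the RCAnonymousID) is a string the client picks, so every request can arrive with a brand-new one; the suggestion above fixes that by keying the trial on a device key that Apple attests and that the server registers once. The example below is added here and is not the poster's code nor Apple's or RevenueCat's: it shows the naive gate beside a hardened gate in which a free use is only granted to a previously registered attested key, each request carries a per-key monotonically increasing counter to stop replays, and unknown keys are rejected before any database row is written or any upstream call is made. The App Attest cryptography is simplified on purpose: the per-request assertion is stood in for by an HMAC-SHA256 over the same fields, whereas real App Attest assertions are P-256 ECDSA signatures that the server verifies with the public key it extracted from the attestation object, and the one-time attestation check (certificate chain to Apple's root, nonce, app ID) is assumed to have happened before `register_attested_key` is called. Names such as `TrialGate`, `sign_assertion` and `device-A` are hypothetical.

```python
"""Naive vs. hardened free-trial gate. Added example; not the poster's server code.

App Attest is simplified: HMAC-SHA256 stands in for the P-256 ECDSA assertion
signature, and attestation verification is assumed done before registration.
"""
import hashlib
import hmac
import os
import sqlite3

FREE_USES = 10


class NaiveGate:
    """What the post describes: the quota key is whatever string the client sends."""

    def __init__(self):
        self.usage = {}          # rc_anonymous_id -> uses (the table that fills with fake users)
        self.upstream_calls = 0  # how many times OpenAI was actually called

    def handle(self, rc_anonymous_id):
        # A random ID has no RevenueCat entitlement, which is exactly the free-trial case,
        # so the row is created and the request is forwarded.
        uses = self.usage.get(rc_anonymous_id, 0)
        if uses >= FREE_USES:
            return "reject: trial exhausted"
        self.usage[rc_anonymous_id] = uses + 1
        self.upstream_calls += 1
        return "ok"


def sign_assertion(secret, key_id, counter, body):
    """Device side. Stand-in for the Secure Enclave signing an App Attest assertion."""
    msg = f"{key_id}:{counter}:".encode() + hashlib.sha256(body).digest()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class TrialGate:
    """Quota keyed to a registered attested device key, not to a client-chosen ID."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE devices (key_id TEXT PRIMARY KEY, secret BLOB, counter INTEGER, uses INTEGER)"
        )
        self.upstream_calls = 0

    def register_attested_key(self, key_id, secret):
        # Assumed: the attestation object for key_id was already verified against Apple's
        # root certificate. `secret` stands in for the device's attested public key.
        self.db.execute("INSERT OR IGNORE INTO devices VALUES (?, ?, 0, 0)", (key_id, secret))

    def row_count(self):
        return self.db.execute("SELECT COUNT(*) FROM devices").fetchone()[0]

    def handle(self, key_id, counter, body, signature):
        row = self.db.execute(
            "SELECT secret, counter, uses FROM devices WHERE key_id = ?", (key_id,)
        ).fetchone()
        if row is None:
            return "reject: unknown key"          # nothing written, nothing forwarded
        secret, last_counter, uses = row
        expected = sign_assertion(secret, key_id, counter, body)
        if not hmac.compare_digest(expected, signature):
            return "reject: bad assertion"
        if counter <= last_counter:
            return "reject: replayed assertion"   # App Attest counters must strictly increase
        if uses >= FREE_USES:
            return "reject: trial exhausted"
        # Charge the use before forwarding, so disconnecting early still costs a use.
        self.db.execute(
            "UPDATE devices SET counter = ?, uses = uses + 1 WHERE key_id = ?", (counter, key_id)
        )
        self.upstream_calls += 1
        return "ok"


def demo():
    """Run the flood from the post against both gates and return what happened."""
    naive = NaiveGate()
    for _ in range(50):
        naive.handle("$RCAnonymousID:" + os.urandom(8).hex())

    hardened = TrialGate()
    for _ in range(50):   # random key IDs with garbage signatures, as the attacker would send
        hardened.handle(os.urandom(8).hex(), 1, b"{}", os.urandom(32))

    secret = os.urandom(32)
    hardened.register_attested_key("device-A", secret)
    outcomes = [
        hardened.handle("device-A", c, b"{}", sign_assertion(secret, "device-A", c, b"{}"))
        for c in range(1, 12)
    ]
    replay = hardened.handle("device-A", 3, b"{}", sign_assertion(secret, "device-A", 3, b"{}"))
    return {
        "naive_rows": len(naive.usage), "naive_upstream": naive.upstream_calls,
        "hardened_rows": hardened.row_count(), "hardened_upstream": hardened.upstream_calls,
        "legit_outcomes": outcomes, "replay": replay,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping even if the rest changes: the use is debited before the upstream request is started, so a client that disconnects after sending still pays, and the proxy should cancel the in-flight OpenAI request when the client goes away so an abandoned request does not keep streaming tokens at your expense.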

Thanks, I think this is the correct approach too. I’m not a network security engineer; I just wish these Apple APIs were a little easier to understand. It seems that there’s no other way to fix my problem.
