RORK LABJP
TOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the roundTOOLING — Rork's developer repos keep moving: rork-xcode was updated on July 16, rork-device on July 15, and rork-plist on July 13OPUS46 — Claude Opus 4.6 is live in Rork, and Rork Max is built to assemble apps on top of Claude CodeSIM — A cloud iOS simulator runs in the browser, with one click to install on a device and two clicks to publish to the App StoreMAX — Rork Max emits pure Swift rather than React Native, reaching iPhone, iPad, Apple Watch, Apple TV, Vision Pro, and even iMessageNATIVE — That opens up HealthKit, ARKit and LiDAR, NFC, Dynamic Island, Live Activities, 3D through Metal, and on-device inference with Core MLSEED — Rork raised a $15M seed led by Left Lane Capital, with Peak XV and a16z Speedrun joining the round
Articles/Dev Tools
Dev Tools/2026-04-21Advanced

Protecting Your Rork App From Fraudulent Purchases and Request Spoofing — A Complete Server-Side Validation Design With App Attest and Play Integrity

A complete walkthrough of how to protect your Rork app's revenue and API endpoints from request spoofing and IAP fraud using Apple's App Attest and Google's Play Integrity APIs, with runnable Cloudflare Workers code and StoreKit 2 JWS verification.

Rork515Security8App AttestPlay IntegrityStoreKit 216server validationindie dev29

Premium Article

About six months into the life of any paid app on the App Store or Google Play, a particular kind of support email starts showing up: "I can't purchase." You suspect your own code at first, but dig in and a non-trivial share turn out to come from clients sending doctored receipts or spoofed API requests. For an indie developer whose app has finally started to sell, leaving this unchecked quietly erodes monthly revenue.

In this article I'll walk through how I harden the API entry points of a Rork-built app using Apple's App Attest and Google's Play Integrity, with the verification layer sitting on Cloudflare Workers. This isn't a product overview — it's the exact pitfalls I ran into adding this to a subscription app, along with the code that's been running in production since.

When combined with StoreKit 2 JWS verification and Google Play Billing signature checks, you can finally assert three things from the server: that the request came from a real build of your app, from a real device, and at a rate your pricing model actually anticipated.

Why device attestation stopped being optional

Let me share a rough picture of the current state first. Even at indie scale, as long as your app is publicly listed on App Store or Play, you will see a steady trickle of the following attack patterns:

  • Fake receipts for purchase spoofing: Doctored StoreKit receipts used to unlock paid features for free. This bites hardest when receipt validation lives only on the client
  • Direct API pounding: Attackers extract your API endpoints from the binary and hit them directly with Python or Postman. This is the single biggest leak for apps that wrap an LLM
  • Feature use after IAP refunds: Users chargeback through their card issuer and then keep using the feature because the app flips a local flag
  • Bypass tooling on jailbroken devices: Small communities distribute automated bypass tools, mostly on iOS

It's tempting to assume that as a solo developer no one targets you, but mass automated scanners pick you up anyway. On my own app, moving from "no attestation" to "App Attest + Play Integrity" reduced unauthorized hits on the AI endpoint from over 7,000 per month to under 50. The integration took a day, runs at effectively zero monthly cost, and is the highest-leverage security investment I've ever made.

What App Attest and Play Integrity actually prove

It's worth clearing up what these APIs do. Both App Attest on iOS and Play Integrity on Android are there to cryptographically prove to your server:

  • App integrity: The binary being run has not been tampered with
  • Device integrity: The device is not jailbroken, rooted, or running a custom bootloader
  • Distribution authenticity: The app came from the real App Store or Play Store

They answer the question "what is calling me?" not "who is calling me?" They're orthogonal to user authentication (Clerk, Supabase Auth, and so on). Stacked together, you can finally say "the real user, on a real device, is running the real app."

App Attest returns a public-key-based attestation object. Play Integrity returns a JWE/JWS token. The formats differ, but the server-side verification flow shapes up almost identically.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
You'll finally have a complete, working pattern for integrating App Attest and Play Integrity into a Rork app — the thing most tutorials gloss over
You can now run cross-platform server-side validation on Cloudflare Workers, with real code you can drop into production today
Combined with StoreKit 2 JWS verification, you can stop the slow drain on subscription revenue that hits most indie developers after six months
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Dev Tools2026-07-11
Verifying StoreKit 2 Signed Transactions in a Cloudflare Worker
If you trust whatever the device says about its purchase state, a tampered entitlement walks right through. This walks through verifying StoreKit 2 signed transactions (JWS) in a Cloudflare Worker so you grant entitlements without trusting the client, with working code.
Dev Tools2026-07-10
Every Key You Ship Is Public: Secret Boundaries and Rotation for Rork-Generated Apps
Unzip your own .ipa, run strings, and your environment variables are right there in plain text. Here is how I sort keys into three tiers, move the dangerous ones behind an edge proxy, and keep a rotation runbook that assumes leakage.
Dev Tools2026-06-27
Before a Free Preview Walks Out via Screenshot: Detecting Screenshots and Screen Recording in Rork/Expo
How to protect paid preview images from screenshots and screen recording in a Rork/Expo app: the limits of expo-screen-capture, native isCaptured monitoring, and an iOS/Android-aware blur design.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →