I’m trying to figure out if there’s a way to add an additional layer of security to apps. I’ve built an app that has free content and VIP content that comes at an added cost. While playing with the app last night, a buddy and I figured out that if one VIP user chooses to share his app credentials (email address + pin code), the VIP user AND anyone else can access VIP content at the same time. Here’s how I have things set up and how we discovered the loophole in the system:
- User purchases VIP access and email is added to “Whitelist Email” list for app
- VIP user attempts to log into the app and is automatically sent a unique pin code
- VIP user fetches pin code and is then granted access into the app
- VIP user then tells friends and family that they can have access too via his/her email
- VIP user shares email address to friend
- Friend attempts to log into the app, triggering another pin code to the VIP user email
- VIP user fetches the pin code and shares it with his/her friend
- Friend then enters pin code and is granted access into the app
- VIP user repeats same process with as many people as he/she wishes
- Now that friends and family have successfully logged in, they have access for life
There must be a way to stop this, right? I was thinking that if the app back end recognizes “User 1” logs in via a device or ip address and then “User 2” logs in simultaneously under the same email on a different device or ip address, perhaps the system could boot “User 1” off and only allow one device or ip address to be using the app at any given time.
Any thoughts on what I could do? This problem poses a legitimate threat to the profitability of my app. Any help is appreciated. Thanks!
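Below is an added example, in Python, of the one-active-session policy the question proposes; it is not code from the original post or the app. It assumes the app generates a per-install device identifier and sends it with every request (the `device_id` parameter), that in-memory dicts stand in for the real database, and that `request_pin` returns the PIN only so the example can run offline (the real backend e-mails it and returns nothing to the client). The scenario function replays the sharing steps from the question against it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; tune them for the real app.
PIN_TTL_SECONDS = 5 * 60                 # an e-mailed PIN is good for 5 minutes
SESSION_TTL_SECONDS = 30 * 24 * 60 * 60  # sessions expire; no "access for life"
MAX_PIN_ATTEMPTS = 5                     # a 6-digit PIN must not be guessable


@dataclass
class PinRecord:
    pin_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class Session:
    email: str
    device_id: str      # identifier the app generates on install (assumption)
    expires_at: float


class AuthBackend:
    """Server-side state: whitelist, outstanding PINs, and at most one live
    session per e-mail address. Dicts stand in for a database."""

    def __init__(self, whitelist, clock=time.time):
        self.whitelist = {e.lower() for e in whitelist}
        self.clock = clock             # injectable so expiry can be exercised
        self.pins = {}                 # email -> PinRecord
        self.sessions = {}             # token -> Session
        self.active_token = {}         # email -> the one token currently allowed

    def _pin_hash(self, email, pin):
        return hashlib.sha256(f"{email}:{pin}".encode()).digest()

    def request_pin(self, email):
        """Step 1: mint a fresh single-use PIN for a whitelisted address."""
        email = email.lower()
        if email not in self.whitelist:
            return None   # respond identically either way; don't leak whitelist membership
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pins[email] = PinRecord(self._pin_hash(email, pin),
                                     self.clock() + PIN_TTL_SECONDS)
        return pin        # real app: e-mail it, return nothing

    def redeem_pin(self, email, pin, device_id):
        """Step 2: trade a valid PIN for a session token bound to this device.
        Any session the account already had is revoked (last login wins)."""
        email = email.lower()
        rec = self.pins.get(email)
        if rec is None or self.clock() > rec.expires_at:
            self.pins.pop(email, None)
            return None
        rec.attempts += 1
        if rec.attempts > MAX_PIN_ATTEMPTS:
            del self.pins[email]       # lock out guessing
            return None
        if not hmac.compare_digest(rec.pin_hash, self._pin_hash(email, pin)):
            return None
        del self.pins[email]           # single use: a redeemed PIN is dead
        old = self.active_token.pop(email, None)
        if old is not None:
            self.sessions.pop(old, None)   # boot the previous device
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(email, device_id,
                                       self.clock() + SESSION_TTL_SECONDS)
        self.active_token[email] = token
        return token

    def authorize(self, token, device_id):
        """Run on every VIP content request, not only at login."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if self.clock() > s.expires_at:
            self.revoke_session(token)
            return False
        # A token copied to another device is refused.
        return hmac.compare_digest(s.device_id.encode(), device_id.encode())

    def revoke_session(self, token):
        s = self.sessions.pop(token, None)
        if s is not None and self.active_token.get(s.email) == token:
            del self.active_token[s.email]


def sharing_scenario(now=1_700_000_000.0):
    """Replays the loophole from the question against this backend."""
    clock = [now]
    b = AuthBackend(["vip@example.com"], clock=lambda: clock[0])
    vip_token = b.redeem_pin("vip@example.com",
                             b.request_pin("vip@example.com"), "vip-phone")
    # Friend triggers a second PIN; the VIP user reads it from e-mail and forwards it.
    pin = b.request_pin("vip@example.com")
    friend_token = b.redeem_pin("vip@example.com", pin, "friend-phone")
    result = {
        "vip_still_in": b.authorize(vip_token, "vip-phone"),          # False: booted
        "friend_in": b.authorize(friend_token, "friend-phone"),       # True, for now
        "friend_token_on_third_phone": b.authorize(friend_token, "third-phone"),
        "pin_reused": b.redeem_pin("vip@example.com", pin, "third-phone") is not None,
    }
    clock[0] += SESSION_TTL_SECONDS + 1   # much later: the session has aged out
    result["friend_in_after_expiry"] = b.authorize(friend_token, "friend-phone")
    return result


if __name__ == "__main__":
    print(sharing_scenario())
```

Two design choices worth noting. The session is bound to an app-generated device identifier rather than an IP address: mobile users change IP constantly, and several people behind one NAT share one, so IP-based "one address at a time" would both lock out legitimate users and fail to separate sharers. And the policy is enforced on every content request with an expiring server-side session, which is what closes the "access for life" part of the loophole; sharing the account is still possible, but only one device holds access at a time and each new login boots the last one.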