I've read Apple's documentation a few times now and I didn't really get much smarter from it. So I hope somebody here knows how to deal with receipt validation:

I know there was a problem pre iOS 6. But is Receipt Validation needed nowadays on iOS 7? Does it really add extra security? It seems like it can cause problems if Apple changes the format of their receipts (parsing them on device).

rmaddy
Max
  • See https://github.com/rmaddy/VerifyStoreReceiptiOS – rmaddy Oct 27 '13 at 05:37
  • So I guess with this you want to say that it's still necessary to do it since you developed a Framework for doing so yourself? – Max Oct 27 '13 at 09:52
  • @rmaddy - understanding how to use your github verifyStoreReceiptiOS seems impossible, having in mind all variations (inApps and bundle verification). You don't explain how to use Apple Root certificate, and the steps involved. Sorry, but your docs are vague as hell. :-/ – Duck Nov 11 '13 at 23:29
  • @RubberDuck The docs are vague for a reason. If it was clearly documented everyone would just implement it exactly the same and the hackers would easily make it useless. By making everyone figure out their own final details, it makes it safer for everyone. The class I posted solves 90% of the effort involved. – rmaddy Nov 11 '13 at 23:33
  • 2
    @rmaddy. Sorry, I understand that crackers would be pleased if everybody uses the same method, but you can put one method as an example and say: these are the steps you have to follow to validate a bundle. These are the steps you have to follow to validate an iapp. This is what is done by this and this methods. Now go create your own methods. No explanation is given about anything. You have to figure out what to do and how todo. I am sure the what to do is the same for every person who implements the verifying. The only thing they have to change is the how. – Duck Nov 11 '13 at 23:37
  • ... (cont)... what I am complaining about is the lack of "what to do". – Duck Nov 11 '13 at 23:39
  • I still don't know how exactly I can handle it, so I have to agree with RubberDuck :/ – Max Nov 14 '13 at 01:08

2 Answers

In what I've seen, iOS7 doesn't change the need for whether or not you should do receipt validation, just how receipt validation is possible. iOS7 has enabled receipt validation on the device (e.g., see link from https://stackoverflow.com/users/1226963/rmaddy above, and see A complete solution to LOCALLY validate an in-app receipts and bundle receipts on iOS 7).

Does on-device receipt validation add extra security? It seems to me that it does. It gives you one more tool with which to secure your purchases. In my app (yet to be released), I want to support iOS6 and iOS7 so I decided to have a back-end server to do receipt validation for the iOS6 case. And since I have that server in place, for iOS7 receipts, I do on-device validation first and if that succeeds, I do server validation as a second check.

Whether or not you do receipt validation (in iOS5, iOS6, iOS7 etc) really depends on how much your security means to you. If you don't have much in the way of security needs, then why spend much time on security. If you do, then do more.

What if Apple changes the format of the receipts? Well, of course, this can and likely will happen. Given that the iOS6 to iOS7 change restructured receipts and in-app purchases considerably, it seems we should expect iOS8 to do so again. That's the future. Deal with what we have now.

Chris Prince
  • For iOS 7, how can you check server-side if a specific IAP is valid? Is there some php basic code to look through? I'm struggling with this problem right now... :/ – Vrasidas Dec 30 '13 at 07:30
  • What I'm scared of is that it could happen that the user purchases something but the receipt validation fails (for whatever reason). So in this case the user gets nothing but was charged right? How to prevent that? – Max Feb 05 '14 at 00:23
  • 1
    I'm wondering about this too. For iOS7, after doing an on-device receipt validation and having the validation fail, Apple recommends that you refresh the receipt (SKReceiptRefreshRequest), and then try validation again. Now, if validation fails after refreshing, what to do? In my code (not on the app store yet), I ask the user to contact customer support (i.e., me). As for server side validation failing (e.g., iOS6), well, doesn't seem much we can do in that case... I'm open to suggestions though! – Chris Prince Feb 06 '14 at 17:57
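The server-side check asked about in the comments above, as an added example in Python (not code from this answer or from any of the linked projects): the server posts the base64 receipt to Apple's verifyReceipt endpoint, retries against the sandbox endpoint when Apple answers status 21007 (sandbox receipt sent to production), and then confirms that the accepted receipt belongs to our bundle and lists the product in question, handling both the iOS 7 unified receipt (`in_app` array) and the older per-transaction receipt shape. The bundle and product identifiers, `fake_post` and the sample replies are constructed placeholders so the module runs offline.

```python
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007  # a sandbox receipt was sent to the production endpoint


def _post_json(url, body):
    """Default transport: POST the JSON body to Apple and parse the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def verify_receipt(receipt_b64, shared_secret=None, post=_post_json):
    """Ask Apple to validate the receipt: production first, sandbox only on 21007."""
    body = {"receipt-data": receipt_b64}
    if shared_secret:  # only needed for auto-renewable subscriptions
        body["password"] = shared_secret
    reply = post(PRODUCTION_URL, body)
    if reply.get("status") == STATUS_SANDBOX_RECEIPT:
        reply = post(SANDBOX_URL, body)
    return reply


def product_is_purchased(reply, bundle_id, product_id):
    """True only if Apple accepted the receipt, it is for our app, and it lists product_id."""
    if reply.get("status") != STATUS_OK:
        return False
    receipt = reply.get("receipt", {})
    if "in_app" in receipt:  # iOS 7 unified app receipt: one entry per transaction
        if receipt.get("bundle_id") != bundle_id:
            return False
        return any(item.get("product_id") == product_id for item in receipt["in_app"])
    # iOS 6 style transaction receipt: product and bundle ("bid") sit directly on the receipt
    return receipt.get("bid") == bundle_id and receipt.get("product_id") == product_id


# Constructed sample replies (not real Apple output) so the module can run offline.
_FAKE_REPLIES = {
    PRODUCTION_URL: {"status": STATUS_SANDBOX_RECEIPT},
    SANDBOX_URL: {"status": STATUS_OK, "receipt": {
        "bundle_id": "com.example.app",
        "in_app": [{"product_id": "com.example.app.pro", "transaction_id": "1000000000000001"}]}},
}


def fake_post(url, body):
    """Stand-in transport that returns the constructed reply for each endpoint."""
    return _FAKE_REPLIES[url]
```

Apple's guidance is to always try production first and fall back to sandbox only on 21007, so the same server code serves both test and release builds; an unlock decision should be made from Apple's reply, never from the receipt the device parsed itself.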

Receipt validation is not required, but needed in these cases:

  • In case of auto-renewable subscriptions when a purchase has just been made – to get an expiration date.
  • When restoring in-app purchases. If a user has reinstalled the app or launched it from a new device, you must provide a mechanism to restore his purchases and give access to features he already paid for.
  • A couple of years ago, when jailbreak was commonly used, developers used to validate receipts to verify that payment wasn’t hacked – I believe those days are gone now, and it’s not so necessary anymore.

Here is a complete FAQ about App Store receipt validation from our blog:

https://blog.apphud.com/receipt-validation/

apphud