iTunes in-app purchase receipt verification - obscure-JSON

Question

This question related to
AppStore in-App Purchase Receipt Verification Issues

In short - receipt data from iTunes is encoded in strange kinda-JSON format without any specifications for it. The accepted answer states that there is no need to decode it, it must be just sent to iTunes.

In my case I want decode that data to ensure that bundle_id parameter is equal to my apps bundle_id.
https://buy.itunes.apple.com/verifyReceipt method treats receipt as valid even if it was not generated for my application - so if hacker will send valid receipt from other app to my server - he well succeed.

The question is in how to do such verification properly, that additional step was certainly not intended by iTunes developers (otherwise they would not used pseudo-JSON), but nevertheless I think that it is necessary for protection from such attacks.
Any thoughts on this?

Answer 1

Gill, you should consider the receipt data that you are validating opaque and not try to interpret it. Send it to Apple's verifyReceipt service and examine the response. It will be a non-strange JSON object. If the "status" field is 0 then Apple considers it to be a valid receipt but it is up to your server app to determine if it is being used in a valid context. To do that you can examine the "receipt" object where you'll find the bundle and product IDs among a lot of other things.

If you're determined to some pre-validation of the receipt data before sending to Apple you can do that as well with some extra effort. It is a base64 encoded JSON object that contains two other base64 encoded objects one of which is receipt data as described above. The problem with this approach is the data is not intended to be examined by Apple service users so would be subject to change without notice. It can be a useful technique for debugging however.

Answer 2

If you are using iOS7, you can do receipt validation including bundle_id verification using on-device methods. Take a look at-- iOS InApp Purchase Receipt Validation iOS 7 and A complete solution to LOCALLY validate an in-app receipts and bundle receipts on iOS 7. I'm assuming you are talking about on-device validation and not using your own server to handle validation.