
There is a great post on StackOverflow about implementing in-app purchases with receipt validation. However, it warns not to use that code as-is for security reasons, a sentiment found in many tutorials and even in the Apple documentation. For example, it mentions not to do this:

if (failedValidation) {
    exit(173);
}

That is great, but then how are you supposed to do something like this? In this example, that would be verifying whether the receipt is valid or invalid and exiting when it is invalid.

I saw lots of lists of do's and do-not's, but not many examples or ideas on what to do instead. For example, use an opaque predicate, but Wikipedia does not give a single concrete example.

I understand we shouldn't all be using the same code, but some pointers (or a way of thinking on this topic) would be useful. I am hoping that somebody is kind enough to walk beginners like me through the best practices on this. Thanks!

user965972

1 Answer


If you are doing receipt validation at all, you are probably ahead of the curve. If you wanted to add opaque predicates to some boilerplate code, you could do something like this:

@property (nonatomic, assign) BOOL opaque;

- (instancetype)init {
    ...
    _opaque = YES;
    ...
}

- (BOOL)someVerifyMethod {
    if (self.opaque) {
        ...   // real verification path
    } else {
        // fake block: never taken, but looks like a real branch
    }
}

Honestly though, you could probably wait and see if you have a real problem before fixing it -- it's a cost/benefit calculation, and while everyone using the same code theoretically poses a problem, it's not clear the risk of exploit is particularly high.

Undoubtedly opinions differ on this, but ultimately it's a business decision as much as an engineering one.

Ben Flynn
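The following is an added, self-contained example (not code from the asker or the answerer) that carries the answer's sketch through in plain C, the subset every Objective-C file shares, so it can be compiled and run anywhere. It shows the two ideas the thread discusses: an opaque predicate whose outcome is fixed but not obvious from the branch itself, and folding the validation result into data the app actually consumes instead of a single `if (failed) exit(...)` branch. The receipt format, checksum, feature mask and all names (`receipt_t`, `make_receipt`, `opaque_true`, `entitlement_mask`, `feature_enabled`) are constructed for the demo and are not Apple's receipt format or API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a receipt (NOT Apple's ASN.1 receipt format):
 * an opaque payload plus an 8-bit checksum that validation recomputes. */
typedef struct {
    char payload[64];
    uint8_t checksum;
} receipt_t;

/* Toy checksum, only so that a tampered receipt is detectable offline. */
static uint8_t checksum8(const char *s) {
    uint8_t c = 0;
    for (; *s; s++) c = (uint8_t)(c * 31u + (uint8_t)*s);
    return c;
}

/* Build a well-formed sample receipt for the demo. */
receipt_t make_receipt(const char *payload) {
    receipt_t r;
    memset(&r, 0, sizeof r);
    strncpy(r.payload, payload, sizeof r.payload - 1);
    r.checksum = checksum8(r.payload);
    return r;
}

/* Opaque predicate: x*(x+1) is a product of two consecutive integers, so it
 * is always even for every x (also under unsigned wrap-around, since 2^32 is
 * even). Because x is runtime data the branch looks real, but the else arm
 * never executes; it exists only as a decoy, like the "fake block" above. */
static int opaque_true(unsigned x) {
    return ((x * (x + 1u)) & 1u) == 0u;
}

/* Instead of `if (failed) exit(...)`, the validation outcome is folded into a
 * value the rest of the app consumes (here a bitmask of unlocked features).
 * A wrong receipt does not trip a single guard; it simply yields no entitlements. */
unsigned entitlement_mask(const receipt_t *r) {
    unsigned valid = (checksum8(r->payload) == r->checksum) ? 1u : 0u;
    unsigned mask;
    if (opaque_true((unsigned)r->checksum ^ (unsigned)(uint8_t)r->payload[0])) {
        mask = valid * 0x0Fu;                  /* live path: 4 features if valid, 0 if not */
    } else {
        mask = checksum8("decoy") & 0x0Fu;     /* dead decoy path, plausible-looking */
    }
    return mask;
}

/* Feature gates consult the mask rather than a global "validated" flag. */
int feature_enabled(unsigned mask, unsigned bit) {
    return (mask >> bit) & 1u;
}

int main(void) {
    receipt_t good = make_receipt("demo-receipt-v1");   /* constructed sample */
    receipt_t bad = good;
    bad.checksum ^= 0x5A;                               /* simulated tampering */

    printf("valid receipt    -> mask 0x%02X, feature 2 %s\n",
           entitlement_mask(&good),
           feature_enabled(entitlement_mask(&good), 2) ? "on" : "off");
    printf("tampered receipt -> mask 0x%02X, feature 2 %s\n",
           entitlement_mask(&bad),
           feature_enabled(entitlement_mask(&bad), 2) ? "on" : "off");
    return 0;
}
```

The design point is the one the answer hints at: the value of a check should flow into state the program needs (a mask, a key, an offset) rather than into one boolean that a single instruction decides, and the opaque predicate gives the reader of a disassembly a branch that looks meaningful but never changes behaviour. In a real app the toy checksum would be replaced by proper receipt verification, and the same folding pattern would be applied in several independent places rather than once.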