I'm using the VerificationController provided by Raywenderlich in several of my apps, and it's been fantastic. Totally reliable, easy to implement, and effective. It's been live in three of my apps for several months each.

However, two days ago, all three apps suddenly stopped working properly. Every purchase is now being flagged as invalid without exception, both for my live users and for my own test accounts. I've made no changes to the apps or their backends; in fact, I've been moving apartments so I literally haven't touched them in a week or more. The change was instantaneous across all three apps, and I've understandably started getting complaints.

The problem seems to be in the checkReceiptSecurity() function (it's always returning NO when it needs to return YES for valid transactions), but the code inside that function is beyond my ability to comprehend. I'm hoping someone has encountered something like this, or perhaps is even experiencing it now, and knows a solution?

As far as I can tell, it seems to be happening on the second of these lines (VerificationController.m line 158).

    require(signature_length > offsetof(struct signature_blob, certificate), outLabel);
    require(signature_blob_ptr->version == 2, outLabel);
    certificate_len = ntohl(signature_blob_ptr->cert_len);

Which are helpfully commented as "Make sure the signature blob is long enough to safely extract the version and cert_len fields, then perform a sanity check on the fields." When it hits the signature_blob_ptr line, it suddenly jumps to the end of the function, which I assume means that it failed a check having to do with the version number of some response from Apple?

Can anyone shed any light on what is happening? This is obviously devastating to my app portfolio, and I need to fix it immediately. I'll disable the verification temporarily and release an update if I have to, but I'd like to find a fix for whatever has changed...

Nerrolken
  • Have you reached a solution for this problem? I'm facing exactly the same situation... – brbgyn May 25 '16 at 00:53
  • @brbgyn I don't think there will be a solution, sadly. Based on the answer below, it looks like Apple effectively destroyed the VerificationController as a viable option. There are other ways of verifying receipts, but none as simple or straightforward as this. For now, I've just submitted updates for my apps that disabled verification, while I look for a new solution. Sorry! – Nerrolken May 28 '16 at 05:11

1 Answer

Search for "receipt validation" at https://forums.developer.apple.com

Apparently, a certificate update just made VerificationController stop working.

The obvious, but not quick at all, fix is to use the more recent receipt validation processing. See: https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Introduction.html#//apple_ref/doc/uid/TP40010573-CH105-SW1

As for the code above, signature_blob_ptr->version == 3 now. But putting 3 instead of 2 in the code is not a fix as the signature is not 128 bytes long anymore.

Francois Robert
  • You mentioned that that link is NOT a quick solution. Is there something faster, a quick option that indie developers can implement while looking into this longer and better method? – Nerrolken May 21 '16 at 04:10
  • I don't know any quick solution (like a 1 day fix). This may be interesting but I have not tried it: http://stackoverflow.com/questions/19943183/a-complete-solution-to-locally-validate-an-in-app-receipts-and-bundle-receipts-o One better approach is probably to use Receigen. But it will probably take you days if not more than a week to figure out all the parts to make it work correctly in your app. – Francois Robert May 21 '16 at 18:28
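
The answer's point that changing 2 to 3 is not enough, shown as an added example (not code from VerificationController or from this thread): when the signature length changes, cert_len sits at a different offset, so a parser that still assumes 128 bytes reads signature bytes as the length and must fail its bounds check. Assumptions: the blob layout in the comment, the 256-byte length for version 3, and the names header_at, parse_header and make_blob are all hypothetical; the code only parses the header and does not verify any signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN_V2 128 /* per the answer: the signature used to be 128 bytes */
#define SIG_LEN_V3 256 /* assumption: the thread does not give the new length */
enum { BLOB_OK = 0, BLOB_SHORT = -1, BLOB_VERSION = -2, BLOB_CERT_LEN = -3 };

/* Assumed layout: version(1) | signature(sig_len) | cert_len(4, big-endian) | certificate */
static int header_at(const uint8_t *blob, size_t len, size_t sig_len, uint32_t *cert_len)
{
    size_t off = 1 + sig_len;                 /* where cert_len should start */
    if (len < off + 4) return BLOB_SHORT;     /* bounds check before any read */
    *cert_len = ((uint32_t)blob[off] << 24) | ((uint32_t)blob[off + 1] << 16) |
                ((uint32_t)blob[off + 2] << 8) | (uint32_t)blob[off + 3];
    if (*cert_len == 0 || *cert_len > len - off - 4) return BLOB_CERT_LEN;
    return BLOB_OK;
}

/* Pick the signature length from the version byte; reject unknown versions. */
static int parse_header(const uint8_t *blob, size_t len, uint32_t *cert_len)
{
    if (len < 1) return BLOB_SHORT;
    if (blob[0] == 2) return header_at(blob, len, SIG_LEN_V2, cert_len);
    if (blob[0] == 3) return header_at(blob, len, SIG_LEN_V3, cert_len);
    return BLOB_VERSION;
}

/* Constructed sample blob (filler bytes, not a real Apple signature). */
static size_t make_blob(uint8_t *out, size_t cap, uint8_t version, size_t sig_len, uint32_t cert_len)
{
    size_t total = 1 + sig_len + 4 + (size_t)cert_len;
    if (total > cap) return 0;
    memset(out, 0xAB, total);
    out[0] = version;
    out[1 + sig_len] = (uint8_t)(cert_len >> 24);
    out[2 + sig_len] = (uint8_t)(cert_len >> 16);
    out[3 + sig_len] = (uint8_t)(cert_len >> 8);
    out[4 + sig_len] = (uint8_t)cert_len;
    return total;
}

int main(void)
{
    uint8_t buf[2048]; uint32_t cl = 0;
    size_t n = make_blob(buf, sizeof buf, 3, SIG_LEN_V3, 1000);
    printf("version-aware parse: %d\n", parse_header(buf, n, &cl));
    printf("v3 blob read at the 128-byte offset: %d\n", header_at(buf, n, SIG_LEN_V2, &cl));
    return 0;
}
```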