Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

iOS In App Purchase: Is it compulsory to verifying store receipts?

C

cthesky

macrumors member
Original poster
Aug 21, 2011
91
0
Hi all,

I have implement In-App Purchase in my application. I am using the build-in product model to deliver the product. So, is it compulsory or necessary for an application to perform the step of verifying that the receipt I received from Store Kit came from Apple? If it is necessary to verify the store receipt, am I need to do this through an external server? Can it be done through the IOS devices?

Any comments and suggestions are welcome. Thanks a lot. :)
 
cthesky said:
Hi all,

I have implement In-App Purchase in my application. I am using the build-in product model to deliver the product. So, is it compulsory or necessary for an application to perform the step of verifying that the receipt I received from Store Kit came from Apple? If it is necessary to verify the store receipt, am I need to do this through an external server? Can it be done through the IOS devices?

Any comments and suggestions are welcome. Thanks a lot. :)
Click to expand...

Verifying receipts is recommended as a best practice by Apple to ensure your transactions are secure against certain hacks that attempt to bypass the payment process. You may recall recently there was news that a Russian hacker had figured out how to redirect purchase requests to his server instead of through the App Store (non-jailbroken phones even); effectively he'd return a success message back to the purchasing app along with a transaction receipt. Apps that correctly verified those transaction receipts on their own server were generally not susceptible to this hack. Apple has since made changes in iOS 6 to block that hack, but verifying receipts is still recommended for older OS versions or future similar hacks.

While verifying receipts on a external server is still regarded as the best security practice, Apple also released some source code you can find in their developer portal called VerificationController that allows you to securely verify receipts from a device without the need for an external server. You'll probably want to read up about VerificationController on Apple's Developer Forum since users over there have made changes to that code to make it easier to incorporate into their projects.

Verifying receipts isn't compulsory, though it is necessary if you don't want to make your app susceptible to similar exploits that have already been used against App Store apps.
 
Last edited:
Nothing is compulsory. For instance if your IAP feature doesn't cost you, and you don't mind potentially large numbers of users unlocking your IAP product using copied or forged receipts, or if the item isn't worth stealing. For instance, there's a free app that has a IAP to get a "Thanks for donating!" badge.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back