Validate Receipt - Security issue #75
Comments
I don't have a server. I'm using local validation.
As I could see, you are validating the receipt remotely, using this from the device: If you would like to validate the receipt locally, you may use OpenSSL. https://www.objc.io/issues/17-security/receipt-validation/ Regards
This is definitely a security issue. I was actually just watching the WWDC video titled Using Store Kit for In-App Purchases with Swift 3. In that video, Dana, the presenter, discusses never calling the There are ways to validate the receipt on the device and he discusses these in this video. The links @andresmontelpare shared are very helpful as well.
Also looking forward to local receipt verification, because for now if I want to check for an auto-renewable validation I can't do it if for ex. the user is not connected to the internet. Thanks in advance @bizz84 for the update. SwiftyStoreKit truly is the best wrapper I found.
@bizz84 It means InAppReceipt.base64EncodedString should be public for some guys, because they need to verify the receipt with a server instead of calling the local verify-receipt function.
I use a node.js server to verify every in-app purchase. Having a security-related background, I would never consider using the app (client) to verify a receipt. Never trust the client. To clear a misunderstanding: when Apple say "use an independent server to verify", they are not talking about a direct connection to https://buy.itunes.apple.com/verifyReceipt but your own custom server. App --> Server --> Apple (https://buy.itunes.apple.com/verifyReceipt)
@cherishloveyou From version 0.5.4, it is now possible to get the local receipt data by calling
@rebeloper I opened #101 to keep track of local receipt validation.
Closing this as local receipt validation is tracked here: #101 |
There are two ways to validate a receipt properly: locally, or via the App Store from a server.
https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Introduction.html
"Use a trusted server to communicate with the App Store. Using your own server lets you design your app to recognize and trust only your server, and lets you ensure that your server connects with the App Store server. It is not possible to build a trusted connection between a user’s device and the App Store directly because you don’t control either end of that connection."
The way you are doing it, you may have security problems.