In App Purchase: Is it compulsory to verify store receipts?

Discussion in 'iOS Programming' started by cthesky, Jan 8, 2013.

  1. cthesky macrumors member

    Aug 21, 2011
    Hi all,

    I have implemented In-App Purchase in my application. I am using the built-in product model to deliver the product. So, is it compulsory or necessary for an application to perform the step of verifying that the receipt I received from Store Kit came from Apple? If it is necessary to verify the store receipt, do I need to do this through an external server? Can it be done on the iOS device?

    Any comments and suggestions are welcome. Thanks a lot. :)
  2. Carob, Jan 8, 2013
    Last edited: Jan 8, 2013

    Carob macrumors newbie

    Apr 19, 2012
    Verifying receipts is recommended as a best practice by Apple to ensure your transactions are secure against certain hacks that attempt to bypass the payment process. You may recall recently there was news that a Russian hacker had figured out how to redirect purchase requests to his server instead of through the App Store (non-jailbroken phones even); effectively he'd return a success message back to the purchasing app along with a transaction receipt. Apps that correctly verified those transaction receipts on their own server were generally not susceptible to this hack. Apple has since made changes in iOS 6 to block that hack, but verifying receipts is still recommended for older OS versions or future similar hacks.

    While verifying receipts on an external server is still regarded as the best security practice, Apple also released some source code you can find in their developer portal called VerificationController that allows you to securely verify receipts from a device without the need for an external server. You'll probably want to read up about VerificationController on Apple's Developer Forum since users over there have made changes to that code to make it easier to incorporate into their projects.

    Verifying receipts isn't compulsory, though it is necessary if you don't want to make your app susceptible to similar exploits that have already been used against App Store apps.
  3. firewood macrumors 604

    Jul 29, 2003
    Silicon Valley
    Nothing is compulsory. For instance, if your IAP feature doesn't cost you, and you don't mind potentially large numbers of users unlocking your IAP product using copied or forged receipts, or if the item isn't worth stealing. For instance, there's a free app that has an IAP to get a "Thanks for donating!" badge.
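
Added example, not part of any post in this thread and not Apple's VerificationController code: the checks a server can apply to the store's verification reply before unlocking a product, covering the forged and copied receipts discussed above. The reply shape (`status`, `receipt.bid`, `receipt.product_id`, `receipt.transaction_id`), the bundle and product identifiers, and all function names are assumptions of this example; the sample reply is constructed.

```python
# Assumption: the server already sent the receipt to Apple's verification
# service and parsed the JSON reply into a dict shaped like SAMPLE_REPLY.
# Field names follow the legacy reply format; confirm them against Apple's docs.
EXPECTED_BUNDLE_ID = "com.example.myapp"      # hypothetical app identifier
KNOWN_PRODUCTS = {"com.example.myapp.pro"}    # hypothetical product catalogue

# Constructed sample reply, not captured from a real transaction.
SAMPLE_REPLY = {
    "status": 0,
    "receipt": {
        "bid": "com.example.myapp",
        "product_id": "com.example.myapp.pro",
        "transaction_id": "1000000000000001",
    },
}


class ReceiptRejected(Exception):
    """Raised when a reply must not unlock anything."""


def check_reply(reply, account, requested_product, redeemed):
    """Return the transaction id to fulfil for `account`, or raise.

    `redeemed` maps transaction id -> account that first redeemed it and
    would be a database table in a real service.
    """
    # status 0 is the store's own confirmation, obtained by this server.
    if not isinstance(reply, dict) or reply.get("status") != 0:
        raise ReceiptRejected("store did not confirm the receipt")
    receipt = reply.get("receipt")
    if not isinstance(receipt, dict):
        raise ReceiptRejected("reply has no receipt body")
    # A genuine receipt copied from a different app fails here.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        raise ReceiptRejected("receipt was issued for another app")
    product = receipt.get("product_id")
    if product not in KNOWN_PRODUCTS or product != requested_product:
        raise ReceiptRejected("receipt is not for the requested product")
    txn = receipt.get("transaction_id")
    if not isinstance(txn, str) or not txn:
        raise ReceiptRejected("receipt has no transaction id")
    # The same account may retry; a second account reusing the id may not.
    if redeemed.setdefault(txn, account) != account:
        raise ReceiptRejected("transaction already redeemed by another account")
    return txn
```

The client's own "purchase succeeded" message is never trusted here: the product is unlocked only from the return value of `check_reply`, computed on the server.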
