Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AppStore in-App Purchase Receipt Verification Issues

I know there have been quite a few posts on this but none seem to address the issues we're running into. So far I think I have everything setup correctly as specified in the iOS Reference Library Verifying Store Receipts documentation. However we're receiving a 21002 "java.lang.NullPointerException" during our POST request to the AppStore verification URL so I must be doing something wrong.

Some issues I've noticed that might be causing this:

1) RECEIPT AMBIGUITY

The documentation states that our iPhone App should be passing just the receipt to our server for verification but doesn't state exactly what the receipt is. At first I thought it might be the entire JSON object below but now I'm wondering if the receipt is just the "purchase-info" field.

Encoded Receipt
ewoJInNpZ25hdHVyZSIgPSAiQWx1SFVsb0dxejZjOVNvSlFVejF0OThhemI2WjJCb2N3WVBhK2ZVYllmdUI5ZE5RQkViV2dTNXVIUUluakdSQ2RScVkxUHhQY2cvMk1kSVlONEN2anc0RkNuc0JqT0d2NGFqNjVBczQ2SERseGd4WjdlTElGUXcrcG9QVlpTZHlEWWF6NHBPaGxxNVBmVXNqdmlZNENYd3VaQzkrSTBHdk55bVZWNkhnR2FCRUFBQURWekNDQTFNd2dnSTdvQU1DQVFJQ0NHVVVrVTNaV0FTMU1BMEdDU3FHU0liM0RRRUJCUVVBTUg4eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURXpNREVHQTFVRUF3d3FRWEJ3YkdVZ2FWUjFibVZ6SUZOMGIzSmxJRU5sY25ScFptbGpZWFJwYjI0Z1FYVjBhRzl5YVhSNU1CNFhEVEE1TURZeE5USXlNRFUxTmxvWERURTBNRFl4TkRJeU1EVTFObG93WkRFak1DRUdBMVVFQXd3YVVIVnlZMmhoYzJWU1pXTmxhWEIwUTJWeWRHbG1hV05oZEdVeEd6QVpCZ05WQkFzTUVrRndjR3hsSUdsVWRXNWxjeUJUZEc5eVpURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFNclJqRjJjdDRJclNkaVRDaGFJMGc4cHd2L2NtSHM4cC9Sd1YvcnQvOTFYS1ZoTmw0WElCaW1LalFRTmZnSHNEczZ5anUrK0RyS0pFN3VLc3BoTWRkS1lmRkU1ckdYc0FkQkVqQndSSXhleFRldngzSExFRkdBdDFtb0t4NTA5ZGh4dGlJZERnSnYyWWFWczQ5QjB1SnZOZHk2U01xTk5MSHNETHpEUzlvWkhBZ01CQUFHamNqQndNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVOaDNvNHAyQzBnRVl0VEpyRHRkREM1RllRem93RGdZRFZSMFBBUUgvQkFRREFnZUFNQjBHQTFVZERnUVdCQlNwZzRQeUdVakZQaEpYQ0JUTXphTittVjhrOVRBUUJnb3Foa2lHOTJOa0JnVUJCQUlGQURBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQUVhU2JQanRtTjRDL0lCM1FFcEszMlJ4YWNDRFhkVlhBZVZSZVM1RmFaeGMrdDg4cFFQOTNCaUF4dmRXLzNlVFNNR1k1RmJlQVlMM2V0cVA1Z204d3JGb2pYMGlreVZSU3RRKy9BUTBLRWp0cUIwN2tMczlRVWU4Y3pSOFVHZmRNMUV1bVYvVWd2RGQ0TndOWXhMUU1nNFdUUWZna1FRVnk4R1had1ZIZ2JFL1VDNlk3MDUzcEdYQms1MU5QTTN3b3hoZDNnU1JMdlhqK2xvSHNTdGNURXFlOXBCRHBtRzUrc2s0dHcrR0szR01lRU41LytlMVFUOW5wL0tsMW5qK2FCdzdDMHhzeTBiRm5hQWQxY1NTNnhkb3J5L0NVdk02Z3RLc21uT09kcVRlc2JwMGJzOHNuNldxczBDOWRnY3hSSHVPTVoydG04bnBMVW03YXJnT1N6UT09IjsKCSJwdXJjaGFzZS1pbmZvIiA9ICJld29KSW1sMFpXMHRhV1FpSUQwZ0lqUXlORGMwTWpVeE1DSTdDZ2tpYjNKcFoybHVZV3d0ZEhKaGJuTmhZM1JwYjI0dGFXUWlJRDBnSWpFd01EQXdNREF3TURFMk1qUTRNVEFpT3dvSkluQjFjbU5vWVhObExXUmhkR1VpSUQwZ0lqSXdNVEV0TURNdE1EZ2dNREk2TkRRNk16Y2dSWFJqTDBkTlZDSTdDZ2tpY0hKdlpIVmpkQzFwWkNJZ1BTQWlZMjl0TG1OdmJYQmhibmt1UVhCd1RtRnRaUzR4TURBd01EQWlPd29KSW5SeVlXNXpZV04wYVc5dUxXbGtJaUE5SUNJeE1EQXdNREF3TURBeE5qSTBPREV3SWpzS0NTSnhkV0Z1ZEdsMGVTSWdQU0FpTVNJN0Nna2liM0pwWjJsdVlXd3RjSFZ5WTJoaGMyVXRaR0YwWlNJZ1BTQWlNakF4TVMwd015MHdPQ0F3TWpvME5Eb3pOeUJGZEdNdlIwMVVJanNLQ1NKaWFXUWlJRDBnSW1OdmJTNWpiMjF3WVc1NUxrRndjRTVoYldVaU93b0pJbUoyY25NaUlEMGdJakV1TUM0eElqc0tmUT09IjsKCSJwb2QiID0gIjEwMCI7Cgkic2lnbmluZy1zdGF0dXMiID0gIjAiOwp9

Decoded Receipt
{
    "signature" = "AluHUloGqz6c9SoJQUz1t98azb6Z2BocwYPa+fUbYfuB9dNQBEbWgS5uHQInjGRCdRqY1PxPcg/2MdIYN4Cvjw4FCnsBjOGv4aj65As46HDlxgxZ7eLIFQw+poPVZSdyDYaz4pOhlq5PfUsjviY4CXwuZC9+I0GvNymVV6HgGaBEAAADVzCCA1MwggI7oAMCAQICCGUUkU3ZWAS1MA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEzMDEGA1UEAwwqQXBwbGUgaVR1bmVzIFN0b3JlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA5MDYxNTIyMDU1NloXDTE0MDYxNDIyMDU1NlowZDEjMCEGA1UEAwwaUHVyY2hhc2VSZWNlaXB0Q2VydGlmaWNhdGUxGzAZBgNVBAsMEkFwcGxlIGlUdW5lcyBTdG9yZTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrRjF2ct4IrSdiTChaI0g8pwv/cmHs8p/RwV/rt/91XKVhNl4XIBimKjQQNfgHsDs6yju++DrKJE7uKsphMddKYfFE5rGXsAdBEjBwRIxexTevx3HLEFGAt1moKx509dhxtiIdDgJv2YaVs49B0uJvNdy6SMqNNLHsDLzDS9oZHAgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNh3o4p2C0gEYtTJrDtdDC5FYQzowDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSpg4PyGUjFPhJXCBTMzaN+mV8k9TAQBgoqhkiG92NkBgUBBAIFADANBgkqhkiG9w0BAQUFAAOCAQEAEaSbPjtmN4C/IB3QEpK32RxacCDXdVXAeVReS5FaZxc+t88pQP93BiAxvdW/3eTSMGY5FbeAYL3etqP5gm8wrFojX0ikyVRStQ+/AQ0KEjtqB07kLs9QUe8czR8UGfdM1EumV/UgvDd4NwNYxLQMg4WTQfgkQQVy8GXZwVHgbE/UC6Y7053pGXBk51NPM3woxhd3gSRLvXj+loHsStcTEqe9pBDpmG5+sk4tw+GK3GMeEN5/+e1QT9np/Kl1nj+aBw7C0xsy0bFnaAd1cSS6xdory/CUvM6gtKsmnOOdqTesbp0bs8sn6Wqs0C9dgcxRHuOMZ2tm8npLUm7argOSzQ==";
    "purchase-info" = "ewoJIml0ZW0taWQiID0gIjQyNDc0MjUxMCI7Cgkib3JpZ2luYWwtdHJhbnNhY3Rpb24taWQiID0gIjEwMDAwMDAwMDE2MjQ4MTAiOwoJInB1cmNoYXNlLWRhdGUiID0gIjIwMTEtMDMtMDggMDI6NDQ6MzcgRXRjL0dNVCI7CgkicHJvZHVjdC1pZCIgPSAiY29tLmNvbXBhbnkuQXBwTmFtZS4xMDAwMDAiOwoJInRyYW5zYWN0aW9uLWlkIiA9ICIxMDAwMDAwMDAxNjI0ODEwIjsKCSJxdWFudGl0eSIgPSAiMSI7Cgkib3JpZ2luYWwtcHVyY2hhc2UtZGF0ZSIgPSAiMjAxMS0wMy0wOCAwMjo0NDozNyBFdGMvR01UIjsKCSJiaWQiID0gImNvbS5jb21wYW55LkFwcE5hbWUiOwoJImJ2cnMiID0gIjEuMC4xIjsKfQ==";
    "pod" = "100";
    "signing-status" = "0";
}

2) INVALID JSON

The data is encoded in base64 and once decoded is supposed to provide the information in a valid JSON object but from what I'm seeing the objects are definitately not valid JSON. Apple appears to be using "=" where ":" should be and ";" where "," should be:

{
    "item-id" = "424742510";
    "original-transaction-id" = "1000000001624810";
    "purchase-date" = "2011-03-08 02:44:37 Etc/GMT";
    "product-id" = "com.company.AppName.100000";
    "transaction-id" = "1000000001624810";
    "quantity" = "1";
    "original-purchase-date" = "2011-03-08 02:44:37 Etc/GMT";
    "bid" = "com.company.AppName";
    "bvrs" = "1.0.1";
}

I'm wondering if one reason why we're receiving an error might be because the receipt they are providing isn't valid JSON so when we post the data for verification the server is rejecting it. Should we be decoding everything, fixing the object to be valid JSON, re-encoding it, and then submitting it to Apple for verification?

I'm hoping that someone else out there who has this working can point me in the right direction on the two questions above or better yet provide the the right CURL call that receives a valid response which would completely solve my problems.

Thanks in advance for your help!

like image 930
Russell C. Avatar asked Mar 09 '11 00:03

Russell C.


People also ask

How do I validate a receipt for an in-app purchase?

Use the production URL https://buy.itunes.apple.com/verifyReceipt when your app is live in the App Store. For more information on these endpoints, see verifyReceipt. Verify your receipt first with the production URL; then verify with the sandbox URL if you receive a 21007 status code.

Does Apple email the receipts of in-app purchases?

Apple will never include an attachment of any kind in an email receipt for a purchase. If you check your Apple ID purchase history and none of the apps from the emails appear, its very likely they are scams. I can send you the emails if you'd like.

How long does it take Apple to review in-app purchases?

On average, 90% of submissions are reviewed in less than 24 hours. You'll be notified by email of status changes. You can also check the review status of your submission in the My Apps section of App Store Connect or on the App Store Connect app for iPhone and iPad.

What is receipt validation in-app purchase?

The receipt validation flow is as follows: The user performs an in-app purchase. The app store notifies the app of the successful purchase. The app developer calls the SDK Receipt Validation function.


2 Answers

If I read the documentation correctly, you're on the wrong track. The receipt that you send for verification is that chunk of data returned by the transactionReceipt property. You shouldn't care what it decodes to, or if it decodes to anything at all. You just base64-encode it, put it into a json object as the value for a key "receipt-data", and post that json object to Apple.

When you get the response back from Apple, that is what is supposed to contain the receipt data in json format.

like image 128
Anomie Avatar answered Sep 19 '22 08:09

Anomie


For anyone else in the future getting the 21002 error. It took a few hours to figure what was going wrong. It generally means that the base 64 encoded string within the JSON you send to Apple's servers is incorrect. This probably means that you're not Base-64 encoding or that your encoding routine is buggy. These are the steps you should use:

1) Base-64 encode all the NSData you receive from the transactionReceipt property of your SKPaymentTransaction object into a NSString object. You can use the method below.

2) Insert that into a JSON string. In objective-C code it would be:

NSString* json = [NSString stringWithFormat:@"{ 'receipt-data' : '%@' }", base64String];

3) HTTP POST that

4) You will get a JSON string back - extract the value for 'status'. If it is 0 your receipt has been confirmed - otherwise it is an unverified purchase.

Below is the code I use to convert the NSData to a Base-64 encoded string:

@interface NSData (Base64Encoding)

- (NSString*)base64Encode;

@end

@implementation NSData (Base64Encoding)

- (NSString*)base64Encode
{
    static char table [] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

    NSInteger length = [self length];
    NSMutableData* data = [NSMutableData dataWithLength:((length + 2) / 3) * 4];
    uint8_t* input = (uint8_t*)[self bytes];
    uint8_t* output = (uint8_t*)data.mutableBytes;

    for (NSInteger i = 0; i < length; i += 3)
    {
        NSInteger value = 0;
        for (NSInteger j = i; j < (i + 3); ++j)
        {
            value <<= 8;

            if (j < length)
            {
                value |= (0xff & input[j]);
            }
        }

        NSInteger index = (i / 3) * 4;
        output[index + 0] =                    table[(value >> 18) & 0x3f];
        output[index + 1] =                    table[(value >> 12) & 0x3f];
        output[index + 2] = (i + 1) < length ? table[(value >> 6) & 0x3f] : '=';
        output[index + 3] = (i + 2) < length ? table[(value >> 0) & 0x3f] : '=';
    }

    return [[[NSString alloc] initWithData:data encoding:NSASCIIStringEncoding] autorelease];
}

@end

To use it just do something like:

NSString* base64string = [transaction.transactionReceipt base64Encode];
like image 24
Cthutu Avatar answered Sep 22 '22 08:09

Cthutu