Menu
I mean, should my steps be?
1) Get
SKPaymentTransactionStatePurchased2) Remove it from SKPaymentQueue and provide the content by
[[SKPaymentQueue defaultQueue] finishTransaction: transaction];3) Validate the receipt and then, if it's invalid, block the content i've just provided
Or should i change 2nd step to 3rd instead?
1) Get
SKPaymentTransactionStatePurchased2) Validate the receipt and then, if it's invalid, dont't provide content
3) Remove it from
SKPaymentQueueanyway[[SKPaymentQueue defaultQueue] finishTransaction: transaction];
In first scenario user can turn the internet off right after the purchase, so i won't be able to validate the receipt. But in the second, there may occure some problems with internet between step 1 and 2, so i won't finish the transaction and won't provide the content, that would be a bad user experience.
So what way did you choose for your app and why?
My Choice
I've choosen the second scenario, since choosing the first one makes my app be easily cracked by iAP Cracker.
773
Receipt validation is a way to protect against fraudulent in-app purchases made in the iOS and Android app stores, and is used to ensure transactions occurred as reported.
Use the production URL https://buy.itunes.apple.com/verifyReceipt when your app is live in the App Store. For more information on these endpoints, see verifyReceipt. Verify your receipt first with the production URL; then verify with the sandbox URL if you receive a 21007 status code.
Helpful answers Also, remember that purchases can take 1-3 days, sometimes more, to clear with the bank. Pending means, it has not been charged to your bank account yet.
Scenario 2. If the internet blows up, you won't get to -finishTransaction. But that's cool, cause you can retry (NSTimer) and your app will be given the unfinished transaction on start up. And that's exactly how StoreKit is designed to work (even though it's not obvious from reading the docs).
StoreKit comes with transactions, for a good reason. The user can simply quit the app right after purchasing, and you still have to recover from that. And that's why Apple recommends to set your transaction observer as soon as possible in the app lifecycle.
Don't ever finish the transaction before providing the content, you'll have to implement your own transaction system on top of StoreKit, and you don't want to do that, believe me (I've seen it done, it was a disaster).
Edit: in all honesty, the eventually of a user turning the internet off after purchase and before you validate is ridiculously low. The guy was on they internet a second ago, nobody just goes out to cut the internet in the middle of a purchase. But it's possible that the user gets interrupted at that the moment and send your app to the background. Your app can then get killed for whatever reason iOS deems appropriate. And when you're apps starts again, well your app won't remember having a purchase to start with, and store kit won't be of big help, since you've already finished the transaction.
95
This is what I do:
App sends a request for the downloadable content, with receipt attached as an argument.
The server validates the receipt with iTunes, and if it is valid, it returns the purchased content as the response body to the original request.
This way, even if the app binary is hacked/modified, the content is downloaded only against a valid receipt (because no modifications made on the client app can possibly interfere between my sever and Apple’s).
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
