Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

When should i validate in-app purchase transaction receipt?

Tags:

I mean, should my steps be?

1) Get SKPaymentTransactionStatePurchased

2) Remove it from SKPaymentQueue and provide the content by [[SKPaymentQueue defaultQueue] finishTransaction: transaction];

3) Validate the receipt and then, if it's invalid, block the content i've just provided

Or should i change 2nd step to 3rd instead?

1) Get SKPaymentTransactionStatePurchased

2) Validate the receipt and then, if it's invalid, dont't provide content

3) Remove it from SKPaymentQueue anyway [[SKPaymentQueue defaultQueue] finishTransaction: transaction];

In first scenario user can turn the internet off right after the purchase, so i won't be able to validate the receipt. But in the second, there may occure some problems with internet between step 1 and 2, so i won't finish the transaction and won't provide the content, that would be a bad user experience.

So what way did you choose for your app and why?

My Choice

I've choosen the second scenario, since choosing the first one makes my app be easily cracked by iAP Cracker.

like image 773
Nikita Pestrov Avatar asked Apr 03 '12 04:04

Nikita Pestrov


People also ask

What is receipt validation in-app purchase?

Receipt validation is a way to protect against fraudulent in-app purchases made in the iOS and Android app stores, and is used to ensure transactions occurred as reported.

How do I validate a receipt for an in-app purchase?

Use the production URL https://buy.itunes.apple.com/verifyReceipt when your app is live in the App Store. For more information on these endpoints, see verifyReceipt. Verify your receipt first with the production URL; then verify with the sandbox URL if you receive a 21007 status code.

How long does it take for Apple to process an in-app purchase?

Helpful answers Also, remember that purchases can take 1-3 days, sometimes more, to clear with the bank. Pending means, it has not been charged to your bank account yet.


2 Answers

Scenario 2. If the internet blows up, you won't get to -finishTransaction. But that's cool, cause you can retry (NSTimer) and your app will be given the unfinished transaction on start up. And that's exactly how StoreKit is designed to work (even though it's not obvious from reading the docs).

StoreKit comes with transactions, for a good reason. The user can simply quit the app right after purchasing, and you still have to recover from that. And that's why Apple recommends to set your transaction observer as soon as possible in the app lifecycle.

Don't ever finish the transaction before providing the content, you'll have to implement your own transaction system on top of StoreKit, and you don't want to do that, believe me (I've seen it done, it was a disaster).

Edit: in all honesty, the eventually of a user turning the internet off after purchase and before you validate is ridiculously low. The guy was on they internet a second ago, nobody just goes out to cut the internet in the middle of a purchase. But it's possible that the user gets interrupted at that the moment and send your app to the background. Your app can then get killed for whatever reason iOS deems appropriate. And when you're apps starts again, well your app won't remember having a purchase to start with, and store kit won't be of big help, since you've already finished the transaction.

like image 95
kra Avatar answered Sep 21 '22 20:09

kra


This is what I do:

  1. App sends a request for the downloadable content, with receipt attached as an argument.

  2. The server validates the receipt with iTunes, and if it is valid, it returns the purchased content as the response body to the original request.

This way, even if the app binary is hacked/modified, the content is downloaded only against a valid receipt (because no modifications made on the client app can possibly interfere between my sever and Apple’s).

like image 40
Nicolas Miari Avatar answered Sep 25 '22 20:09

Nicolas Miari