2
votes

A client application successfully performs an in-app-purchase and receives a receipt from iTunes. The client then sends this receipt to the server, which verifies it with Apple and, if successful, unlocks some content for the client.

Is it possible to insert extra data in the IAP purchase request such that the receipt or the receipt validation contains this value?

A receipt to help explain

I'm trying to prevent a man-in-the-middle/packet-sniffing type hack, i.e. if someone were to discover another person's receipt and validate it against my server, how is the server to know that this receipt wasn't generated by this person, the one doing the validating?

From Apple's IAP documentation there are a number of values returned in the validation response. Is it possible that I could use the version_external_identifier value? What is its use or value?

Thanks


1 Answer

0
votes

version_external_identifier An arbitrary number that uniquely identifies a revision of your application. This key is missing in receipts created by the sandbox.

That really answers your question; it's a way to determine what revision of your application made the purchase. You can have the same version number but multiple revisions, and this allows for that and IAP.

Is it possible to insert extra data in the IAP purchase request such that the receipt or the receipt validation contains this value?

Ultimately, no. Apple have control of the receipt and its contents. If you follow the guidelines in the documentation (see this for more info, along with the link you posted), you will be OK against a man-in-the-middle attack (Apple would have considered this). Make sure connections to your server and to Apple are HTTPS.

A man in the middle making a purchase on someone's behalf is slightly moot anyway; the purchase request is tied to an Apple ID, meaning the man-in-the-middle would need to know their credentials.
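The server-side flow the question describes (client sends receipt, server verifies it with Apple, then unlocks content), as an added example that is not code from the question or the answer. It assumes the server already knows the authenticated user_id of the caller, uses the legacy verifyReceipt JSON shape (status, receipt.transaction_id, receipt.product_id), and takes the HTTP call as an injected function so a constructed stand-in for Apple can be used offline. The point it adds to the answer above is a replay check: once a validated transaction_id has been redeemed by one account, the same receipt presented by a different account is refused, so a receipt captured from another user cannot unlock content twice.

```python
from typing import Callable, Dict, Tuple

# Apple's legacy verifyReceipt endpoints; the sandbox one serves test builds.
APPLE_PROD_URL = "https://buy.itunes.apple.com/verifyReceipt"
APPLE_SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# transaction_id -> user_id that first redeemed it. A real server keeps this in a
# database; a module-level dict is used here only so the example runs stand-alone.
_redeemed: Dict[str, str] = {}


def verify_and_unlock(user_id: str, receipt_b64: str,
                      post_json: Callable[[str, dict], dict],
                      url: str = APPLE_PROD_URL) -> Tuple[bool, str]:
    """POST the base64 receipt to Apple (over HTTPS in a real deployment),
    then bind the validated transaction to the authenticated user.

    post_json(url, body) -> parsed JSON reply; injected so it can be faked."""
    reply = post_json(url, {"receipt-data": receipt_b64})
    status = reply.get("status")
    if status != 0:  # 0 is the only success status for verifyReceipt
        return False, "apple rejected receipt (status %s)" % status
    info = reply.get("receipt", {})
    txn = info.get("transaction_id")
    if not txn:
        return False, "validated receipt carries no transaction_id"
    owner = _redeemed.get(txn)
    if owner is not None and owner != user_id:
        # Replay: this exact purchase was already redeemed by another account.
        return False, "transaction %s already redeemed by another account" % txn
    _redeemed[txn] = user_id  # first redemption binds the purchase to this user
    return True, "unlocked %s for %s" % (info.get("product_id"), user_id)


# Constructed stand-in for Apple's verifier (no network): maps receipt-data to
# the reply Apple would send. 21003 = receipt could not be authenticated,
# 21002 = receipt-data malformed or missing.
_FAKE_REPLIES = {
    "cmVjZWlwdC0x": {"status": 0, "receipt": {"transaction_id": "1000000001",
                                             "product_id": "com.example.gold"}},
    "Ym9ndXM=": {"status": 21003},
}


def fake_apple(url: str, body: dict) -> dict:
    """Stand-in for post_json that answers like verifyReceipt would."""
    return _FAKE_REPLIES.get(body.get("receipt-data", ""), {"status": 21002})
```

The same user re-submitting their own receipt (for example after reinstalling) is still accepted; only a different account presenting an already-redeemed transaction is turned away.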