After a successful purchase I save receipt+transactionID into NSUserDefaults. The same information is sent to the server to keep a record.
Later (on demand), when the user wants to download content from my own server, my app will send receipt+transactionID to the server. It will find the stored receipt by the transaction ID sent from the app and verify both the stored and new receipts with Apple. If some of the keys match, it provides the downloadable content.
However, nowadays it's not hard to get hold of NSUserDefaults and extract receipt+transactionID. Even if I place the information in the keychain, it's possible to capture the receipt from the internet connection.
Now if someone has the receipt+transactionID, they can send a request to my server and get content from any PC. How can I patch this logic without using cryptography?