In-App Purchases: Receipt Validation Tutorial

In this tutorial, you’ll learn how receipts for In-App Purchases work and how to validate them to ensure your users have paid for the goodies you give them. By Bill Morefield.


Running the App

Run the app. You must run this project on a real device: Store-related code won't work in the simulator. You'll also need a sandbox account set up as described in In-App Purchase Tutorial: Getting Started. In an app purchased from the App Store, a receipt would already be present, but when testing from Xcode you'll need to request a receipt refresh to get one. The tutorial app already does this; you'll need to log in with the sandbox account when prompted. The app then uses the code from this tutorial to verify the receipt and display the information it contains.

Once you've done this, add in-app purchases as described in the IAP tutorial. Make sure to also update ViewController.swift with the product identifiers. Use the Buy IAP button and a sandbox account. You'll see that the table view lists these in-app purchases. Also try consumable purchases, and note how they disappear after you refresh the receipt.

Protecting Receipt Validation Code

Attackers will work to bypass your receipt validation code. Using this or any other receipt validation code unchanged carries risk: if an attacker can bypass the check in one app that uses this exact code, the attacker can more easily repeat the process for any other app with the same code. For a high-value or high-profile app, you'll want to modify the code from this tutorial while preserving the same checks.

To make the validation harder to bypass, you can perform it repeatedly at different points in the app instead of just once. Avoiding explicit error messages such as "Receipt Validation Failed" makes the attacker's job more difficult, because such strings are easy to locate in a binary. Placing the code that reacts to a failure in a section of your app away from the validation check also makes the attacker's job more difficult.

In the end, you will need to balance the risks of unauthorized access to your app against the extra time and complexity the additional obfuscation of the code adds to your development process.
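As an added illustration of the three measures above (this is not the tutorial's own code), the Swift below re-runs validation every time the app becomes active, stores the outcome as a plain set of product identifiers with no user-facing error, and keeps the feature-gating code that reacts to a failure separate from the check. The `ReceiptValidating` protocol is a hypothetical wrapper around the validator built earlier in the tutorial, and the product identifier is a placeholder.

```swift
import UIKit

/// Hypothetical abstraction over the receipt validator built earlier in the tutorial.
protocol ReceiptValidating {
    /// Product identifiers from a receipt that passed the signature, bundle ID and
    /// hash checks, or nil when any check fails.
    func validatedProductIdentifiers() -> Set<String>?
}

/// Keeps the validation outcome as a plain value. Nothing here shows an alert or
/// logs a telltale string, so a failure leaves no obvious landmark to search for.
final class EntitlementStore {
    private let validator: ReceiptValidating
    private var unlocked: Set<String> = []
    private var observers: [NSObjectProtocol] = []

    init(validator: ReceiptValidating) {
        self.validator = validator
        refresh()
        // Validate again whenever the app returns to the foreground, so defeating
        // the single call at launch is not enough.
        observers.append(NotificationCenter.default.addObserver(
            forName: UIApplication.didBecomeActiveNotification,
            object: nil,
            queue: .main) { [weak self] _ in self?.refresh() })
    }

    deinit {
        observers.forEach { NotificationCenter.default.removeObserver($0) }
    }

    /// Re-validate the receipt. On failure the unlocked set silently becomes empty;
    /// no message is produced at the point of the check.
    func refresh() {
        unlocked = validator.validatedProductIdentifiers() ?? []
    }

    func isUnlocked(_ productIdentifier: String) -> Bool {
        unlocked.contains(productIdentifier)
    }
}

// Elsewhere in the app, away from the validation code, a feature consults the store
// and simply offers less content instead of reporting that validation failed.
func levelsAvailable(using store: EntitlementStore) -> Int {
    // "com.example.app.fullgame" is a placeholder product identifier.
    store.isUnlocked("com.example.app.fullgame") ? 20 : 3
}
```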

Where to Go From Here?

You can download the completed project using the Download Materials button at the top or bottom of the tutorial. Use the provided code as a start to implement receipt validation in your own app projects.

Apple's Receipt Validation Programming Guide offers the best documentation on receipts, along with a WWDC 2014 session on Preventing Unauthorized Purchases with Receipts. Both discuss the server validation method not addressed in this tutorial. A session from WWDC 2016, Using Store Kit for In-App Purchases with Swift 3, also discusses receipts especially related to subscriptions.

And for more about In-App Purchases, see In-App Purchase Tutorial: Getting Started.