Validating iOS in-app-purchases using my own server

Question

I want to validate iOS in-app-purchases using my own server. The iOS app will talk to my server which in turn will talk to Apple's server to determine if the IAP is valid. I'm fairly new to networking so I have a basic question: How can I make sure my iOS app is talking to my server securely?

I imagine the app will talk over https but I don't know how this works. Any advice on setting up https communication between the two (or alternate methods of secure communication) are greatly appreciated!

Answer 1

Sorry about the previous answer... I misread your question. You can have your server send a POST request to Apple's server, then parse the response.

https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html

Answer 2

Lawson has a point. You can't make your server perform the purchases directly at the AppStore. That has to be performed by your app.

It should request the available product identifiers from your server and then send an SKProductsRequest to the AppStore. If required it processes the purchase over the app store and tells your own server about it by sending a so called receipt. The server can validate the receipt directly at the AppStore. But that is the only thing the server can do it self at the AppStore.

You can read more about it here: Overview of In-App Purchase: Server Product Model

As for the connection between your app and your server, I don't think you have much of a (reasonable) choice but to use SSL. Almost anything more secure would require a PKI.