Reputation: 148
I have implemented the purchasing of SKProducts, and also its validation from the App Store, but I am not sure what this validation is done for. The Apple docs say:
The receipt for an application or in-app purchase is a record of the sale of the application and of any in-app purchases made from within the application. You can add receipt validation code to your application to prevent unauthorized copies of your application from running.
Does this mean the price of an in-app purchase cannot be claimed without validating the in-app purchase receipt? Or is it associated with the authenticity of the app?
Upvotes: 2
Views: 1403
Reputation: 11668
@Paulw11 correctly commented, "bad people who may hack your app or their device in order to fraudulently activate in-app purchases", but let me elaborate.
The simplest example of fraudulent purchases can be found on any jailbroken iOS device where a user has installed a Cydia app called iAP Cracker. This lets users bypass the iTunes app store to make in-app purchases, thus getting the purchase for free.
The assumption iAP Cracker makes is that your app is not validating the receipt, and so it provides a fake receipt in place of a real one.
There are two methods of validating a receipt: locally and remotely.
Locally validating the receipts can ensure the GUID, bundleId and an opaque value that Apple provides with the receipt match the signature that is also provided with the receipt.
Fraudulent purchases often employ repeat attacks, which either use a valid receipt from your app but from some other user at some other date (in this case the bundleId will match but the GUID will not), or a receipt from a completely different app. For instance, I often see receipts that have come from Angry Birds but have no relation to my app. In those cases the bundleId and the GUID are incorrect, so the signature will not match.
Receipts are also signed with Apple's private RSA key, meaning that if an attack with a generated receipt is made, the PKCS #7 container signature will be invalid.
As for validating receipts remotely, you can send the Base64-encoded receipt to Apple's servers for validation. You will most likely do this in a server-side environment. When Apple receives the receipt it will validate the PKCS #7 container and the bundleId; if the bundleId is not one of your own it will fail. It is important to note, though, that it has no capability of validating the GUID.
Remote validating does, however, have the added benefit of providing additional information, such as renewals and cancelations that were made for an auto-renewing subscription purchase, which is handy if you need to make an association of subscriptions to users in your own database.
For the best possible security, it is wise to establish receipt validation locally and remotely. Hackers will hack and they probably will find ways around local validation in the future, but the attack vector on remote validation will remain quite small.
Do not underestimate how often fraudulent purchases happen. I see fraud rates of up to 30% on iOS and up to 80% on Android. Source: I am an in-app purchase consultant.
Upvotes: 8
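An added example (not code from the answer above): a Python function for the server-side decision once Apple's verifyReceipt endpoint has returned its JSON. Because the remote check cannot validate the GUID, it also records which account each `transaction_id` was credited to, so a genuine receipt resubmitted by someone else is refused. The bundle id, product id, `redeemed` store and sample responses are constructed assumptions.

```python
# Constructed sample data and identifiers; none of this comes from the answer.
EXPECTED_BUNDLE_ID = "com.example.myapp"         # assumption: your bundle id
KNOWN_PRODUCTS = {"com.example.myapp.coins100"}  # assumption: products you sell

def _resp(bundle_id, txn):
    """Build a constructed verifyReceipt-style response with one purchase."""
    item = {"product_id": "com.example.myapp.coins100", "transaction_id": txn}
    return {"status": 0, "receipt": {"bundle_id": bundle_id, "in_app": [item]}}

GOOD = _resp("com.example.myapp", "1000000000000001")
OTHER_APP = _resp("com.example.otherapp", "1000000000000002")
REJECTED_BY_APPLE = {"status": 21002}  # Apple could not read the receipt data

def grant_purchases(response, user_id, redeemed):
    """Decide what to credit from one decoded verifyReceipt response.

    `redeemed` maps transaction_id -> user_id; it stands in for a database
    table with a unique key on transaction_id (hypothetical store).
    Returns (granted, rejected) lists of (transaction_id, detail) tuples.
    """
    # Status 0 means Apple accepted the receipt as genuine.
    if response.get("status") != 0:
        return [], [(None, "status %s" % response.get("status"))]
    receipt = response.get("receipt", {})
    # A genuine receipt lifted from a different app stops here.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return [], [(None, "bundle_id mismatch")]
    granted, rejected = [], []
    for item in receipt.get("in_app", []):
        txn, product = item.get("transaction_id"), item.get("product_id")
        if not txn or product not in KNOWN_PRODUCTS:
            rejected.append((txn, "unknown product"))
        elif txn in redeemed:
            # Genuine receipt replayed: credit each transaction only once.
            owner = "same user" if redeemed[txn] == user_id else "another user"
            rejected.append((txn, "already redeemed by " + owner))
        else:
            redeemed[txn] = user_id
            granted.append((txn, product))
    return granted, rejected
```

In production the `redeemed` lookup and insert should be a single atomic database operation so two concurrent submissions of the same receipt cannot both be credited.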