Receipt verification
RMStore doesn't perform receipt verification by default but provides reference implementations. You can implement your own custom verification or use the reference verificators provided by the library.
# Reference verificators
RMStore provides receipt verification via `RMStoreAppReceiptVerificator` (for iOS 7 or higher) and `RMStoreTransactionReceiptVerificator` (for iOS 6 or lower).
Neither is intended as a fail-proof solution and, if security is a real concern, you might want to avoid using an open source implementation for your receipt verification code. That said, the reference verificators should provide a good starting point for your own implementation.
## RMStoreAppReceiptVerificator
`RMStoreAppReceiptVerificator` is the reference implementation for local app receipt verification in iOS 7. It uses OpenSSL to extract the receipt in ASN.1 from the PKCS #7 container and then parses the ASN.1 data into an object.
OpenSSL is a well-known C cryptography library. Unfortunately there are no official builds for iOS.
RMStore includes binaries and headers for the latest OpenSSL version at the time of writing `RMStoreAppReceiptVerificator`. However, you might want to build OpenSSL yourself. See https://github.com/x2on/OpenSSL-for-iPhone for a build script.
After building OpenSSL you will need to add it as a static library:
- In Build Phases, add `libssl.a` and `libcrypto.a` to Link Binary With Libraries.
- In Build Settings, add the headers folder to the Header Search Paths.
Check out RMStoreDemo as a reference.
To use `RMStoreAppReceiptVerificator` add the following files to your project from RMStore/Optional:
- RMAppReceipt.h
- RMAppReceipt.m
- RMStoreAppReceiptVerificator.h
- [RMStoreAppReceiptVerificator.m](https://github.com/robotmedia/RMStore/blob/master/RMStore/Optional/RMStoreAppReceiptVerificator.m)
To verify the app receipt, `RMStoreAppReceiptVerificator` checks the bundle identifier and bundle version contained within it. Given that it is possible to modify the app bundle on jailbroken devices, you can provide hardcoded values for the comparison. For example:

```objc
_receiptVerificator.bundleIdentifier = @"net.robotmedia.test";
_receiptVerificator.bundleVersion = @"1.0";
```
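The comparison against hardcoded values, shown on the decoded receipt payload as an added example (not RMStore's code, which parses the receipt with OpenSSL). It assumes the payload has already been extracted from the PKCS #7 container and its signature verified, and that attribute types 2 and 3 carry the bundle identifier and app version as in Apple's receipt format; `der_next`, `receipt_attr_equals` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample payload (not a real receipt): a SET of two attributes,
   type 3 (app version) = "1.0" and type 2 (bundle identifier). */
static const unsigned char SAMPLE[] =
    "\x31\x2e"
    "\x30\x0d\x02\x01\x03\x02\x01\x01\x04\x05\x0c\x03" "1.0"
    "\x30\x1d\x02\x01\x02\x02\x01\x01\x04\x15\x0c\x13" "net.robotmedia.test";
#define SAMPLE_LEN (sizeof SAMPLE - 1)   /* drop the literal's trailing NUL */

/* Read one DER tag-length-value at *p, never reading past end. 0 = malformed. */
static int der_next(const unsigned char **p, const unsigned char *end,
                    unsigned char *tag, const unsigned char **val, size_t *len) {
    const unsigned char *c = *p;
    size_t n, k;
    if (end - c < 2) return 0;
    *tag = *c++;
    n = *c++;
    if (n & 0x80) {                       /* long form: low 7 bits = number of length bytes */
        k = n & 0x7f;
        if (k == 0 || k > sizeof n || (size_t)(end - c) < k) return 0;
        for (n = 0; k > 0; k--) n = (n << 8) | *c++;
    }
    if ((size_t)(end - c) < n) return 0;
    *val = c; *len = n; *p = c + n;
    return 1;
}

/* 1 if attribute `type` exists and its UTF8String equals `expected`;
   0 on mismatch, missing attribute or malformed input (fail closed). */
int receipt_attr_equals(const unsigned char *buf, size_t n, unsigned long type, const char *expected) {
    const unsigned char *p = buf, *end = buf + n, *q, *qe, *f;
    unsigned char tag; size_t len, i; unsigned long t;
    if (!der_next(&p, end, &tag, &f, &len) || tag != 0x31) return 0;       /* SET */
    for (p = f, end = f + len; p < end; ) {
        if (!der_next(&p, end, &tag, &q, &len) || tag != 0x30) return 0;   /* SEQUENCE */
        qe = q + len;
        if (!der_next(&q, qe, &tag, &f, &len) || tag != 0x02 || len < 1 || len > 4) return 0;
        for (t = 0, i = 0; i < len; i++) t = (t << 8) | f[i];              /* attribute type */
        if (!der_next(&q, qe, &tag, &f, &len) || tag != 0x02) return 0;    /* version, unused */
        if (!der_next(&q, qe, &tag, &f, &len) || tag != 0x04) return 0;    /* OCTET STRING */
        if (t != type) continue;
        qe = f + len;                              /* the value wraps a UTF8String */
        if (!der_next(&f, qe, &tag, &q, &len) || tag != 0x0c) return 0;
        return len == strlen(expected) && memcmp(q, expected, len) == 0;
    }
    return 0;
}
```

Passing string constants compiled into the binary as `expected`, rather than values read from the bundle's Info.plist at run time, is what the hardcoded properties above achieve.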
## RMStoreTransactionReceiptVerificator
`RMStoreTransactionReceiptVerificator` is the reference implementation for transaction receipt verification in iOS 6 or lower. It gets a receipt from `[SKPaymentTransaction transactionReceipt]` and then validates it against Apple's server. This method has been deprecated in iOS 7, and as such the verificator itself is deprecated.
To use `RMStoreTransactionReceiptVerificator` add the following files to your project from RMStore/Optional:
- RMStoreTransactionReceiptVerificator.h
- [RMStoreTransactionReceiptVerificator.m](https://github.com/robotmedia/RMStore/blob/master/RMStore/Optional/RMStoreTransactionReceiptVerificator.m)
# Custom verification
RMStore delegates receipt verification, enabling you to provide your own implementation using the `RMStoreReceiptVerificator` protocol:

```objc
- (void)verifyTransaction:(SKPaymentTransaction*)transaction
                  success:(void (^)())successBlock
                  failure:(void (^)(NSError *error))failureBlock;
```

Call `successBlock` if the receipt passes verification, and `failureBlock` in any other case.
Whether you use a custom or a reference verificator, you will need to set it at startup. For example:

```objc
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
    // Pick the reference verificator that matches the running iOS version.
    const BOOL iOS7OrHigher = floor(NSFoundationVersionNumber) > NSFoundationVersionNumber_iOS_6_1;
    _receiptVerificator = iOS7OrHigher ? [[RMStoreAppReceiptVerificator alloc] init] : [[RMStoreTransactionReceiptVerificator alloc] init];
    [RMStore defaultStore].receiptVerificator = _receiptVerificator;
    // Your code
    return YES;
}
```
Bear in mind that `receiptVerificator` is a weak property. In the above example the app delegate is responsible for retaining the verificator.
There is a known vulnerability in iOS 5.1 or lower related to app-side receipt verification. RMStore does not address this vulnerability. If you are using `RMStoreTransactionReceiptVerificator` in iOS 5.x, please read this technical note.