First I must add a disclaimer: I am no crypto expert. In fact the whole subject baffles me!
So I took a shortcut and converted the only Objective-C example code out there that I could find (see: http://www.objc.io/issue-17/receipt-validation.html) to Swift. So no revolutionary new software, just an adaptation of existing stuff. By the way: I am a user of the Receigen app (an app that creates obfuscated receipt validation for your app), which was written by the writer of the referenced article. Very useful to avoid writing your own receipt validation.
This series of articles will investigate how to implement receipt validation in a non-obfuscated way. When we do that, a series of problems will arise. Each of these problems is presented in its own post:
- How to add openSSL to your project
- How to add the Apple Root Certificate to your project
- How to access the members of a C-union in Swift
- How to read the device GUID
- Show example code on how to do the receipt validation and verification
- How to test receipt validation and verification
- How to use Receigen with Swift
- A few thoughts about receipt verification obfuscation
Item 7 might surprise you. Why on earth would I go through the effort of creating a Swift solution, and then use Receigen instead? The reason is simple... obfuscation.
You should NOT USE the example code. Using that code is an extremely insecure way to protect your handiwork (app). Any hacker worth their salt will break it in a few minutes. That is because I put no effort at all into obfuscation. I only wanted to understand how to implement receipt validation & verification. And for that the code is fine. It is just not obfuscated.
If you want to use my code and add your own obfuscation to it, please be my guest. But for the price of Receigen I cannot possibly add something as effective as Receigen. If you do the obfuscation yourself, please keep in mind that the final call to start your app should be obfuscated as well!
Enjoy the series.
Part 2: Adding openSSL to your project