2015-05-15

OSX Receipt validation in Swift, part 1: Introduction

There are precious few examples showing how to implement receipt validation for an OS X project in Swift. In this series of blog posts I will do exactly that: show by example how receipt validation and verification can be done in Swift for an OS X application.

First I must add a disclaimer: I am no crypto expert. In fact the whole subject baffles me!

So I took a shortcut and converted the only Objective-C example code out there that I could find (see: http://www.objc.io/issue-17/receipt-validation.html) to Swift. So no revolutionary new SW, just an adaptation of existing stuff. Btw: I am a user of the Receigen app (an app that creates obfuscated receipt validation for your app) which was written by the writer of the referenced article. Very useful to avoid writing your own receipt validation.

This series of articles will investigate how to implement receipt validation in a non-obfuscated way. When we do that, a series of problems will arise. Each of these problems is presented in its own post:
  1. How to add OpenSSL to your project
  2. How to add the Apple Root Certificate to your project
  3. How to access the members of a C-union in Swift
  4. How to read the device GUID
  5. Show example code on how to do the receipt validation and verification
  6. How to test receipt validation and verification
  7. How to use Receigen with Swift
  8. A few thoughts about receipt verification obfuscation

Item 7 might surprise you. Why on earth would I go through the effort of creating a Swift solution, and then use Receigen instead? The reason is simple... obfuscation.

You should NOT USE the example code. Using that code is an extremely insecure way to protect your handiwork (your app). Any hacker worth their money will break it in less than a few minutes. That is because I put no effort at all into obfuscation. I only wanted to understand how to implement receipt validation & verification. And for that the code is fine. It is just not obfuscated.

If you want to use my code and add your own obfuscation to it, please be my guest. But for the price of Receigen I cannot possibly add something as effective as Receigen. If you do the obfuscation yourself, please keep in mind that the final call to start your app should be obfuscated as well!

Enjoy the series
