Local receipt validation with CryptoKit instead of OpenSSL?

I am new to local receipt validation and learned that the common way is using OpenSSL, which is also what Apple suggests. But is there also a path to use the new CryptoKit or CommonCrypto to do local receipt validation? Does someone have experience with this?
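As an added illustration of the question (this is example code written for this thread, not code from Apple or from any poster), here is the one step of Apple's documented local receipt validation that CryptoKit can cover directly: recomputing the receipt's SHA-1 integrity hash over the device GUID, the opaque value (attribute type 4) and the bundle identifier bytes (attribute type 2), and comparing it with the stored hash (attribute type 5). It assumes the attribute values have already been pulled out of the receipt's PKCS#7/ASN.1 payload by other code; CryptoKit has no PKCS#7 or ASN.1 parsing and no certificate-chain verification, so the signature check that OpenSSL is normally used for is not shown here. The type and function names are my own.

```swift
import Foundation
import CryptoKit

// Example (not from the thread): the hash-integrity step of local receipt
// validation, using CryptoKit's Insecure.SHA1 in place of OpenSSL's SHA1().
// Assumption: these three attributes were already extracted from the
// receipt's ASN.1 payload by separate parsing code (types 2, 4 and 5).
struct ExtractedReceiptFields {
    let bundleIdentifierBytes: Data   // raw UTF8STRING bytes of attribute type 2
    let opaqueValue: Data             // attribute type 4
    let sha1Hash: Data                // attribute type 5, 20 bytes
}

enum ReceiptHashCheck {
    /// Recomputes SHA-1(deviceGUID || opaqueValue || bundleIdentifierBytes)
    /// and compares it with the hash stored in the receipt.
    /// Returns true only when the receipt was issued for this device and bundle.
    static func matches(_ fields: ExtractedReceiptFields, deviceGUID: Data) -> Bool {
        var hasher = Insecure.SHA1()
        hasher.update(data: deviceGUID)
        hasher.update(data: fields.opaqueValue)
        hasher.update(data: fields.bundleIdentifierBytes)
        let computed = Data(hasher.finalize())

        guard computed.count == fields.sha1Hash.count else { return false }
        // Constant-time comparison: do not stop at the first differing byte.
        var diff: UInt8 = 0
        for (lhs, rhs) in zip(computed, fields.sha1Hash) { diff |= lhs ^ rhs }
        return diff == 0
    }
}

#if canImport(UIKit)
import UIKit
/// On iOS the GUID fed into the hash is the vendor identifier's raw 16 bytes.
func currentDeviceGUID() -> Data? {
    guard let uuid = UIDevice.current.identifierForVendor?.uuid else { return nil }
    return withUnsafeBytes(of: uuid) { Data($0) }
}
#endif

// Usage sketch (the fields would come from your own receipt parser):
// let fields = ExtractedReceiptFields(bundleIdentifierBytes: ..., opaqueValue: ..., sha1Hash: ...)
// if let guid = currentDeviceGUID(), ReceiptHashCheck.matches(fields, deviceGUID: guid) { ... }
```

Note that this only binds the receipt to the device and bundle; it says nothing about whether Apple actually signed the receipt. That signature and certificate-chain check still needs a PKCS#7-capable library, and the comparison logic should live in your own code rather than being delegated to a framework call whose result could be replaced.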

Replies

That is not recommended. Since these are system libraries, they are linked to your app dynamically. They would be easy to swap out with stubs that would make your app think that a receipt is valid. If you link statically with OpenSSL, this is much more difficult to do, although still possible.

Since these are system libraries, they are linked to your app dynamically. They would be easy to swap out with stubs that would make your app think that a receipt is valid.

@johndaniel I was under the impression that, because CryptoKit is a system library, it actually avoids that issue? Despite being dynamically linked, wouldn't the fact that it is integral to the OS mean that for an attacker to swap it out, the OS itself would need to be compromised? Or am I over-extrapolating? I'm trying to wrap my head around all this, so forgive my ignorance.