App Store Connect Shared Secret

Question

Created Aug ’20

Replies 2

Boosts 0

Views 5k

Participants 2

Hi,

We are an organisation with 40 developers working on iOS apps. Our apps contain In-App Purchases. We are using server-side validation to validate purchase receipts. This requires using a shared secret (https://developer.apple.com/documentation/appstorereceipts/requestbody).

We have a test environment which all of our developers have full access to. We would like to validate receipts in the test environment and therefore it would contain the app's shared secret. We are wondering if it would be acceptable to give all 40 of our developers read-access to this shared secret. As far as I can tell, this secret is only used for:

Validating receipts using the verifyReceipt API
Verifying webhook notifications

If this is the case, I personally can see no problem with all of our developers having read-access to the shared secret.

It would be great to get an opinion from someone with more insight, or even better an official response from Apple.

Thanks,
Alex

Boost

Answer 1

PBK OP

Aug ’20

It would be great to get an opinion from .... an official response from Apple.

not possible one this forum.

A secret is only needed for autorenewable subscriptions. The secret is only good for validating the receipt so there is little problem with sharing it with your trusted employees. But the secret could be used to hack the receipt validation process so there is a little concern if one of your employees is driven to hack your system.

1

Answer 2

AlexCheema OP

Aug ’20

Thanks a lot for the response PBK.

Regarding your first point, do you know if there is any way to get an official response from Apple on matters such as this one? We would like to be completely sure on our decision here, given the sensitive nature / potential for abuse of in app purchases.

But the secret could be used to hack the receipt validation process

How would such a hack work? If the secret is only good for validating the receipt, then I assume the most the attacker could do is validate receipts on our behalf? Perhaps the attacker could send a large number of requests to Apple's API using our secret, leading Apple to rate-limit or cut-off our API access?

Many thanks,
Alex

0