Subscription server-to-server notifications. How can I verify that a notification comes from Apple, and not from a third-party malefactor?

How can I verify that a server-to-server notification comes from Apple, and not from a third-party malefactor?

Maybe we could get some IP ranges from which Apple sends notifications?

Or maybe we should make a request to the App Store to get info by the receipt from the notification, and compare it with the JSON?

Or maybe it is possible to exchange keys, or use existing keys to verify the source of the request?

Are there any best practices?


Thank you.

Anna

You raise a good question. However, rather than base support for the auto-renewing subscription on the server-to-server notification, have the app send the base64 encoded appStoreReceipt to your server and validate the receipt yourself. The appStoreReceipt is signed by Apple. If the iTunes Store verifyReceipt server validates the receipt, the receipt was provided by Apple.


More importantly, normal auto-renewing subscription renewals can best be detected using receipt validation and reviewing the latest_receipt_info section. Also, if the user decides to let the auto-renewing subscription expire at the end of the current subscription period, the only way to detect this is via receipt validation.


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI
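The approach in the answer above, worked through as an added example (this is not code from the thread or from Apple): the server takes only the base64 receipt out of the incoming notification, sends it to Apple's verifyReceipt endpoint itself, and decides the subscription state from Apple's reply rather than from anything the notification claims. It assumes the notification body carries the receipt in a `latest_receipt` field and echoes the app's shared secret in a `password` field, as the legacy notification format does; the secret, the receipt string and the `fake_apple` stand-in for Apple's server are all constructed so the example runs offline. Status 21007 (sandbox receipt sent to production) is handled by retrying against the sandbox endpoint, and cancelled transactions are skipped when computing the expiry.

```python
import hmac
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"


def post_json(url, payload):
    """POST a JSON body to a verifyReceipt endpoint and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_receipt(receipt_b64, shared_secret, post=post_json):
    """Ask Apple to validate the receipt. Production is tried first; status 21007
    means the receipt is a sandbox receipt, so it is re-sent to the sandbox URL."""
    payload = {
        "receipt-data": receipt_b64,
        "password": shared_secret,
        "exclude-old-transactions": True,
    }
    result = post(PRODUCTION_URL, payload)
    if result.get("status") == 21007:
        result = post(SANDBOX_URL, payload)
    return result


def subscription_state(verify_result, now_ms):
    """Derive the subscription state from Apple's reply (latest_receipt_info),
    never from the notification. Any non-zero status means 'do not trust'."""
    status = verify_result.get("status")
    if status != 0:
        return {"valid": False, "status": status, "active": False}
    latest_expiry_ms = 0
    product_id = None
    for tx in verify_result.get("latest_receipt_info", []):
        if tx.get("cancellation_date_ms"):
            continue  # refunded or cancelled by Apple support: grants nothing
        expiry = int(tx["expires_date_ms"])
        if expiry > latest_expiry_ms:
            latest_expiry_ms = expiry
            product_id = tx.get("product_id")
    return {
        "valid": True,
        "status": 0,
        "active": latest_expiry_ms > now_ms,
        "expires_ms": latest_expiry_ms,
        "product_id": product_id,
    }


def handle_notification(notification, shared_secret, now_ms, post=post_json):
    """Treat the notification as an untrusted hint: check the echoed shared secret
    in constant time, then let Apple's own server confirm the receipt."""
    echoed = str(notification.get("password", "")).encode("utf-8")
    if not hmac.compare_digest(echoed, shared_secret.encode("utf-8")):
        return {"valid": False, "status": "bad_password", "active": False}
    receipt = notification.get("latest_receipt")
    if not receipt:
        return {"valid": False, "status": "no_receipt", "active": False}
    return subscription_state(verify_receipt(receipt, shared_secret, post), now_ms)


# --- constructed sample data so the example runs without network access ---
SHARED_SECRET = "example-shared-secret"  # constructed placeholder

SAMPLE_NOTIFICATION = {  # constructed; shape of the legacy notification body
    "notification_type": "DID_RENEW",  # a claim, deliberately not trusted
    "password": SHARED_SECRET,
    "latest_receipt": "BASE64-RECEIPT-PLACEHOLDER",
}


def fake_apple(url, payload):
    """Constructed stand-in for Apple's verifyReceipt server: production rejects
    the receipt as sandbox (21007); sandbox returns two renewals of one plan."""
    if url == PRODUCTION_URL:
        return {"status": 21007}
    return {
        "status": 0,
        "environment": "Sandbox",
        "latest_receipt_info": [
            {"product_id": "com.example.monthly", "original_transaction_id": "1000000000000001",
             "expires_date_ms": "1700000000000"},
            {"product_id": "com.example.monthly", "original_transaction_id": "1000000000000001",
             "expires_date_ms": "1702592000000"},
        ],
    }


def demo(now_ms=1701000000000):
    return handle_notification(SAMPLE_NOTIFICATION, SHARED_SECRET, now_ms, post=fake_apple)


if __name__ == "__main__":
    print(demo())
```

In production `post` is left at its default so the request really goes to Apple; the injected `post` exists only so the flow can be exercised against canned replies. The shared-secret comparison rejects payloads from anyone who does not know the secret, but the receipt check is the authoritative step: a payload that arrives with a correct secret and a forged or stale receipt still yields nothing unless Apple's server reports status 0 with an unexpired entry.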

@rich How can we verify that Apple is sending a particular JSON payload, and not a third party?
