It is confusing that the receipt's ASN.1 "App Version" field contains CFBundleVersion, aka "build version". Apple's receipt validation guide states that this value should be verified. This raises two questions:
First, why verify App Version? If user purchased IAP from a different app version, in most cases won't we expect that IAP to still be valid?
Second, isn't "build version", which is not guaranteed to be unique across app versions, the wrong value to be verifying?