Authentication before purchase

In what circumstances does iOS require a user to authenticate with their Apple ID prior to making an in-app purchase?


For context, this is my scenario:


My app will offer consumable in-app purchases to a currently logged in user. The quantity of the purchase will be associated with their username and stored on a server I will be running. The username may be associated with multiple devices, and multiple usernames may be associated with the same device.


From searching the forums, I have been led to believe that there is no way to find the Apple ID for the App Store that is currently signed in on a device; otherwise I would just require each unique user to use their own Apple ID. The crux of the question is: will I be safe in assuming that any user who makes an in-app purchase on a particular device had the authority to use the Apple ID with which the purchase was made?


Thanks for your time.

Replies

>will I be safe in assuming that any user who makes an in-app purchase on a particular device had the authority to use the Apple ID with which the purchase was made?


Yes.

Well, that's encouraging, but could you (or someone) justify that statement?

By default, anyone signed in on a given device is assumed to have authority to use those credentials. As long as the credentials are valid, the login will succeed.


Once logged in, however, that Apple ID is used for purchases according to user configuration (and/or parental controls) in Settings:


See https://support.apple.com/en-us/HT204030

You have two password options to choose from with paid and in-app purchases:

  • Always Require: When you make a purchase, you'll always be asked to enter your password, even if you're signed in with your Apple ID.
  • Require After 15 Minutes: When you make a purchase, you'll be asked to enter your password only every 15 minutes.


Otherwise, there is no challenge scheme to blind test authority vs. credentials used, thus the assumption that by default, if the person inputting those credentials succeeds, they possess the authority to use them.


I doubt you care about those user-facing details, tho, so... if you're actually asking how to thwart pirates, server-side, that's another topic...feel free to search here on past threads. Otherwise, you are safe in your assumption.

>will I be safe in assuming that any user who makes an in-app purchase on a particular device had the authority to use the Apple ID with which the purchase was made?


What exactly is your concern here? Is it getting your 70% associated with an IAP? If so, Apple has that covered as best as is possible with any credit card transaction. They have on file the security code associated with the card (the 3 digit or 4 digit number). They do not accept a credit card into their system until the credit card issuer authorizes the use of that card by the person presenting themselves as the Apple ID user. But credit card scams could be creative and get past Apple - in which case Apple will grab back your 70%.


But if your question is whether Apple requires that you have authority to "use the Apple ID" to make an IAP then the answer is simply "yes" because "use the Apple ID" means little more than "make an IAP". Therefore, if you can make an IAP then you are, in fact, using the Apple ID. Apple only allows you to use the Apple ID if they believe you are authorized to use the Apple ID.


Now, if you are trying to secure something beyond 70% of the IAP price (for example HIPAA or otherwise classified information) then whether or not you are authorized to use an Apple ID is not sufficient. So in this case your question would need to be rephrased.

This app is a game that kids might play with their friends. The scenario I am trying to avoid is where one kid, who is signed into the device with an Apple ID they do have permission to pay with, logs out of their game account (but not their Apple ID) and passes the game off to a friend who logs in with their own game account, but then makes an in-app purchase with the Apple ID of the first kid.


In the case a password is required for the Apple ID every time, this is no problem; if they have set it to only require every 15 minutes, it might be. I guess I can mitigate this by tracking the time since the last in-app purchase, and if a game user logs out less than 15 minutes since that time, warn them to be sure their Apple ID isn't misused.


Thanks for your replies, you all.

You would be warning the wrong person.

Perhaps you are really concerned about a different issue that has not been asked or answered above. You may be assigning the credit for a consumable IAP to an account on your server rather than to the device and worried that the credit will be going to the wrong account on your server. The usual approach is to ask the purchaser, when they make the purchase, to which account they want to upload the IAP credits. Then it is the current user who is actively and knowingly stealing from the previous user and that becomes a direct matter between those two individuals. Your concern is admirable but ultimately outside your ability to control.

While this won't address your immediate problem, you might also want to implement using applicationUsername to prevent this problem from becoming widespread.


https://developer.apple.com/documentation/storekit/skpayment/1506116-applicationusername?language=objc
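
A sketch of how `applicationUsername` can tie a consumable purchase to the game account that started it, so the credit is not assigned to whichever account is logged in when the transaction arrives. This is an added example, not code from the thread or from Apple; `PurchaseCoordinator`, `opaqueAccountID`, `currentGameUsername` and `creditServer` are hypothetical names. As the reply above says, it does not stop a second player from spending through a shared Apple ID.

```swift
import StoreKit
import CryptoKit

// Hypothetical helper: a one-way hash of the game account name, so the real
// username is never placed in the payment request.
func opaqueAccountID(for username: String) -> String {
    SHA256.hash(data: Data(username.utf8))
        .map { String(format: "%02x", $0) }
        .joined()
}

final class PurchaseCoordinator: NSObject, SKPaymentTransactionObserver {
    // Hypothetical: the game account signed in to the app (not the Apple ID).
    var currentGameUsername: String?
    // Hypothetical: uploads the receipt and credits `accountID` on your server,
    // then reports whether the server accepted it.
    var creditServer: (_ accountID: String, _ tx: SKPaymentTransaction,
                       _ done: @escaping (Bool) -> Void) -> Void = { _, _, done in done(false) }

    func buy(_ product: SKProduct) {
        // Refuse to start a purchase when no game account is logged in.
        guard let user = currentGameUsername else { return }
        let payment = SKMutablePayment(product: product)
        payment.applicationUsername = opaqueAccountID(for: user)
        SKPaymentQueue.default().add(payment)
    }

    func paymentQueue(_ queue: SKPaymentQueue,
                      updatedTransactions transactions: [SKPaymentTransaction]) {
        for tx in transactions {
            switch tx.transactionState {
            case .purchased:
                // Credit the account that started the purchase. The value can come
                // back nil; then leave the transaction unfinished and ask the
                // purchaser which account should receive the credit.
                guard let accountID = tx.payment.applicationUsername else { continue }
                creditServer(accountID, tx) { credited in
                    // Finish only after the server has recorded the credit.
                    if credited { queue.finishTransaction(tx) }
                }
            case .failed:
                queue.finishTransaction(tx)
            default:
                break
            }
        }
    }
}
```

The observer must be registered with `SKPaymentQueue.default().add(_:)` at app launch so that unfinished transactions are redelivered.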