My first post.
Im listening for statusUpdateNotifications and receiving them, but whats to stop anyone from posting to that URL?
I know the receipt data could be re-verified, but if there a way to verify that its coming from apple?
I get that some think the password should not be sent, but could a hash of it be there.
I notice a unique_identifier field, could that be it?
Documentation says password should be there, but its not.
regardless, how to you verify that this payload is from apple?
Thx!
1) the notification contains a receipt. You can send the receipt to the Apple servers to get the latest information. You can check that receipt for the correct value of web_order_line_item_id. But actually, the only way to be really secure is to have the app decode the receipt and verify that it is signed with the correct value of identifierForVendor. All other techniques can be hacked (IMHO) since they have no device-specific identifiers.
2) I am not familiar with ATS but I think the better answer to your question lies in examining the signing certificate in the transmition based on this:
Security Requirements
Before sending a notification, the App Store tries to establish a secure network connection with your server by using App Transport Security (ATS) protocols. To learn more about ATS requirements, see “Requirements for Connecting Using ATS”. If a secure connection cannot be established, notifications will not be sent to your server. For more about security, see https://developer.apple.com/security/.
