      Latest reply on Jul 14, 2019 6:57 AM by PBK
      rsood@snowbladesoftware Level 1 (0 points)

        In what circumstances does iOS require a user to authenticate with their Apple ID prior to making an in-app purchase?

         

        For context, this is my scenario:

         

        My app will offer consumable in-app purchases to a currently logged in user.  The quantity of the purchase will be associated with their username and stored on a server I will be running.  The username may be associated with multiple devices, and multiple usernames may be associated with the same device.

         

        From searching the forums, I have been led to believe that there is no way to find the Apple ID for the App Store that is currently signed in on a device; otherwise I would just require each unique user to use their own Apple ID.  The crux of the question is:  will I be safe in assuming that any user who makes an in-app purchase on a particular device had the authority to use the Apple ID with which the purchase was made?

         

        Thanks for your time.

        • Re: Authentication before purchase
          PBK Level 7 (3,155 points)

          >will I be safe in assuming that any user who makes an in-app purchase on a particular device had the authority to use the Apple ID with which the purchase was made?

           

          Yes.

            • Re: Authentication before purchase
              rsood@snowbladesoftware Level 1 (0 points)

              Well, that's encouraging, but could you (or someone) justify that statement?

              • Re: Authentication before purchase
                PBK Level 7 (3,155 points)

                >will I be safe in assuming that any user who makes an in-app purchase on a particular device had the authority to use the Apple ID with which the purchase was made?

                 

                What exactly is your concern here?  Is it getting your 70% associated with an IAP?  If so, Apple has that covered as best as is possible with any credit card transaction.  They have on file the security code associated with the card (the 3 digit or 4 digit number).   They do not accept a credit card into their system until the credit card issuer authorizes the use of that card by the person presenting themselves as the Apple ID user.  But credit card scams could be creative and get past Apple - in which case Apple will grab back your 70%.

                 

                But if your question is whether Apple requires that you have authority to "use the Apple ID" to make an IAP then the answer is simply "yes" because "use the Apple ID" means little more than "make an IAP".  Therefore, if you can make an IAP then you are, in fact, using the Apple ID.  Apple only allows you to use the Apple ID if they believe you are authorized to use the Apple ID.

                 

                Now, if you are trying to secure something beyond 70% of the IAP price (for example HIPAA or otherwise classified information) then whether or not you are authorized to use an Apple ID is not sufficient. So in this case your question would need to be rephrased.

              • Re: Authentication before purchase
                KMT Level 9 (14,355 points)

                By default, anyone signed in on a given device is assumed to have authority to use those credentials. As long as the credentials are valid, the login will succeed.

                 

                Once logged in, however, that Apple ID is used for purchases according to user configuration (and/or parental controls) in Settings:

                 

                See https://support.apple.com/en-us/HT204030

                You have two password options to choose from with paid and in-app purchases:

                • Always Require: When you make a purchase, you'll always be asked to enter your password, even if you're signed in with your Apple ID.
                • Require After 15 Minutes: When you make a purchase, you'll be asked to enter your password only every 15 minutes.

                 

                Otherwise, there is no challenge scheme to blind test authority vs. credentials used, thus the assumption that by default, if the person inputting those credentials succeeds, they possess the authority to use them.

                 

                I doubt you care about those user-facing details, tho, so... if you're actually asking how to thwart pirates, server-side, that's another topic...feel free to search here on past threads. Otherwise, you are safe in your assumption.

                • Re: Authentication before purchase
                  rsood@snowbladesoftware Level 1 (0 points)

                  This app is a game that kids might play with their friends.  The scenario I am trying to avoid is where one kid, who is signed into the device with an Apple ID they do have permission to pay with, logs out of their game account (but not their Apple ID) and passes the game off to a friend who logs in with their own game account, but then makes an in-app purchase with the Apple ID of the first kid.

                   

                  In the case a password is required for the Apple ID every time, this is no problem; if they have set it to only require every 15 minutes, it might be.  I guess I can mitigate this by tracking the time since the last in-app purchase, and if a game user logs out less than 15 minutes since that time, warn them to be sure their Apple ID isn't misused.

                   

                  Thanks for your replies, you all.
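
The check proposed in the last post, extended to also flag the hand-off case on the server. This is an added example, not code from any poster in the thread; the event fields, the app-generated device identifier, the restart of the clock on each purchase and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

GRACE = timedelta(minutes=15)  # "Require After 15 Minutes" setting quoted in the thread

@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str   # app-generated install ID (assumption)
    account: str  # game username; the app cannot see the Apple ID
    kind: str     # "purchase" or "logout"

def review(events):
    """Return (logout_warnings, cross_account_purchases)."""
    # device -> (time of last purchase, account presumed to own the Apple ID session).
    # The app cannot observe password entry, so the last purchase time stands in for it.
    anchor, warn, flagged = {}, [], []
    for ev in sorted(events, key=lambda e: e.ts):
        last = anchor.get(ev.device)
        in_window = last is not None and ev.ts - last[0] < GRACE
        if ev.kind == "logout":
            # Mitigation from the post: warn the purchaser who logs out inside the window.
            if in_window and last[1] == ev.account:
                warn.append(ev)
        elif ev.kind == "purchase":
            if in_window and last[1] != ev.account:
                flagged.append(ev)  # a different game account bought inside the window
                anchor[ev.device] = (ev.ts, last[1])  # assumption: clock restarts, owner kept
            else:
                anchor[ev.device] = (ev.ts, ev.account)
    return warn, flagged

# Constructed sample events (not real data).
T0 = datetime(2019, 7, 14, 6, 0)
def _e(minutes, device, account, kind):
    return Event(T0 + timedelta(minutes=minutes), device, account, kind)

SAMPLE = [
    _e(0, "dev1", "alice", "purchase"),
    _e(5, "dev1", "alice", "logout"),     # warned: 5 min after own purchase
    _e(9, "dev1", "bob", "purchase"),     # flagged: alice's window may still be open
    _e(40, "dev1", "bob", "purchase"),    # 31 min later: treated as bob's own
    _e(60, "dev1", "bob", "logout"),      # 20 min after purchase: no warning
    _e(1, "dev2", "carol", "purchase"),
    _e(30, "dev2", "carol", "logout"),    # 29 min: no warning
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

A flagged purchase is a candidate for review or a confirmation prompt, not proof of misuse, since the device may be set to "Always Require".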