Sandbox Verify Receipt Not Using the Shared Secret

Question

I am attempting to validate a receipt in the sandbox environment (https://sandbox.itunes.apple.com/verifyReceipt). The response looks successful and it is showing me the LatestReceiptInfo and any InApp transactions.

The part that is confusing me is that I am able to do it with an invalid secret as well. I am even able to verify with a receipt that was generated from a very different app. It appears as if validation is ignoring the shared secret entirely.

I would expect a status code of 21003 for the valid receipt that wasn't created by my app. I would also expect a 21004 for the invalid secret. In both cases I get a status code of 0 and the receipt is available.

There is something that I am not understanding about how verification works. Is this expected behavior for the sandbox?

Below is the response body that i am sending to verify.

{ "receipt-data": "MyReceiptData", "password": "FakePassword", "exclude-old-transactions": true }

App Store

4.3k

Posted by

rkunboxed

Reply

Add a Comment

Answer 1

shared secret is only relevant if you are verifying a receipt that contains an autorenewable subscription.

and a valid receipt is a valid receipt whether it is from your app or not.

Posted by

PBK

Add a Comment

Answer 2

Our subscription is auto renewing, but I realized I was testing an example receipt that was not. I do get a 21004 when I do the broken PW on the auto-subscription.
On the validity of a receipt regardless of whether it came from my app. Is there a way to tell whether it came from my app? I worry that someone could determine the name of my product and then spoof a receipt with the same name. This could then grant them access to my app just by knowing the product name.
I could be missing something very simple.

Posted by

rkunboxed

Add a Comment

Answer 3

You need to inspect the returned parameters from the validation service. Double-check those parameters to ensure they came from the app they are supposed to come from (along with other criteria). You may need to add additional parameters to your own server so that you have something to compare against.

Posted by

john daniel

Add a Comment

Answer 4

> On the validity of a receipt regardless of whether it came from my app. Is there a way to tell whether it came from my app? I worry that someone could determine the name of my product and then spoof a receipt with the same name. This could then grant them access to my app (sic - you mean IAP) just by knowing the product name.

The only secure approach is to decode on the app itself using OpenSSL. That on board receipt will be signed with the user's identifierForVendor which will prove the receipt is for that device. This is secure.

Alternatively you can send the receipt in a signed package to your server and respond back to the device using a similarly signed package in order to avoid a man-in-the-middle attack. And then you can inspect the receipt for the correct productIdentifier. But you must also check to be sure the receipt is unique and not copied. You used to be able to check the transactionIdentifier . But the problem is that transactionIdentifiers are no longer are unique - they are duplicated in a restoreCompletedTransaction and in a repurchase-for-free. So you need to do something else. The purchase date fields will work for this purpose.

Posted by

PBK

Add a Comment

Answer 5

Okay, thank you.

Posted by

rkunboxed

Add a Comment

Answer 6

Does anyone ever provide any workable solid blocks of code here?? Cuz all this talking is literally not going to be useful to anyone. You either do it like in StackOverflow or just don't do it at all.

Posted by

ekashkin

Add a Comment

Sandbox Verify Receipt Not Using the Shared Secret

Replies