Sudden issues with IAP receipt validation

Is anyone else having problems with the IAP validation?


My app was working fine for the past year until this morning. All of a sudden, people are still able to purchase an in-app but the receipt validation seems to fail, so they are not getting their content.


Anyone else experiencing something similar?

Replies

Are you having problems with onboard decoding or with Apple server decoding? Are you having problems with the receipt stored with the app as a file or the one delivered as transaction.transactionReceipt?

This method seems to be the problem:


if (policy) CFRelease(policy);


Everything else seems to agree that the receipt is valid but this statement ...

Can you please provide a bit more detail as to what the release of an object has to do with the receipt validation process? Does your app self validate the applicationReceipt rather than using the iTunes Receipt Validation Server?


In addition, PBK's questions still remain unanswered.


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI

I am validating the receipts using the iOS6 and earlier method.


Could this be the reason? It was working fine until around 12 hours ago.


I am using the iTunes Receipt Validation Server and the verified information comes from transaction.transactionReceipt.

What is the status of the receipt validation process? Just to be clear, the app has been called via the updatedTransactions delegate method. It then takes the transaction.transactionReceipt data, base64 encodes the receipt data, forwards the data to your trusted server, which then forwards the receipt data to the Apple Receipt Validation server. Your trusted server receives the response - so what is the status?? Or is the process slightly different??


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI

The process is slightly different because it goes straight to Apple's verification server and does not go to my own server.


The status that I am getting is that all checks show a valid receipt except for when this verification happens within the checkReceiptSecurity: if (policy) CFRelease(policy);


The validation process starts at:

- (void)completeTransaction:(SKPaymentTransaction *)transaction {
    [self validateReceiptForTransaction:transaction];
    [[SKPaymentQueue defaultQueue] finishTransaction:transaction];
}

- (void)restoreTransaction:(SKPaymentTransaction *)transaction {
    [self validateReceiptForTransaction:transaction];
    [[SKPaymentQueue defaultQueue] finishTransaction:transaction];
}

You would need to show the method "validateReceiptForTransaction:(SKTransaction *)transaction" in order for anyone to offer any help.

And, in addition, there is a much better way of deciding that transaction using verificationControllerPBKSimple. But you should realize that this is all deprecated and will bite you within the next few years - if not now. Convert to the newer methods.

Edit "deciding" = "decoding".

Having the same problem since we are probably using the same sample IAP verification code published in 2012. checkReceiptSecurity function fails since the version of the receipt/signature is now 3 (it must be 2 to pass the test). We opened a ticket 26321204 on bugreport.apple.com to get more info on this.

Great to hear that there is someone else with this problem. Yes, I think we are using the same code. Unfortunately, I cannot see the bug report you have filed ... Could you please keep me posted?

I've just heard from iTC that this is a known issue and intentional. The issue will affect any application which implemented the legacy iAP_ReceiptValidation code defined in the "VerificationController" class. The purpose of this code was to support iOS 5.1 and earlier iAP apps to address an underlying vulnerability in iOS 6. The VerificationController class was implemented and documented as a temporary receipt validation solution. It was never designed as a general purpose receipt validation solution.


For those that are interested in this legacy doc, I've placed a reference at the end of my response. The issue here is that the solution locally validates the Apple signature that is a part of the transactionReceipt. This works so long as the same certificate is used to sign the transactionReceipt. Yesterday, May 16, 2016, the certificate was changed. The signature in the transactionReceipt now fails verification with the hardcoded signature built into the app.


The recommended solution had been to update the app for post iOS 5.1, to forward the base64 encoded receipt to a trusted server for processing with the Apple Receipt Validation server. Many of you have noted that transactionReceipt has long since been marked as deprecated in favor of the applicationReceipt pointed to by [[NSBundle mainBundle] appStoreReceiptURL].

To my knowledge, receipt validation of the transactionReceipt can still be performed.


The solution for those apps experiencing this issue is to follow the guidelines presented in the Receipt Validation Program Guide

<https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Introduction.html#//apple_ref/doc/uid/TP40010573-CH105-SW1>


The link to the legacy iAP Receipt Validation for iOS 5.1 and earlier doc -

<https://developer.apple.com/legacy/library/releasenotes/StoreKit/IAP_ReceiptValidation/index.html>


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI
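The trusted-server flow recommended in the reply above, as an added example (not code from this thread or from Apple): the server forwards the base64 receipt to the validation server and grants content only on a clean reply, so no certificate or signature version is pinned in the app. The endpoint URLs, the 21007 sandbox status and the legacy receipt fields `bid`, `product_id` and `transaction_id` are not on this page and are assumptions about the verifyReceipt interface; `verify_purchase` and its parameters are hypothetical names.

```python
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"   # assumption
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"  # assumption
SANDBOX_RECEIPT_SENT_TO_PRODUCTION = 21007


def post_json(url, payload):
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_purchase(receipt_b64, expected_bundle_id, expected_product_id,
                    seen_transaction_ids, transport=post_json):
    """Return (granted, reason). Content is unlocked only when granted."""
    payload = {"receipt-data": receipt_b64}
    try:
        reply = transport(PRODUCTION_URL, payload)
        if reply.get("status") == SANDBOX_RECEIPT_SENT_TO_PRODUCTION:
            reply = transport(SANDBOX_URL, payload)
    except (OSError, ValueError) as exc:
        # Network or decoding failure: grant nothing, let the client retry.
        return False, "retry: %s" % exc
    if reply.get("status") != 0:
        return False, "rejected: status %r" % reply.get("status")
    receipt = reply.get("receipt", {})
    if receipt.get("bid") != expected_bundle_id:
        return False, "rejected: bundle id mismatch"
    if receipt.get("product_id") != expected_product_id:
        return False, "rejected: product mismatch"
    tx_id = receipt.get("transaction_id")
    # A receipt already redeemed must not unlock a consumable a second time.
    if not tx_id or tx_id in seen_transaction_ids:
        return False, "rejected: missing or replayed transaction id"
    seen_transaction_ids.add(tx_id)
    return True, "ok"


if __name__ == "__main__":
    # Constructed reply standing in for Apple's server, so this runs offline.
    def fake(url, payload):
        return {"status": 0, "receipt": {"bid": "com.example.app",
                "product_id": "coins100", "transaction_id": "1000000001"}}
    print(verify_purchase("Y29uc3RydWN0ZWQ=", "com.example.app", "coins100",
                          set(), transport=fake))
```

On the client, the transaction would be finished only after the server reports the purchase as granted, so a failed or unreachable validation can be retried.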

Of course one other useful option would be to see if the previous certificate can be restored. I don't have an explanation as to why the certificate was changed - but at least you have an understanding as to the reason for the failure.


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI

Turns out that the certificate expired and it had to be updated.


rich kubota - rkubota@apple.com

developer technical support CoreOS/Hardware/MFI