We have several apps live in the iOS store using code to validate the app receipt locally, using the techniques introduced with iOS 7 and documented here:
However, I have noticed an alarming rate of failure of this code lately, up to the point that we're having trouble even passing App Store review in our last updates, since the code even fails for them. Basically, it looks like the initial receipts on app install/update are invalid, forcing us to refresh the receipt explicitly (which is a bad user experience, forcing the user to enter their App Store login info). This in turn leads to a bad user experience, looking a lot like a bug to the App Review team, even with our own attempts to mitigate this.
Once the receipt is refreshed, the validation passes just fine, so it is likely not a problem with our validation code, but rather seems to be a problem with the way Apple installs the receipts upon app install or update. Maybe they changed something about the format for initial receipts, but if that is the case there have been no updates to the documentation since last year. Maybe there will be explanations about this at the current WWDC?
Has anybody else experienced something similar? In the past this seemed to be happening intermittently (rarely enough that this wasn't a problem with App Review). Lately this seems to have been failing much more consistently, and even happens on my own devices now. Even worse is that I don't see a way to test this properly as this is expected behavior in the developer sandbox. Validation works fine with a refreshed receipt in both testing and production environments. It is just not supposed to happen in production, yet it does - and way too much.
We're seriously considering getting rid of receipt validation in our apps if Apple can't make it work properly - which is a shame as besides the piracy protection it really helped keep track of the user's past purchases simply by inspecting the receipt, and thus avoiding the need to do a "restore purchase". It would be nice to be able to keep doing that, but if this just doesn't work at all out of the gate, then I'm afraid that it's not worth bothering with.