      Latest reply on Nov 7, 2017 12:49 AM by eskimo
      houmie Level 1 (0 points)

        I have implemented a subscription IAP for my VPN app.  But since the VPN profile is stored on the iOS device itself, theoretically the user could just turn on the VPN from the settings, without having to open the app.

         

        This is a problem for users that have stopped paying the subscription. How can I prevent them from using the VPN from the back door?

         

        Many Thanks,

        • Re: How do I disable personal VPN if IAP subs has stopped?
          eskimo Apple Staff (13,045 points)

          [I’m presuming you’re using Personal VPN (NEVPNManager) and not a custom VPN transport (a Network Extension provider).]

          How can I prevent them from using the VPN from the back door?

          Your best option here is to enforce this on the server.  Even if Personal VPN has some sort of expiry date property, it would still be possible for the user to extract the VPN configuration and then manually configure the VPN using the same details.  Enforcing this on the server avoids all of these problems.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: How do I disable personal VPN if IAP subs has stopped?
              houmie Level 1 (0 points)

              Thank you for your reply.  Your assumption is correct; I meant an app based on NEVPNManager. It is an interesting idea to request a short-lived token from the server that can only be refreshed from the app. Without that the server would reject the connection.

               

              Is there a way to hide the VPN configuration details? e.g. exposing the server IP address is not great to expose either.

               

              Thank you

                • Re: How do I disable personal VPN if IAP subs has stopped?
                  eskimo Apple Staff (13,045 points)

                  Is there a way to hide the VPN configuration details?

                  No.

                  exposing the server IP address is not great to expose either.

                  I wouldn’t worry about that.  Anyone can work out the IP address of your VPN server by looking at a packet trace.

                  Instead I recommend that you focus on securing your system via user-specific credentials.  That’s the best way to prevent folks from stealing your service because:

                  • Credential expiry is controlled by your VPN server

                  • It discourages a user from sharing their credential because it’s tied to them personally

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
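
The server-side enforcement recommended in the replies above, sketched as an added example that is not part of the original thread and is not Apple's or any VPN product's code. It assumes a hypothetical in-memory account store and hypothetical function names (`issue_credential`, `extend_subscription`, `authorize`), and that the app backend has already validated the subscription before calling `issue_credential`.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store (assumption). A real deployment would keep
# this in whatever authentication backend the VPN server consults.
_accounts = {}
_ITERATIONS = 100_000


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def issue_credential(user_id, paid_until):
    """Create a VPN password tied to one user; only its salted hash is kept.

    paid_until is the subscription end as a Unix timestamp.
    """
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    _accounts[user_id] = {
        "salt": salt,
        "digest": _digest(password, salt),
        "paid_until": paid_until,
    }
    return password


def extend_subscription(user_id, paid_until):
    """A renewal moves the expiry; the credential on the device is unchanged."""
    _accounts[user_id]["paid_until"] = paid_until


def authorize(user_id, password, now=None):
    """Decision made by the VPN server on every connection attempt.

    It does not matter whether the attempt comes from the app, from the
    Settings toggle, or from a manually re-entered configuration.
    """
    now = time.time() if now is None else now
    account = _accounts.get(user_id)
    if account is None:
        return (False, "unknown-user")
    if not hmac.compare_digest(_digest(password, account["salt"]), account["digest"]):
        return (False, "bad-credential")
    if now >= account["paid_until"]:
        return (False, "subscription-expired")
    return (True, "ok")
```

Because the expiry lives only on the server, a lapsed subscription is refused even when the user still holds a valid password and the full VPN configuration.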