ios - In-App Purchase Receipt Validation Contradiction -


apple offers 2 documents receipt validation, apparently contradictory statements.

in "verifying store receipts":

note: on ios, contents , format of store receipt private , subject change. your application should not attempt parse receipt data directly.

yet, in "in-app purchase receipt validation on ios" sample code provided in store receipt parsed , verified, part of "mitigation strategy" security vulnerability:

// check validity of receipt.  if checks out ensure transaction // haven't seen before , decode , save purchaseinfo receipt later receipt validation. - (bool)istransactionanditsreceiptvalid:(skpaymenttransaction *)transaction {     if (!(transaction && transaction.transactionreceipt && [transaction.transactionreceipt length] > 0))     {         // transaction not valid.         return no;     }      // pull purchase-info out of transaction receipt, decode it, , save later     // can cross checked verifyreceipt.     nsdictionary *receiptdict       = [self dictionaryfromplistdata:transaction.transactionreceipt];     nsstring *transactionpurchaseinfo = [receiptdict objectforkey:@"purchase-info"];     nsstring *decodedpurchaseinfo   = [self decodebase64:transactionpurchaseinfo length:nil];     nsdictionary *purchaseinfodict  = [self dictionaryfromplistdata:[decodedpurchaseinfo datausingencoding:nsutf8stringencoding]];      nsstring *transactionid         = [purchaseinfodict objectforkey:@"transaction-id"];     nsstring *purchasedatestring    = [purchaseinfodict objectforkey:@"purchase-date"];     nsstring *signature             = [receiptdict objectforkey:@"signature"];      // convert string date     nsdateformatter *dateformat = [[nsdateformatter alloc] init];     [dateformat setdateformat:@"yyyy-mm-dd hh:mm:ss z"];      nsdate *purchasedate = [dateformat datefromstring:[purchasedatestring stringbyreplacingoccurrencesofstring:@"etc/" withstring:@""]];       if (![self istransactionidunique:transactionid])     {         // we've seen transaction before.         // had [transactionsreceiptstoragedictionary objectforkey:transactionid]         // got purchaseinfodict         return no;     }      // check authenticity of receipt response/signature etc.      bool result = checkreceiptsecurity(transactionpurchaseinfo, signature,                                        (__bridge cfdateref)(purchasedate));      if (!result)     {         return no;     }      // ensure transaction legit     if (![self dotransactiondetailsmatchpurchaseinfo:transaction withpurchaseinfo:purchaseinfodict])     {         return no;     }      // make note of fact we've seen transaction id     [self savetransactionid:transactionid];      // save transaction receipt's purchaseinfo in transactionsreceiptstoragedictionary.     [transactionsreceiptstoragedictionary setobject:purchaseinfodict forkey:transactionid];      return yes; }

if understand correctly, if verify receipt app stop working when apple decides change format of receipt.

and if don't verify receipt, i'm not following apple's "mitigation strategy" , app vulnerable attacks.

damned if do, damned if don't. there i'm missing?

they heavily recommend use own server intermediary validation, allow clear , secure passage app store versions of ios. that's best route not damned either way.

if must perform validation directly device app store, utilise mitigation strategy only when application run on 5.1.x , below. ios6 , above, use recommended means provided.

whilst case shouldn't parse receipt directly, discovered vulnerability put apple between rock , hard place in how address this, , decided application developers implement check. means when user updates application, receipts secured again (irrespective of ios version), thereby providing better fix coverage. side effect, means have break how should (but apple have give permission so).

i agree documentation isn't wholly clear on this, , clarified bit more (you should give them feedback documentation pages @ bottom). apple have published mitigation strategy, , state should used on ios 5.1.x , below address vulnerability. onus on them if change format/contents of iap receipts.


Comments

Post a Comment

Popular posts from this blog

basic authentication with http post params android -

i doing basic authentication passing username , password , using basicnamevaluepair sending post params response service. my method: public stringbuilder callservicehttppost(string username, string password, string type) { // create new httpclient , post header httpclient httpclient = new defaulthttpclient(); httppost httppost = new httppost(webservice + type); httpresponse response = null; stringbuilder total = new stringbuilder(); try { url url = new url(webservice + type); /*string base64encodedcredentials = base64.encodetostring((username + ":" + password).getbytes(), base64.url_safe | base64.no_wrap);*/ string base64encodedcredentials = "basic " + base64.encodetostring( (username + ":" + password).getbytes(), base64.no_wrap); httppost.setheader("auth...
Read more

vb.net - Virtual Keyboard commands -

i wondering difference between virtual these keyboard commands is: keyeventf_extendedkey , keyeventf_keyup is. everywhere have looked gives me description based off integers , not want know each of them does. you've tagged question vb.net, these have nothing @ vb.net. they're constants defined in windows header files, use win32 api functions. as far difference, can't tell looking @ values. individual values not particularly important, that's why named identifiers used. what's important used , documentation functions tells mean. the first one, keyeventf_extendedkey , used keybdinput structure (which used along e.g. sendinput function) pass information synthesized keyboard input. if flag used, means scan code should interpreted extended key. technically, means scan code preceded prefix byte value 224 (&he0 in hexadecimal notation). the second one, keyeventf_keyup , 1 of flags available use structure. means key being released (going up)...
Read more

css - Firefox for ubuntu renders wrong colors -

Image
i've got following problem: i'm developing website, while testing around i've noticed firefox , chromium display css bar in different colors. when switched between several machine come conclusion firefox ubuntu problem. on other devices i've tested website. it's fine. the differences between chrome , firefox rendering: firefox: chromium: note: firefox ubuntu problem. does knows why , came solution? https://bugzilla.mozilla.org/show_bug.cgi?id=655637 bug 629312 - firefox displays wrong colors on image (only linux) open about:config , rechange gfx.color_management.mode 2 0.
Read more