Receipt verification

RMStore doesn't perform receipt verification by default but provides reference implementations. You can implement your own custom verification or use the reference verificators provided by the library.

#Reference verificators

RMStore provides receipt verification via RMStoreAppReceiptVerificator (for iOS 7 or higher) and RMStoreTransactionReceiptVerificator (for iOS 6 or lower).

Neither is intended as a fail-proof solution and, if security is a real concern, you might want to avoid using an open source implementation for your receipt verification code. That said, the reference verificators should provide a good starting point for your own implementation.

##RMStoreAppReceiptVerificator

RMStoreAppReceiptVerificator is the reference implementation for local app receipt verification in iOS 7. It uses OpenSSL to extract the receipt in ASN1 from the PKCS #7 container and then parse the ASN1 data into an object.

Adding OpenSSL

OpenSSL is a well-known C cryptography library. Unfortunately there are no official builds for iOS.

RMStore includes binaries and headers for the latest OpenSSL version at the time of writing RMStoreAppReceiptVerificator. However, you might want to build OpenSSL yourself. See https://github.com/x2on/OpenSSL-for-iPhone for a build script.

After building OpenSSL you will need to add it as a static library:

1. In Build Phases, add libssl.a and libcrypto.a to Link Binary With Libraries.
2. In Build Settings, add the headers folder to the Header Search Paths.

Check out RMStoreDemo as a reference.

Adding the Root Certificate

Receipts are signed with the Apple Inc. Root Certificate. In order to verify the receipt signature, you need to include it in your app. The certificate can be downloaded from the Apple Root Certificate Authority.

By default, RMAppReceipt will expect the certificate to be a resource named AppleIncRootCertificate.cer. You can also set a custom url:

[RMAppReceipt setAppleRootCertificateURL:myCustomURL];

If no certificate is found, no signature verification will be performed. RMStoreAppReceiptVerificator will still verify that the receipt corresponds to your app, version and has a valid hash.

Required files

To use RMStoreAppReceiptVerificator add the following files to your project from RMStore/Optional:

• RMAppReceipt.h
• RMAppReceipt.m
• RMStoreAppReceiptVerificator.h
• [RMStoreAppReceiptVerificator.m]((https://github.com/robotmedia/RMStore/blob/master/RMStore/Optional/RMStoreAppReceiptVerificator.m)

Configuration

To verify the app receipt RMStoreAppReceiptVerificator checks the bundle identifier and bundle version compared within. Given that it is possible to modify the app bundle in jailbroken devices, you can provide hardcoded values for the comparison. For example:

_receiptVerificator.bundleIdentifier = @"net.robotmedia.test";
_receiptVerificator.bundleVersion = @"1.0";

##RMStoreTransactionReceiptVerificator

RMStoreTransactionReceiptVerificator is the reference implementation for transaction receipt verification in iOS 6 or lower. It gets a receipt from [SKPaymentTransaction transactionReceipt] and then validates it against Apple's server. This method has been deprecated in iOS 7, and as such the verificator itself is deprecated.

Required files

To use RMStoreTransactionReceiptVerificator add the following files to your project from RMStore/Optional:

• RMStoreTransactionReceiptVerificator.h
• [RMStoreTransactionReceiptVerificator.m]((https://github.com/robotmedia/RMStore/blob/master/RMStore/Optional/RMStoreTransactionReceiptVerificator.m)

#Custom verification

RMStore delegates receipt verification, enabling you to provide your own implementation using the RMStoreReceiptVerificator protocol:

- (void)verifyTransaction:(SKPaymentTransaction*)transaction
                           success:(void (^)())successBlock
                           failure:(void (^)(NSError *error))failureBlock;

Call successBlock if the receipt passes verification, and failureBlock in any other case. If verification could not be completed (e.g., due to connection issues), then error must be of code RMStoreErrorCodeUnableToCompleteVerification to prevent RMStore to finish the transaction.

Setting the verificator

No matter if you use a custom or reference verificator, you will need to set it at startup. For example:

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
    const BOOL iOS7OrHigher = floor(NSFoundationVersionNumber) > NSFoundationVersionNumber_iOS_6_1;
    _receiptVerificator = iOS7OrHigher ? [[RMStoreAppReceiptVerificator alloc] init] : [[RMStoreTransactionReceiptVerificator alloc] init];
    [RMStore defaultStore].receiptVerificator = _receiptVerificator;
    // Your code
    return YES;
}

Bear in mind that receiptVerificator is a weak property. In the above example the app delegate is responsible of retaining the verificator.

For iOS 5.x

There is a known vulnerability in iOS 5.1 or lower related to app-side receipt verification. RMStore does not address this vulnerability. If you are using RMStoreTransactionReceiptVerificator in iOS 5.x, please read this technical note.