
raywenderlich.com Forums

In-App Purchases in iOS 6 Tutorial: Consumables and Receipt Validation

This is a blog post by site administrator Ray Wenderlich, an independent software developer and gamer. A while back on the weekly tutorial poll on the sidebar, you guys voted for a tutorial on In-App Purchases: consumables and receipt validation. As always, your wish is my command! :] This tutorial picks up where we left […]


This is a companion discussion topic for the original entry at https://www.raywenderlich.com/2812-in-app-purchases-in-ios-6-tutorial-consumables-and-receipt-validation

I’m using the VerificationController provided by Raywenderlich in several of my apps, and it’s been fantastic. Totally reliable, easy to implement, and effective. It’s been live in three of my apps for several months each.

However, two days ago, all three apps suddenly stopped working properly. Every purchase is now being flagged as invalid without exception, both for my live users and for my own test accounts. I’ve made no changes to the apps or their backends, in fact I’ve been moving apartments so I literally haven’t touched them in a week or more. The change was instantaneous across all three apps, and I’ve understandably started getting complaints.

The problem seems to be in the checkReceiptSecurity() function (it’s always returning NO when it needs to return YES for valid transactions), but the code inside that function is beyond my ability to comprehend. I’m hoping someone has encountered something like this, or perhaps is even experiencing it now, and knows a solution?

As far as I can tell, it seems to be happening on the second of these lines (VerificationController.m line 158).

require(signature_length > offsetof(struct signature_blob, certificate), outLabel);
require(signature_blob_ptr->version == 2, outLabel);
certificate_len = ntohl(signature_blob_ptr->cert_len);

Which are helpfully commented as “Make sure the signature blob is long enough to safely extract the version and cert_len fields, then perform a sanity check on the fields.” When it hits the signature_blob_ptr line, it suddenly jumps to the end of the function, which I assume means that it didn’t pass some sort of check.

Can anyone shed any light on what is happening? This is obviously devastating to my app portfolio, and I need to fix it immediately. I’ll disable the verification temporarily and release an update if I have to, but I’d like to find a fix for whatever has changed…
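The checks in the quoted `require` lines, restated as an added C example (not the tutorial's or Apple's code): each check returns its own status, so a log shows which one rejected a blob, and a bound on `cert_len` is added. The struct layout, `SIG_LEN`, `check_blob`, `make_blob` and the sample blobs are assumptions constructed for illustration; only the field names `version`, `cert_len` and `certificate` come from the post.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout: only version, cert_len and certificate are named in the
 * thread; the signature size is a constructed placeholder. */
#define SIG_LEN 128
struct signature_blob {
    uint8_t  version;
    uint8_t  signature[SIG_LEN];
    uint32_t cert_len;            /* network byte order */
    uint8_t  certificate[];
} __attribute__((packed));
#define HDR_LEN offsetof(struct signature_blob, certificate)
enum blob_status { BLOB_OK, BLOB_TOO_SHORT, BLOB_BAD_VERSION, BLOB_BAD_CERT_LEN };

/* The checks from the quoted lines, plus a bound on cert_len, with one
 * status per failure so logs show which check rejected the blob. */
enum blob_status check_blob(const uint8_t *buf, size_t len, uint32_t *cert_len)
{
    uint32_t raw;
    if (len <= HDR_LEN) return BLOB_TOO_SHORT;        /* header must fit */
    if (buf[offsetof(struct signature_blob, version)] != 2)
        return BLOB_BAD_VERSION;                      /* unknown format: fail closed */
    memcpy(&raw, buf + offsetof(struct signature_blob, cert_len), sizeof raw);
    if (ntohl(raw) > len - HDR_LEN) return BLOB_BAD_CERT_LEN; /* would read past buffer */
    *cert_len = ntohl(raw);
    return BLOB_OK;
}

/* Builds a constructed sample blob; returns its total length. */
size_t make_blob(uint8_t *out, uint8_t version, uint32_t claimed, size_t actual)
{
    uint32_t be = htonl(claimed);
    memset(out, 0, HDR_LEN + actual);
    out[0] = version;
    memcpy(out + offsetof(struct signature_blob, cert_len), &be, sizeof be);
    return HDR_LEN + actual;
}

int main(void)
{
    uint8_t buf[512]; uint32_t n = 0;   /* all inputs below are constructed */
    printf("version 2:     %d\n", check_blob(buf, make_blob(buf, 2, 64, 64), &n));
    printf("other version: %d\n", check_blob(buf, make_blob(buf, 3, 64, 64), &n));
    printf("oversized len: %d\n", check_blob(buf, make_blob(buf, 2, 4096, 64), &n));
    return 0;
}
```

A blob that is intact but carries any version other than 2 is rejected at the second check, which matches the jump to the end of the function described in the post above.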

Apple just did this intentionally – that code, VerificationController.m, is no longer supposed to work.
Read the details here: https://forums.developer.apple.com/message/138487#138487
I am totally screwed by this too.

Hi,

I had an approved yesterday which uses the receipt validation code.

Have been doing some sandbox testing today (10th Jun 2016) and found that receipts no longer verify which means users won’t be able to unlock functionality. :frowning:

Seems as though this is an issue in production as well as sandbox (as has been mentioned above). @nerrolken or @xaphod, what approach did you take to resolving this?

Did you just remove verification and issue a quick update or come up with a more comprehensive solution?

Would be great to hear how you (or others) dealt with this.

I removed receipt validation entirely. I am not worried about a few hackers getting my apps for free (if it is even still possible - AFAIK it was just for iOS 5/earlier).
The code in this tutorial uses deprecated APIs that were deprecated many years ago. Can't use it.

Thanks @xaphod, think I’ll do the same for now.

Hello @xaphod,
Could you please explain how you skipped receipt validation based on this tutorial?
Is it safe regarding security?
Hoping for answers,
Best regards,
David

This tutorial is more than six months old so questions are no longer supported at the moment for it. We will update it as soon as possible. Thank you! :]