Verifying In-App-Purchase Receipts Locally in Swift
kaz.yoshikawa@gmail.com
iOS Tokyo Meetup September 2019
About me
Kaz Yoshikawa
• Electricwoods LLC / Digital Lynx Systems Inc.
• e-mail: kyoshikawa@electricwoods.com
• twitter: @codelynx1
• Working History
• Adobe Systems (Tokyo)
• Lionbridge (Tokyo)
• Quark (Tokyo / Denver)
• Hummingbird Communications (Mt. View, USA)
• Fact International (Vancouver, Canada)
• Perle Systems (Toronto, Canada), etc.
How to verify In-App-Purchase Receipts “Locally”?
Show me the code.
Verifying receipts via server
• There are many articles about how to verify receipts through your own trusted server
• Tips for server-side verification of iOS monthly subscription receipts (iOSの月額課金レシート検証をサーバーサイドで行うときのTipsまとめ)
• Hidden pitfalls you must know when implementing iOS In-App Purchase (iOS In-App Purchase実装で必ず知っておきたい隠れた罠)
• Apple App Store Receipt Validation with Swift and Go
• Validating in-app purchases in your iOS app
• Receipt verification and the Sandbox (レシートのverifyとSandbox)
• About auto-renewable subscriptions, iOS edition (自動購読課金について【iOS編】)
Verifying receipts locally
• Very few articles available:
• Suggestions like:
• Use “ASN1C” to access ASN.1 format
• Verify the receipt is signed by Apple
• Use OpenSSL
• They do not show any working code.
• Hey! Show me the code.
Disclaimer
• This presentation material is not about:
• How to write secure code
• How to prevent code cracking
• Discouraging anyone from writing less secure code
Steps to verify
• Obtain Apple’s root certificate
• Your app receives a receipt
• Verify if the receipt is signed by Apple
• Extract purchases from the receipt
• Verify if a purchase is expired or cancelled
• Unlock contents if necessary
Obtain Apple’s root certificate
Apple Root Certificates
Apple Inc. Root Certificate
Apple Computer, Inc. Root Certificate
Apple Root CA - G2 Root Certificate
Apple Root CA - G3 Root Certificate
Apple Intermediate Certificates
Apple IST CA 2 - G1 Certificate
Apple IST CA 4 - G1 Certificate
Apple IST CA 5 - G1 Certificate
Apple IST CA 8 - G1 Certificate
Application Integration Certificate
Application Integration 2 Certificate
Application Integration - G3 Certificate
Developer Authentication Certificate
Developer ID Certificate
Software Update Certificate
Timestamp Certificate
WWDR Certificate (Expiring 02/07/23)
WWDR Certificate (Expiring 02/14/16)
Worldwide Developer Relations - G2 Certificate
Apple PKI
Apple established the Apple PKI in support of the generation, issuance, distribution,
revocation, administration, and management of public/private cryptographic keys that are
contained in CA-signed X.509 Certificates.
https://www.apple.com/certificateauthority/
Find the SHA-256 hash of “AppleIncRootCertificate.cer”
$ shasum -a 256 AppleIncRootCertificate.cer
b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
AppleIncRootCertificate.cer
Use this to ensure AppleIncRootCertificate.cer is genuine
Load the Root Certificate
import Foundation
import CryptoKit   // provides SHA256 (iOS 13+); the slide assumed a `Data.sha256` extension instead

var appleIncRootCertificate: Data {
    if let url = Bundle.main.url(forResource: "AppleIncRootCertificate", withExtension: "cer"),
       let data = try? Data(contentsOf: url) {
        // make sure the bundled certificate is not a fake one: compare its SHA-256
        // with the hash computed above, hardcoded here as base64
        let expectedSHA256 = Data(base64Encoded: "sLFzDsvH/0UFFCxJ8Slebtpryu1+LGjFvpG1oRAB8CQ=")
        if Data(SHA256.hash(data: data)) == expectedSHA256 {
            return data
        }
    }
    fatalError("error: failed to read the certificate.")
}
Check hash against hardcoded base64 hash value
Receiving receipts
Bundle.main.appStoreReceiptURL
if let url = Bundle.main.appStoreReceiptURL {
    do {
        let receiptData = try Data(contentsOf: url)   // a DER-encoded PKCS#7 container
        // ...
    }
    catch {
        // no receipt on disk yet (e.g. a fresh install): handle it rather than ignoring
        // the error, for example by requesting one with SKReceiptRefreshRequest
    }
}
Digging into the ASN.1 format
Check if it is signed by Apple
// PKCS7 and X509Certificate are assumed to be the ASN1Decoder library's types
let pkcs7 = try PKCS7(data: receiptData)
let appleX509cert = try X509Certificate(data: self.appleIncRootCertificate)
guard let appleKey = appleX509cert.publicKey?.key
    else { print("x509 public key not found."); return }
print(appleKey as NSData)

// check whether one of the certificates embedded in the receipt carries Apple's root public key
// (note: this confirms the root certificate is present in the embedded chain; it does not by
// itself verify the PKCS#7 signature over the receipt payload)
let signedByApple: Bool = {
    print("certificates:")
    for certificate in pkcs7.certificates {
        if let signedKey = certificate.publicKey?.key {
            print(signedKey as NSData)
            if signedKey == appleKey {
                return true
            }
        }
    }
    return false
}()
Check all purchases
// `receipt` is the receipt payload parsed out of the PKCS#7 container (assumed: ASN1Decoder's receipt info)
if let inAppPurchases = receipt.inAppPurchases {
    for purchase in inAppPurchases {
        guard let productIdentifier = purchase.productId else { continue }
        print(productIdentifier)
        print(purchase.purchaseDate ?? "n/a")
        print(purchase.originalPurchaseDate ?? "n/a")
        print(purchase.cancellationDate ?? "n/a")   // set when the purchase was refunded
        print(purchase.expiresDate ?? "n/a")        // set for subscriptions
        // ...
    }
}
What to check is not covered by this presentation.
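The decoding behind step 4 of the “Steps to verify” list and the expiry/cancellation decision of step 5 that the “Check all purchases” slide leaves open, as an added example that is not from the slides or from the ASN1Decoder library. It is written in Python so it runs stand-alone; the attribute type numbers are taken from Apple's Receipt Validation Programming Guide (the slides do not list them), the sample payload is constructed, and the PKCS#7 signature check of step 3 is assumed to have passed before the payload is parsed.

```python
from __future__ import annotations
from datetime import datetime, timezone

# Attribute type numbers are from Apple's Receipt Validation Programming Guide (not on the slides).
IN_APP, PRODUCT_ID = 17, 1702
DATE_FIELDS = {1704: "purchase_date", 1708: "expires_date", 1712: "cancellation_date"}

# --- minimal DER encoders, used only to build the constructed sample receipt ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def attribute(atype: int, inner: bytes) -> bytes:
    # ReceiptAttribute ::= SEQUENCE { type INTEGER, version INTEGER, value OCTET STRING }
    enc_int = lambda v: tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return tlv(0x30, enc_int(atype) + enc_int(1) + tlv(0x04, inner))

def purchase(product: str, **dates: str) -> bytes:
    # an in-app purchase attribute (type 17) wraps its own SET OF ReceiptAttribute: the product
    # id is a UTF8String (tag 0x0C), the dates are IA5Strings (tag 0x16) in RFC 3339 UTC
    by_name = {name: t for t, name in DATE_FIELDS.items()}
    attrs = [attribute(PRODUCT_ID, tlv(0x0C, product.encode()))]
    attrs += [attribute(by_name[name], tlv(0x16, d.encode())) for name, d in dates.items()]
    return attribute(IN_APP, tlv(0x31, b"".join(attrs)))

# --- DER decoder: step 4 of the slides, run only after the signature check has passed ---
def read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    # decode the TLV at buf[pos], insisting on `tag`; returns (body, position after it)
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):                        # never trust a length field blindly
        raise ValueError("DER length exceeds buffer")
    return buf[pos:pos + length], pos + length

def parse_attribute_set(set_body: bytes) -> list[tuple[int, bytes]]:
    # walk a SET OF ReceiptAttribute; returns [(type, DER inside the OCTET STRING value)]
    out, pos = [], 0
    while pos < len(set_body):
        seq, pos = read_tlv(set_body, pos, 0x30)
        type_body, p = read_tlv(seq, 0, 0x02)
        _version, p = read_tlv(seq, p, 0x02)
        value, _ = read_tlv(seq, p, 0x04)
        out.append((int.from_bytes(type_body, "big"), value))
    return out

def rfc3339(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_receipt(payload: bytes) -> list[dict]:
    # extract every in-app purchase (type 17) from the decoded receipt payload
    top, end = read_tlv(payload, 0, 0x31)
    if end != len(payload):
        raise ValueError("trailing bytes after payload")
    purchases = []
    for atype, value in parse_attribute_set(top):
        if atype != IN_APP:
            continue                                   # bundle id, app version, ...
        fields = {}
        for ftype, fval in parse_attribute_set(read_tlv(value, 0, 0x31)[0]):
            if ftype == PRODUCT_ID:
                fields["product_id"] = read_tlv(fval, 0, 0x0C)[0].decode("utf-8")
            elif ftype in DATE_FIELDS:
                fields[DATE_FIELDS[ftype]] = rfc3339(read_tlv(fval, 0, 0x16)[0].decode("ascii"))
        purchases.append(fields)
    return purchases

def is_active(p: dict, now: datetime) -> bool:
    # step 5 of the slides: a refunded (cancelled) purchase or an expired subscription
    # unlocks nothing; a purchase without an expiry date is permanent
    if "cancellation_date" in p:
        return False
    return "expires_date" not in p or now < p["expires_date"]

def active_products(payload: bytes, now_rfc3339: str) -> set[str]:
    now = rfc3339(now_rfc3339)
    return {p["product_id"] for p in parse_receipt(payload) if is_active(p, now)}

# constructed sample payload (not a real receipt): a permanent unlock, a lapsed monthly, a refunded yearly
SAMPLE_PAYLOAD = tlv(0x31, b"".join([
    attribute(2, tlv(0x0C, b"com.example.app")),       # type 2: bundle identifier
    purchase("com.example.pro", purchase_date="2019-06-01T09:00:00Z"),
    purchase("com.example.monthly", purchase_date="2019-08-01T09:00:00Z",
             expires_date="2019-09-01T09:00:00Z"),
    purchase("com.example.yearly", purchase_date="2019-08-15T09:00:00Z",
             expires_date="2020-08-15T09:00:00Z", cancellation_date="2019-08-20T09:00:00Z"),
]))
```

Calling `active_products(SAMPLE_PAYLOAD, "2019-09-10T00:00:00Z")` yields only `com.example.pro`; the parser rejects truncated or mis-tagged input instead of reading past the buffer.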
Recap
Qiita
https://qiita.com/codelynx/items/a88805b47b7e40ef3782
Thank you
kyoshikawa@electricwoods.com

iOS In-App-Purchase verifying receipt locally in Swift

9. Obtain Apple’s root certificate
Apple Root Certificates
Apple Inc. Root Certificate
Apple Computer, Inc. Root Certificate
Apple Root CA - G2 Root Certificate
Apple Root CA - G3 Root Certificate
Apple Intermediate Certificates
Apple IST CA 2 - G1 Certificate
Apple IST CA 4 - G1 Certificate
Apple IST CA 5 - G1 Certificate
Apple IST CA 8 - G1 Certificate
Application Integration Certificate
Application Integration 2 Certificate
Application Integration - G3 Certificate
Developer Authentication Certificate
Developer ID Certificate
Software Update Certificate
Timestamp Certificate
WWDR Certificate (Expiring 02/07/23)
WWDR Certificate (Expiring 02/14/16)
Worldwide Developer Relations - G2 Certificate
Apple PKI
Apple established the Apple PKI in support of the generation, issuance, distribution, revocation, administration, and management of public/private cryptographic keys that are contained in CA-signed X.509 Certificates.
https://www.apple.com/certificateauthority/

10. Find the hash (sha256) of “AppleIncRootCertificate.cer”
    $ shasum -a 256 AppleIncRootCertificate.cer
    b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024  AppleIncRootCertificate.cer
Use this hash to ensure the AppleIncRootCertificate.cer bundled with the app is genuine.
11. Load the Root Certificate
    var appleIncRootCertificate: Data {
        if let url = Bundle.main.url(forResource: "AppleIncRootCertificate", withExtension: "cer"),
           let data = try? Data(contentsOf: url) {
            // make sure the certificate is not a fake one:
            // compare its SHA-256 against the pinned value (the base64 form of the shasum output above)
            let sha256 = Data(base64Encoded: "sLFzDsvH/0UFFCxJ8Slebtpryu1+LGjFvpG1oRAB8CQ=")
            // `sha256` is a Data extension that hashes the contents; it is not shown on the slides
            if data.sha256 == sha256 {
                return data
            }
        }
        fatalError("error: failed to read the certificate.")
    }
Check the hash against the hardcoded base64 hash value.

12. Receiving receipts
Bundle.main.appStoreReceiptURL
    if let url = Bundle.main.appStoreReceiptURL {
        do {
            let receiptData = try Data(contentsOf: url)
            // ...
        } catch {
        }
    }

14. Check if it is signed by Apple
    // PKCS7 and X509Certificate come from an ASN.1 library, not from Foundation
    let pkcs7 = try PKCS7(data: receiptData)
    let appleX509cert = try X509Certificate(data: self.appleIncRootCertificate)
    guard let appleKey = appleX509cert.publicKey?.key else { print("x509 public key not found."); return }
    print(appleKey as NSData)
    // check if one of these certificates is signed by apple:
    // compare the public key of each certificate embedded in the PKCS#7 container with the root's key
    let signedByApple: Bool = {
        print("certificates:")
        for certificate in pkcs7.certificates {
            if let signedKey = certificate.publicKey?.key {
                print(signedKey as NSData)
                if signedKey == appleKey { return true }
            }
        }
        return false
    }()

15. Check all purchases
    if let inAppPurchases = receipt.inAppPurchases {
        for purchase in inAppPurchases {
            guard let productIdentifier = purchase.productId else { continue }
            print(productIdentifier)
            print(purchase.purchaseDate ?? "n/a")
            print(purchase.originalPurchaseDate ?? "n/a")
            print(purchase.cancellationDate ?? "n/a")
            print(purchase.expiresDate ?? "n/a")
            // ...
        }
    }
What to check is not covered by this presentation.

16. Recap
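As an added example (not from the slides or the author's project), the following Python script decodes the ASN.1 attribute set that the receipt payload consists of (the structure the slides reach through ASN1C or a PKCS7 library) and applies the expired/cancelled check that slide 15 leaves open. The attribute type numbers (2, 17, 1702, 1704, 1708, 1712) are Apple's documented receipt field codes and are assumed here, as is the constructed sample payload; the payload is the signed content of the PKCS#7 container, so it must pass the signature check first, and this script does not do that part.

```python
import datetime
# Receipt attribute type numbers as documented by Apple (assumed here, not taken from the slides).
BUNDLE_ID, IN_APP, PRODUCT_ID, PURCHASE_DATE, EXPIRES_DATE, CANCEL_DATE = 2, 17, 1702, 1704, 1708, 1712

def parse_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def parse_attributes(der_set):
    """Payload layout: SET OF SEQUENCE { type INTEGER, version INTEGER, value OCTET STRING }."""
    tag, body, _ = parse_tlv(der_set)
    if tag != 0x31: raise ValueError("receipt payload is not a DER SET")
    attrs, pos = [], 0
    while pos < len(body):
        _, seq, pos = parse_tlv(body, pos)
        _, type_bytes, p = parse_tlv(seq)              # attribute type
        _, _, p = parse_tlv(seq, p)                    # attribute version (ignored)
        attrs.append((int.from_bytes(type_bytes, "big"), parse_tlv(seq, p)[1]))
    return attrs
def decode_receipt(payload):
    """Bundle id plus one purchase dict per type-17 attribute (string fields only)."""
    text = lambda v: parse_tlv(v)[1].decode()          # strings are nested TLVs inside the OCTET STRING
    out = {"bundle_id": None, "purchases": []}
    for t, value in parse_attributes(payload):
        if t == BUNDLE_ID:
            out["bundle_id"] = text(value)
        elif t == IN_APP:
            out["purchases"].append({pt: text(pv) for pt, pv in parse_attributes(value)
                                     if pt in (PRODUCT_ID, PURCHASE_DATE, EXPIRES_DATE, CANCEL_DATE)})
    return out
def is_active(purchase, now):
    """Unlock only if neither cancelled nor expired; dates are RFC 3339 UTC strings as in the receipt."""
    ts = lambda s: datetime.datetime.fromisoformat(s.replace("Z", "+00:00"))
    if CANCEL_DATE in purchase:
        return False
    expires = purchase.get(EXPIRES_DATE)               # absent for non-subscription purchases
    return expires is None or ts(expires) > ts(now)
def der(tag, body):                                    # tiny DER encoder, only for the constructed sample
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def attr(t, value):                                    # SEQUENCE { type, version 1, OCTET STRING value }
    return der(0x30, der(0x02, t.to_bytes((t.bit_length() + 8) // 8, "big")) + der(0x02, b"\x01") + der(0x04, value))
utf8 = lambda s: der(0x0C, s.encode())                 # UTF8String (identifiers)
ia5 = lambda s: der(0x16, s.encode())                  # IA5String (RFC 3339 dates)
SAMPLE_RECEIPT = der(0x31, attr(BUNDLE_ID, utf8("com.example.app"))  # constructed sample payload
    + attr(IN_APP, der(0x31, attr(PRODUCT_ID, utf8("com.example.app.monthly"))
        + attr(EXPIRES_DATE, ia5("2019-09-01T00:00:00Z"))))
    + attr(IN_APP, der(0x31, attr(PRODUCT_ID, utf8("com.example.app.pro")))))
```

The sample carries one monthly subscription that expired on 2019-09-01 and one non-consumable purchase, so `is_active` answers differently for the two depending on the current date passed in.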