Earlier this year (around July) Apple announced that a vulnerability had been discovered in the in-app purchasing mechanism, which they discuss here. They provide some Objective-C code which:
- Checks the information returned matches the information in the
- Checks that new transactions have a unique transaction ID
- Verifies the SSL certificate
- Verifies the receipt's signature
I've started a port of that code to MonoTouch, so far it only performs the first two mitigation steps. The
VerificationController c# class is a gist.
Adding this code to a simple in-app purchase implementation would turn something like this:
into something like this:
where there is now an additional web request round-trip in your purchase code, plus a pile of comparisons to see whether the the StoreKit receipt matches the one you requested from iTunes directly. It also stores a list of every transaction ID in
NSUserDefaults that is used to identify duplicates (which is an indication that the responses are being faked).
WARNING: the c# port currently only performs rudimentary checks comparing the receipt returned by StoreKit to one you've attempted to independently verify with iTunes. Without the SSL certificate and signature checks your code will still be vulnerable to sophisticated hacks on the DNS config to re-route requests and fake the responses. Please consider this a starting point for improving the security of your in-app purchase code.
NOTE: Apple says this vulnerability will be addressed in a future version of the operating system!