Friday, October 18, 2013

Modern Receipt Validation

Apple’s sample code for Mac App Store receipt validation still uses OpenSSL, which Apple deprecated in Mac OS X 10.7, so apps are no longer supposed to dynamically link against it. You can statically link OpenSSL into your app, but Satoshi Numata has posted more modern code that uses only the system’s built-in libraries (via Craig Hockenberry).


2 Comments

In my MAS receipt validation code there's this comment:

// Reference:
// https://developer.apple.com/library/mac/releasenotes/General/ValidateAppStoreReceipt/index.html#//apple_ref/doc/uid/TP40010573-CH1-SW8
// https://gist.github.com/sazameki/3026845
// https://github.com/roddi/ValidateStoreReceipt/blob/master/validatereceipt.m
// https://github.com/mikestew/AppReceiptParser

I took a look at all this and built something of my own using far fewer Objective-C objects. I made sure it works on 10.6. Satoshi's code is really great, not only because it does not use OpenSSL but also because it is very readable.

It's not an easy problem. I find it funny, but not that surprising, that there are apps in the Developer Tools category of the Mac App Store dedicated to creating multiple obfuscated variants of receipt validation code. One of them is $299.99. There's definitely a market out there to help developers with difficult things.

I was looking at Numata’s code again because of the recent certificate issues. It looks to me like there are two problems with it: (1) it does not validate using the receipt’s creation date, and (2) it does not check that the receipt was signed by Apple’s certificate.
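For reference, here is what the two checks named in the last comment look like when done with the system frameworks only, alongside the usual bundle identifier, version and GUID hash checks. This is an added example, not code from the post, from Numata's gist or from any of the other projects linked above. It assumes ARC, that the expected bundle identifier and version are compiled into the binary, that Apple Root CA is available to the caller as a SecCertificateRef (for example loaded from a bundled AppleIncRootCertificate.cer with SecCertificateCreateWithData), and that a helper primaryMACAddress() (declared but not shown; typically IOKit) returns the machine GUID, i.e. the primary MAC address, as NSData.

```objective-c
// Added example, not code from the post or from the projects linked above.
// Mac App Store receipt check using only Security.framework and CommonCrypto. Besides the
// bundle id / version / GUID hash checks, it anchors the signer chain on Apple Root CA alone
// and evaluates that chain as of the receipt creation date (attribute 12), not "now".
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

enum { kBundleId = 2, kAppVersion = 3, kOpaque = 4, kSHA1Hash = 5, kCreationDate = 12 };
NSData *primaryMACAddress(void);   // assumed helper (IOKit), not shown here

// One DER tag/length header. Returns the header size (0 on error); *len gets the content length.
static size_t derTLV(const uint8_t *p, size_t n, uint8_t *tag, size_t *len) {
    if (n < 2) return 0;
    size_t hdr = 2, l = p[1];
    if (l & 0x80) {                                     // long form: next k bytes hold the length
        size_t k = l & 0x7f;
        if (k == 0 || k > 4 || n < 2 + k) return 0;
        for (l = 0; k; k--) l = (l << 8) | p[hdr++];
    }
    if (l > n - hdr) return 0;                          // content must lie inside the buffer
    *tag = p[0]; *len = l;
    return hdr;
}

// Payload = SET OF SEQUENCE { type INTEGER, version INTEGER, value OCTET STRING }.
// Returns @(type) -> raw OCTET STRING content, or nil if malformed. Unknown types are kept but unused.
static NSDictionary *parsePayload(NSData *payload) {
    const uint8_t *buf = payload.bytes; uint8_t tag; size_t hdr, len;
    if (!(hdr = derTLV(buf, payload.length, &tag, &len)) || tag != 0x31) return nil;      // SET
    NSMutableDictionary *attrs = [NSMutableDictionary dictionary];
    for (const uint8_t *p = buf + hdr, *end = p + len; p < end; p += hdr + len) {
        if (!(hdr = derTLV(p, end - p, &tag, &len)) || tag != 0x30) return nil;          // SEQUENCE
        const uint8_t *q = p + hdr, *qend = q + len; long type = 0; NSData *value = nil;
        for (int i = 0; i < 3; i++) {                                                    // type, version, value
            size_t h, l;
            if (!(h = derTLV(q, qend - q, &tag, &l)) || tag != (i == 2 ? 0x04 : 0x02) || (i < 2 && l > 4)) return nil;
            if (i == 0) for (size_t j = 0; j < l; j++) type = type << 8 | q[h + j];
            if (i == 2) value = [NSData dataWithBytes:q + h length:l];
            q += h + l;
        }
        attrs[@(type)] = value;
    }
    return attrs;
}

// The string inside an attribute value is itself DER: UTF8String (0x0c) or IA5String (0x16).
static NSString *derString(NSData *value, uint8_t want) {
    uint8_t tag; size_t hdr, len;
    if (!value || !(hdr = derTLV(value.bytes, value.length, &tag, &len)) || tag != want || hdr + len != value.length) return nil;
    return [[NSString alloc] initWithBytes:(const uint8_t *)value.bytes + hdr length:len encoding:NSUTF8StringEncoding];
}

// Verifies signature, chain and payload. guid is the primary MAC address.
static BOOL checkReceipt(NSData *receipt, SecCertificateRef appleRoot, NSData *guid,
                         NSString *expectedBundleId, NSString *expectedVersion) {
    CMSDecoderRef decoder = NULL; CFDataRef content = NULL; SecTrustRef trust = NULL;
    CMSSignerStatus status = kCMSSignerUnsigned; OSStatus certResult = 0; BOOL ok = NO;
    if (CMSDecoderCreate(&decoder) != errSecSuccess) return NO;
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    // evaluateSecTrust = false: the signature is checked here, the chain is handed back unevaluated.
    if (CMSDecoderUpdateMessage(decoder, receipt.bytes, receipt.length) == errSecSuccess &&
        CMSDecoderFinalizeMessage(decoder) == errSecSuccess &&
        CMSDecoderCopyContent(decoder, &content) == errSecSuccess &&
        CMSDecoderCopySignerStatus(decoder, 0, policy, false, &status, &trust, &certResult) == errSecSuccess &&
        status == kCMSSignerValid && trust != NULL) {
        NSDictionary *attrs = parsePayload((__bridge NSData *)content);
        NSString *created = derString(attrs[@(kCreationDate)], 0x16);         // e.g. 2013-10-18T12:00:00Z
        NSDateFormatter *fmt = [[NSDateFormatter alloc] init];
        fmt.locale = [NSLocale localeWithLocaleIdentifier:@"en_US_POSIX"];
        fmt.timeZone = [NSTimeZone timeZoneWithAbbreviation:@"UTC"];
        fmt.dateFormat = @"yyyy-MM-dd'T'HH:mm:ss'Z'";
        NSDate *verifyDate = created ? [fmt dateFromString:created] : nil;
        CFArrayRef anchors = CFArrayCreate(NULL, (const void **)&appleRoot, 1, &kCFTypeArrayCallBacks);
        SecTrustResultType trustResult = kSecTrustResultInvalid;
        NSData *rawBundleId = attrs[@(kBundleId)], *opaque = attrs[@(kOpaque)], *hash = attrs[@(kSHA1Hash)];
        if (verifyDate && rawBundleId && opaque && hash &&
            SecTrustSetAnchorCertificates(trust, anchors) == errSecSuccess &&   // Apple Root CA only,
            SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess &&  // not the system roots
            SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate) == errSecSuccess && // as of creation
            SecTrustEvaluate(trust, &trustResult) == errSecSuccess &&
            (trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed)) {
            // Chain is good; now bind the payload to this app and this machine:
            // hash = SHA-1(GUID || opaque || bundle id exactly as DER-encoded in the receipt).
            NSMutableData *msg = [NSMutableData dataWithData:guid];
            [msg appendData:opaque]; [msg appendData:rawBundleId];
            uint8_t digest[CC_SHA1_DIGEST_LENGTH];
            CC_SHA1(msg.bytes, (CC_LONG)msg.length, digest);
            // Compare with values compiled into the binary, never with Info.plist, which is editable.
            ok = [derString(rawBundleId, 0x0c) isEqualToString:expectedBundleId] &&
                 [derString(attrs[@(kAppVersion)], 0x0c) isEqualToString:expectedVersion] &&
                 hash.length == sizeof digest && memcmp(hash.bytes, digest, sizeof digest) == 0;
        }
        CFRelease(anchors);
    }
    if (trust) CFRelease(trust);
    if (content) CFRelease(content);
    CFRelease(policy); CFRelease(decoder);
    return ok;
}
```

At launch, load the receipt from [[NSBundle mainBundle] appStoreReceiptURL] and call checkReceipt(receipt, appleRoot, primaryMACAddress(), @"com.example.app", @"1.0") with your own compiled-in identifiers; if it returns NO, exit(173) so the App Store fetches a fresh receipt. The point of passing false for evaluateSecTrust is that CMSDecoderCopySignerStatus() would otherwise evaluate the chain against the system roots at the current time, which is exactly what breaks once the intermediate or leaf that signed the receipt has expired; setting the verify date to the creation date and restricting anchors to Apple Root CA addresses both problems noted above. SecTrustEvaluate() was later deprecated in favour of SecTrustEvaluateWithError(), which takes the same SecTrustRef.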
