iPhone application purchase verification -- possible?
- by Sedate Alien
The iPhone 3.0 SDK's StoreKit.framework provides support for in-app purchases to give the user additional content, functionality and so on. It is possible for an app to send the transactionReceipt property of SKPaymentTransaction objects to the developer's server for verification of successful purchasing before granting service.
Is there any analogous SDK to verify the initial application purchase itself? A developer that wishes for their server to only provide services to genuine applications (i.e. not pirated) without using IAP could do so by verifying the application in this manner, e.g. ensure that only users with the correct transactionReceipt are catered for.
I understand that this approach would still be vulnerable to replay attacks; a dedicated group of pirates could share a valid transactionReceipt. However, my server provides a consumable service to users, i.e. once they've connected and done the work, it needn't work a second time so replay attacks are nullified.
The service that my app provides is relatively niche. I could distribute it on the App Store as a free application that requires at least one IAP to do anything useful, but I am led to believe that this would be a very unpopular move among users as it would be considered misleading. If I distribute it as a paid app, I do not know how to ensure that only genuine apps can access the webservice. This is important as every invocation of the webservice costs me money!
What are my options?
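The single-use idea in the question (a shared transactionReceipt stops working once the server has served it) is sketched below as an added example, not part of the original post. `ReceiptLedger`, `constructed_verifier` and the sample receipts are hypothetical names and constructed values; the verifier stands in for whatever receipt validation the server performs.

```python
import hashlib
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed sample receipts; real receipts are opaque blobs from StoreKit.
VALID_RECEIPTS = {b"constructed-receipt-A", b"constructed-receipt-B"}


def constructed_verifier(receipt: bytes) -> bool:
    """Hypothetical stand-in for the server's receipt validation step."""
    return receipt in VALID_RECEIPTS


class ReceiptLedger:
    """Grants the consumable service at most once per receipt."""

    def __init__(self, verify_receipt):
        self._verify = verify_receipt
        # In-memory for the example; a real server would persist this,
        # e.g. behind a unique constraint, so restarts do not reset it.
        self._spent = set()
        self._lock = threading.Lock()

    def redeem(self, receipt: bytes) -> str:
        if not receipt:
            return "rejected:empty"
        # Validate first so forged receipts never enter the spent set.
        if not self._verify(receipt):
            return "rejected:invalid"
        digest = hashlib.sha256(receipt).hexdigest()
        # Check and mark under one lock: two simultaneous replays of a
        # shared receipt cannot both pass the "not yet spent" test.
        with self._lock:
            if digest in self._spent:
                return "rejected:replayed"
            self._spent.add(digest)
        return "accepted"


def concurrent_replay(receipt: bytes, attempts: int) -> int:
    """Redeem one receipt from many threads; return how many succeed."""
    ledger = ReceiptLedger(constructed_verifier)
    with ThreadPoolExecutor(max_workers=attempts) as pool:
        results = list(pool.map(ledger.redeem, [receipt] * attempts))
    return results.count("accepted")


if __name__ == "__main__":
    print(concurrent_replay(b"constructed-receipt-A", 16))
```
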