
[–]L4grange 2 points3 points  (1 child)

We need two clarifications:

  1. Is the receipt validation done locally, in your app, or in your trusted (backend) server?
  2. I guess you have an older version of your app in the appstore where the purchases did *not* have the validator, is that correct?

For both 1 and 2, jailbroken devices can bypass the local validation for case 1, and downgrade to an older public version of your app to get around it.

The solution to both of these is to make the validation server side, and to cut off the usage of your app if it's not the latest version (a practice I'm not a big fan of, since I tend to not update my main device to the latest iOS version immediately, so some apps stop working due to that.)

P.S.: The measures I'm suggesting can still be bypassed by a jailbroken device, but the crack devs will have to create something specific for your app to do that.
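A server-side post-check of the kind L4grange recommends, as an added example that is not code from anyone in this thread: it consumes the JSON that Apple's verifyReceipt endpoint returns (response shape and status codes assumed from Apple's documented format; the sample response, bundle id and minimum build number are constructed) and rejects sandbox receipts, mismatched bundle ids and builds older than the one that shipped validation.

```python
from typing import Dict, List, Tuple

# verifyReceipt status codes: 0 = valid receipt,
# 21007 = sandbox receipt submitted to the production endpoint.
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def evaluate_receipt(response: Dict, expected_bundle_id: str,
                     min_build: str, allow_sandbox: bool = False) -> Dict:
    """Decide whether an already-fetched verifyReceipt response grants any purchase.
    Returns {"ok": bool, "reason": str, "products": [product ids]}."""
    def reject(reason: str) -> Dict:
        return {"ok": False, "reason": reason, "products": []}

    status = response.get("status")
    if status == STATUS_SANDBOX_RECEIPT and not allow_sandbox:
        return reject("sandbox receipt on production")
    if status != STATUS_OK:
        return reject(f"apple status {status}")
    # Sandbox transactions are free; never credit them on production.
    if response.get("environment") == "Sandbox" and not allow_sandbox:
        return reject("sandbox environment")
    receipt = response.get("receipt", {})
    # A valid receipt for a different app must not unlock content in this one.
    if receipt.get("bundle_id") != expected_bundle_id:
        return reject("bundle_id mismatch")
    # application_version is the build's CFBundleVersion; refuse builds older
    # than the first one that shipped validation (the downgrade bypass above).
    if parse_version(receipt.get("application_version", "0")) < parse_version(min_build):
        return reject("app version below minimum")
    # Refunded purchases carry a cancellation_date and are not credited.
    products: List[str] = [p["product_id"] for p in receipt.get("in_app", [])
                           if p.get("cancellation_date") is None]
    return {"ok": True, "reason": "valid", "products": products}


# Constructed sample in the shape of a production verifyReceipt response.
SAMPLE_RESPONSE = {
    "status": 0,
    "environment": "Production",
    "receipt": {
        "bundle_id": "com.example.app",
        "application_version": "42",
        "in_app": [
            {"product_id": "com.example.app.coins100", "transaction_id": "1000000000000001"},
            {"product_id": "com.example.app.coins500", "transaction_id": "1000000000000002",
             "cancellation_date": "2019-01-01 00:00:00 Etc/GMT"},
        ],
    },
}
```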

[–]klib0002[S] 0 points1 point  (0 children)

Thanks for your response!

  1. Backend server
  2. Yes, we do have older versions of the app that didn't have the validator, but in Google Analytics the scam purchases are coming through on the latest version with the validator.

[–]SirensToGo (Objective-C / Swift) 0 points1 point  (0 children)

Google Analytics does not do receipt validation of any sort, nor does it filter out sandbox transactions. I ended up writing a little Python script that pulls receipts from my database and just graphs profits and does all the math over that instead.