iOS in-app purchases and Firebase


Zack Morris

May 23, 2014, 6:42:02 PM
to fireba...@googlegroups.com

Hi, I have a general question about verifying iOS in-app purchases with Firebase, since there is no central server (normally a node/php/ruby script would verify a receipt at https://buy.itunes.apple.com/verifyReceipt). Here are some relevant links:

http://stackoverflow.com/questions/17695901/ios-verify-app-store-purchase-id-by-developer
http://www.raywenderlich.com/23266/in-app-purchases-in-ios-6-tutorial-consumables-and-receipt-validation
http://ios.biomsoft.com/2011/09/18/verifying-apple-app-store-receipts-for-in-app-purchases-with-php-and-curl/
http://stackoverflow.com/questions/1298998/verify-receipt-for-in-app-purchase
http://stackoverflow.com/questions/1581246/how-can-my-server-securely-authenticate-iphone-in-app-purchase

I’m thinking about saving the receipt somehow in Firebase so that other users can verify independently that a user has paid. I may not even implement security rules on the server for it, but leave that logic client-side. The gist of the issue is that if one player pays for a privilege of some kind, it would feel like cheating if another player managed to get the same functionality without paying.

So I’m trying to figure out a way to independently verify that a player has really paid, perhaps by querying https://buy.itunes.apple.com/verifyReceipt directly from each player’s device, with the other players’ receipts. Like maybe I could tie the receipt and UDID together somehow, but I’m hesitant to make too much info public.

Does anyone know the pros/cons of this? Like are the receipts still valid once the purchase has completed? Any security ramifications? Sorry this is a little esoteric, but it seems like it might be a common issue someday.

Thanks,

Zack Morris
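
Added example, not part of the original post: the checks a trusted verifier would apply to a parsed verifyReceipt response before granting a paid privilege, including what happens when a receipt that other players can read is presented by a second account. The response field names follow Apple's app-receipt JSON; the bundle ID, product ID, user names and the in-memory claim store are hypothetical, and the sample responses are constructed.

```javascript
// Added example. Response field names (status, receipt.bundle_id,
// receipt.in_app[].product_id / transaction_id) follow Apple's app-receipt
// JSON; bundle ID, product ID, user IDs and the claim store are hypothetical.
const EXPECTED_BUNDLE_ID = "com.example.game"; // placeholder

// Decide whether a parsed verifyReceipt response proves that `userId` owns
// `productId`. `claims` maps transaction_id -> first user who presented it;
// in production this must live where clients cannot write to it.
function checkPurchase(response, userId, productId, claims) {
  if (!response || response.status !== 0) {
    return { ok: false, reason: "status is not 0" };
  }
  const receipt = response.receipt || {};
  // A valid receipt from some other app must not unlock anything here.
  if (receipt.bundle_id !== EXPECTED_BUNDLE_ID) {
    return { ok: false, reason: "wrong bundle_id" };
  }
  const matches = (receipt.in_app || []).filter(
    (p) => p.product_id === productId && typeof p.transaction_id === "string"
  );
  if (matches.length === 0) {
    return { ok: false, reason: "product not in receipt" };
  }
  // verifyReceipt validates the receipt, not who submitted it, so a copied
  // receipt passes too. Bind each transaction to the first user who claims it.
  for (const p of matches) {
    const owner = claims.get(p.transaction_id);
    if (owner === undefined || owner === userId) {
      claims.set(p.transaction_id, userId);
      return { ok: true, transactionId: p.transaction_id };
    }
  }
  return { ok: false, reason: "transaction already claimed by another user" };
}

// Constructed sample responses (not captured from Apple).
const validResponse = {
  status: 0,
  receipt: {
    bundle_id: "com.example.game",
    in_app: [{ product_id: "com.example.game.vip", transaction_id: "1000000000000001" }],
  },
};
const otherAppResponse = {
  status: 0,
  receipt: { bundle_id: "com.example.other", in_app: validResponse.receipt.in_app },
};
const sandboxResponse = { status: 21007 }; // sandbox receipt sent to production
```

The claim map is the part that cannot be left to client-side logic: if every player can write to it, the first-claim binding protects nothing.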