0

I want to validate iOS in-app-purchases using my own server. The iOS app will talk to my server which in turn will talk to Apple's server to determine if the IAP is valid. I'm fairly new to networking so I have a basic question: How can I make sure my iOS app is talking to my server securely?

I imagine the app will talk over https but I don't know how this works. Any advice on setting up https communication between the two (or alternate methods of secure communication) is greatly appreciated!

neowinston
SundayMonday

2 Answers

2

Lawson has a point. You can't make your server perform the purchases directly at the AppStore. That has to be performed by your app.

It should request the available product identifiers from your server and then send an SKProductsRequest to the AppStore. If required, it processes the purchase over the app store and tells your own server about it by sending a so-called receipt. The server can validate the receipt directly at the AppStore. But that is the only thing the server can do itself at the AppStore.

You can read more about it here: Overview of In-App Purchase: Server Product Model

As for the connection between your app and your server, I don't think you have much of a (reasonable) choice but to use SSL. Almost anything more secure would require a PKI.

Tobi
  • How can I make my app talk to my server using SSL? Does the server or app need any special certificates? Sorry for the basic questions. I'm quite new to this. – SundayMonday Apr 16 '13 at 20:15
  • 1
    Well, that depends. You need an SSL certificate. Either a 'trusted' one from someone like Verisign (Symantec) - which costs money - or you create your own. – Tobi Apr 16 '13 at 20:21
  • "How can I make my app talk to my server using SSL" is a separate question. It helps make Stack Overflow better if separate questions are made into ...well... separate questions! :) Here is one such question & answer: http://stackoverflow.com/questions/16048880/ssl-communication-from-ios-app-to-server – Olie Oct 26 '14 at 16:08
1

Sorry about the previous answer... I misread your question. You can have your server send a POST request to Apple's server, then parse the response.

https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html

Ryan Epp
Lawson
  • 1
    URL for Receipt validation has changed to: https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html – Simon Meyer Feb 05 '14 at 11:07
  • @Lawson. You might want to delete your previous answer, so you don't continue to lose reputation to down-votes. – Olie Oct 26 '14 at 14:49
  • Thanks... I'm pretty sure the original asker modified the question after I answered... originally it read as if they wanted to have in app purchases skip Apple. See the answer by Tobi. – Lawson Oct 27 '14 at 15:16
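
The server-side step the answers above describe (POST the receipt to Apple, then parse the response), as an added example that is not part of the original posts. It assumes Apple's `verifyReceipt` endpoint and its unified-receipt response fields (`status`, `receipt.bundle_id`, `receipt.in_app`); the function names, the `com.example.myapp` bundle id and the `seen_transactions` set are hypothetical.

```python
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
EXPECTED_BUNDLE_ID = "com.example.myapp"  # assumption: placeholder bundle id


def https_post_json(url, payload):
    """POST JSON over HTTPS; urllib verifies the server certificate by default."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def validate_receipt(receipt_b64, product_id, seen_transactions, post=https_post_json):
    """Return the transaction id if Apple confirms the purchase, else None."""
    payload = {"receipt-data": receipt_b64}  # untrusted until Apple confirms it
    result = post(PRODUCTION_URL, payload)
    if result.get("status") == 21007:  # sandbox receipt was sent to production
        result = post(SANDBOX_URL, payload)
    if result.get("status") != 0:  # 0 is the only "receipt is valid" status
        return None
    receipt = result.get("receipt", {})
    # A genuine receipt issued for a different app must not unlock content here.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return None
    for purchase in receipt.get("in_app", []):
        txn = purchase.get("transaction_id")
        # Credit each consumable transaction once, so a replayed receipt is refused.
        if purchase.get("product_id") == product_id and txn and txn not in seen_transactions:
            seen_transactions.add(txn)
            return txn
    return None
```

Grant the purchase only after this returns a transaction id; whatever the app reports on its own stays unverified.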