
I am researching the best way to do subscription validation without making users log in. I read that Apple doesn't recommend online validation for security reasons: the HTTPS request can be intercepted via a man-in-the-middle attack. (Source - https://blog.apphud.com/receipt-validation/)

This has me thoroughly confused. Does Apple not enforce HSTS, so that receipt validation is open to man-in-the-middle attacks?

What's the best way to do no-login receipt validation on iPhone apps for subscriptions? If I do server-to-server validation without login, won't my back-end be susceptible to hackers just spoofing a userId?

Illusionist
  • HSTS won't help you, because the risk comes from the fact that you don't control the iOS device. The user can MITM or even completely spoof Apple's receipt validation server. The "bad actor" here is not some attacker on the Internet, it is the device owner. If you rely on your own server for validation then there is still some risk that the response can be spoofed, but you can include a digital signature in your server response, which now requires a code-level as well as a network-level attack – Paulw11 Feb 16 '21 at 01:38
  • Thanks - but won't my app have the same code-level verification? – Illusionist Feb 16 '21 at 01:50
  • No, the difference is between getting a yes/no answer from Apple's server (which uses a well-known and documented format) vs. getting a yes/no answer from your server, which you control and where you can build in more verification and security. It is still possible for people to spoof or attack the process, but you have made it a lot harder. – Paulw11 Feb 16 '21 at 02:07

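The signed-response idea from the comments above, worked through as an added example (this is not code from the question, the commenters, or Apple). It assumes the back-end has already validated the receipt with Apple server-to-server (that call is not shown); the product ID and expiry it signs are what that validation reported, so a client-asserted userId is never the source of the entitlement. The server signs the JSON payload with an Ed25519 private key; the app ships only the public key and additionally checks that the response echoes the nonce it generated for this request, so a captured genuine response cannot be replayed later. Key generation, the product identifier and the nonce format are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Entitlement is the server's answer after it has validated the receipt with
// Apple. Every field comes from that validation or from the server clock;
// nothing is copied from the app request except the nonce it must echo.
type Entitlement struct {
	Nonce     string `json:"nonce"`      // per-request value chosen by the app
	ProductID string `json:"product_id"` // as reported by the validated receipt (assumed)
	ExpiresAt int64  `json:"expires_at"` // unix seconds, from the validated receipt (assumed)
	IssuedAt  int64  `json:"issued_at"`  // unix seconds, server clock
}

// SignedEntitlement is the wire format: the exact payload bytes plus an
// Ed25519 signature over those bytes. Any change to the payload breaks it.
type SignedEntitlement struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Server holds the private key. Only the public key is compiled into the app.
type Server struct{ priv ed25519.PrivateKey }

// NewServer generates a throwaway key pair for the demo; a real deployment
// loads the private key from a secret store and pins the public key in the app.
func NewServer() (*Server, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Server{priv: priv}, pub, nil
}

// Issue runs after the server has checked the receipt with Apple (assumed,
// not shown). productID/expiresAt are Apple's answer; nonce is the app's.
func (s *Server) Issue(nonce, productID string, expiresAt, now time.Time) (SignedEntitlement, error) {
	payload, err := json.Marshal(Entitlement{
		Nonce: nonce, ProductID: productID,
		ExpiresAt: expiresAt.Unix(), IssuedAt: now.Unix(),
	})
	if err != nil {
		return SignedEntitlement{}, err
	}
	return SignedEntitlement{Payload: payload, Signature: ed25519.Sign(s.priv, payload)}, nil
}

// NewNonce is the app-side helper: 16 random bytes, hex encoded, kept until
// the matching response has been verified.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", b), nil
}

// Verifier is the app-side check: reject anything not signed by the server
// key, anything that does not echo this request's nonce (replay), and
// anything already expired.
type Verifier struct{ Pub ed25519.PublicKey }

func (v Verifier) Verify(se SignedEntitlement, expectedNonce string, now time.Time) (Entitlement, error) {
	var e Entitlement
	if !ed25519.Verify(v.Pub, se.Payload, se.Signature) {
		return e, errors.New("signature does not verify: response forged or tampered")
	}
	if err := json.Unmarshal(se.Payload, &e); err != nil {
		return e, err
	}
	if e.Nonce != expectedNonce {
		return e, errors.New("nonce mismatch: response replayed from another request")
	}
	if now.Unix() >= e.ExpiresAt {
		return e, errors.New("subscription expired")
	}
	return e, nil
}

// ForgeExpiry models the device owner rewriting an intercepted response to
// push the expiry out while keeping the original signature. Verify rejects it.
func ForgeExpiry(se SignedEntitlement, newExpiresAt int64) SignedEntitlement {
	var e Entitlement
	_ = json.Unmarshal(se.Payload, &e)
	e.ExpiresAt = newExpiresAt
	forged, _ := json.Marshal(e)
	return SignedEntitlement{Payload: forged, Signature: se.Signature}
}

func main() {
	srv, pub, _ := NewServer()
	now := time.Now()
	nonce, _ := NewNonce()
	se, _ := srv.Issue(nonce, "com.example.app.monthly", now.Add(30*24*time.Hour), now)
	app := Verifier{Pub: pub}
	_, err := app.Verify(se, nonce, now)
	fmt.Println("genuine response:  ", err)
	_, err = app.Verify(ForgeExpiry(se, now.Add(365*24*time.Hour).Unix()), nonce, now)
	fmt.Println("forged expiry:     ", err)
	other, _ := NewNonce()
	_, err = app.Verify(se, other, now)
	fmt.Println("replayed response: ", err)
}
```

An asymmetric signature is used rather than an HMAC because any secret embedded in the app binary can be extracted by the device owner and then used to mint responses; with Ed25519 the app holds only the public key, so nothing on the device lets an attacker produce a valid signature. As the comment notes, the owner can still patch the verification out of the app at code level; the signature only removes the purely network-level attack.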
0 Answers