Hacker News new | comments | show | ask | jobs | submit login

"When Store Kit returns a completed purchase to your payment queue observer, the transaction’s transactionReceipt property contains a signed receipt that records all the critical information for the transaction. Your server can post this receipt to the App Store to verify that the receipt is valid and has not been tampered with."

A double check to be sure nothing is amiss I guess. I do find it strange that they can't guarantee this callback is not trigged by a response from a HTTPS source. Actually maybe they are and this fake cert is what is allowing it so they added this two phase check just in case. But this ability to verify is also kept around if you store these receipts on your server. Before you write them to your DB you can check with Apple to make sure they are legit.

Sounds plausible.

Another curious thing in the video demo is the alert dialog popup box that is triggered during the fake purchase, the one with the "Like" button and "Cancel" in Russian. Perhaps the storekit receipt transmission protocol allows for injecting actions on the device such as opening alert boxes, in addition to just posting a signed JSON receipt?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact