Have you tested whether this is effective in eliminating jailbroken hacks? [1] In my experience, this has been the bulk of illegal transactions being made for in app purchases and its tough to validate server-side. I agree though that making the IAP process less complex is a win for developers.
When one of my apps was pirated a few years ago, I became extremely interested in iOS security. Based on my knowledge, I can vouch for the accuracy of the article you linked to.
The article explains quite well what IAP makes secure and what it does not. If you are using IAP to deliver content stored on Parse, Parse's SDK (and server code) makes this process very secure. The attack goes like this:
1) the attacker fakes receipt and sends it to Parse hoping that Parse will deliver the content,
2) Parse will send the receipt to Apple and ask if the receipt is valid and indeed for the product that is being requested,
3) Apple will acknowledge that this receipt is fake or for a product not being required,
4) Parse rejects the request, and no content is delivered. Success.
However, if you are using IAP to unlock features that are already shipped with the app, IAP does not prevent against binary manipulation attacks.
Awesome, in theory this is how it should work. I'm actually more curious as to how you handle it practically though. Because for us, validating the receipt from Apple takes time, so if you are first making a request to Parse and then Parse has to make a request to Apple, the added latency poses a real threat to the user cancelling the transaction, especially on a mobile device with a crappy connection. This is why I see server-side validation as non-ideal. But such is the state of mobile development.
Most of the jail broken cracks are trivial to detect client side. Otherwise... They aren't going to pay anyway, might as well make the experience better for payers and not block on validation( but still track invalid transactions). And besides, if they're willing to install a hackers DNS server and ssl cert, they won't have money for long.
I agree. The hackers will only be a small percentage of your user base (guessing <=5%), if you have a problem at all. This issue is more problematic if you track revenue metrics, and so JB users may inflate your numbers considerably, if you're not cognizant.
It should stop that type of piracy for IAP for the most part. From what I have seen those hacks just fake receipts that will not pass this type of validation. What could happen at some point is jailbreak hacks using real receipts that do pass validation. For that to happen someone would have to make a real purchase and then give that receipt out. That makes it traceable back to the original receipt purchase and adds an initial hurdle. If this were to become popular it would be easy enough to just catalog the hacked receipts and reject them. Apple could do that or it could be something that gets integrated into the system before the request even goes to Apple. This type of server side validation is a pretty solid defense against piracy.
Officially we should not be commenting on iOS 6 given the non-disclosure nature of the preview. Maybe I can discuss what Parse offers that would be difficult for anyone else (Apple/Google/Amazon) to match:
1. iOS 4, iOS 5 compatibility. Today, the most common iOS development target platform is still iOS 4. Using Parse your in-app purchase will be able to work for the customers who are not on the newest iOS platform.
2. Attaching metadata for products. At Parse a lot of our customers want to attach metadata information to products (categories, authors, genres, the publishing date, actors, etc) and to query products based on this information. You can imagine this is a very handy feature for an app that sells comic books. This is very natural to do on Parse because Parse offers a query-able, key-value data store. In fact, anyone, with or without technical background, would be able to use the data browser to add the metadata to the Product class.
3. Hosting content on Parse requires no App Store review, thus introducing no delay/resubmission via iTunes Connect.
4. Hosting content on Parse has no limit on the number of files/total size of files.
5. Cross app-store in-app purchase hosting. At Parse we see a lot of developers making the same app for Android and iOS. By hosting the content on Parse, you can use Parse for both your iOS and Android app. Parse would know how to validate the purchase receipt against iTunes Connect, Google Play, Amazon AppStore, and other App Stores. Currently Parse does not offer Android support, but we would be able to do this if there is sufficient demand.
>> 3. Hosting content on Parse requires no App Store review, thus introducing no delay/resubmission via iTunes Connect.
I think that's incorrect unless you are not selling the content through IAP. You would still need to create an IAP product in order to complete the iTunes IAP receipt validation.
However, for most games, it's designed so users buy virtual currencies and content purchases are not directly tie in to IAP products.
You are correct in that you would need to create your product and get your product approved. However, the product's associated content does not need to be approved. It is my understanding some App store (not necessarily Apple) in the future may require the content itself be reviewed.
Does Parse support Newsstand yet? I mean in an easy-to-set-up-we-already-did-everything-for-you way, not just in a "yeah, you can use Newsstand with Parse" sort of way.
Newsstand also includes background downloading, issue management and an issues list. Some sort of library is also needed, so users can see what they have downloaded and what is on the device. Most indie developers I know struggle with these things if they don't use a pre-packaged publishing suite, like Adobe Digital Publishing or Magster.
Most Newsstand apps are made by larger media companies because they have the money to make them. Indie developers aren't on Newsstand too much right now because we can't figure it out. My own magazine is just an app for the iPad without Newsstand support, and I know a lot of other magazines masquerading as apps when they really should be in Newsstand.
I think if you were to simplify things you would find a large market. Almost every magazine I've seen handles Newsstand the same way, its very standardized, which is perfect for you guys. Despite being standard, the code is frustratingly complex and difficult to implement. You might not see it now because the people that publish magazines aren't necessarily the coders you talk with every day. But small publishers, indie e-zine publishers and other periodical publishers (online and off) know the future is on places like the iPad, they just can't find someone experienced enough to code it from scratch for a low price. They live in a print or online world and iOS developing is a black box.
Does Parse validate the SSL certificate in a way that can't be patched at runtime? If not, it's just as possible to selectively spoof the Parse request as the Apple request.
Sorry, but untrusted hardware can always win. For a case study of how hard this is to get right, see Microsoft's Xbox 360 and note that it was still fully compromised at least once.
