验证来自客户的应用程序购买收据 [英] Verifying In App Purchase Receipt from Client

问题描述

我（几乎）阅读了关于验证应用内购买的所有答案，实际上我已经以服务器端方式实现了它。但是管理服务器有时可能太贵了，理论上你可以从你的应用程序进行验证：基本上只是发送一个json到Apple并得到答案。
当然我知道在越狱设备上收据可能是假的（这就是你验证它们的原因）但是（我请原谅我的无知）为什么我不相信与Apple服务器的https连接？
我的意思是如果用户破解我的应用程序，没有真正的方法可以确定任何事情，但如果黑客是提供虚假收据的一般方法测试Apple就足够了吗？

I read (almost) all the answers on verifying in-app purchase, and actually I already implement it in a server-side fashion. But managing a server sometimes could be too much expensive, and in theory you could do the verify from your app: basically is just sending a json to Apple and get the answer back. Of course I know that on jailbroken devices the receipts may be fake (that's why you verify them) but (I beg pardon my ignorance) why I can't trust an https connection to the Apple server? I mean if the user hack my app, there's no real way to be sure of anything, but if the hack is a general method to provide fake receipts testing with Apple could be enough right?

要明确的是，收件人的应用内验证的安全级别是多少？是否可以添加一定程度的保护os是无用的？

To be clear, what is the security level of an in-app verify of recipts? Can it add some degree of protection os is useless?

推荐答案

这个答案很好地解释了为什么你必须使用服务器端检查来限制某些通用破解程序的效果，比如IAP cracker;除了链接内容传递API中的iTunes json请求是非常方便的，答案很快。

This answer explains quite well why you must use server side checking to limit the effect of some "general purpose" crackers, like "IAP cracker"; besides chaining the iTunes json request in your content delivery API is quite convenient and the answer is fast.

当然，如果您的目标是提供应用程序中已有但已锁定的某些内容，您可能会觉得为此专门设置服务器并不方便，但我会请你做这个实验：

Of course if your aim is to provide some content already in the app but locked, you may feel it is not convenient to setup a server specifically for this, but I will ask you to do this experiment:

1. 制作一个包含一些好内容的应用，这个内容已经锁定在应用中（所以没有内容服务器需要）


2. 添加一些分析只是为了跟踪这个锁定功能的使用情况


3. 一个月后，将购买数量与新用户数量进行比较使用付费功能。


4. 此时您将清楚地知道，仅为收据验证添加服务器脚本是一项不错的投资;除了有一些非常便宜的服务（例如：都市飞艇）我们已经为你做了这个，所以你不需要为此设置硬件。

1. make an app with some good content and this content already locked in the app (so no content server need)
2. add some analytics just to track the usage of this locked feature
3. after some month, compare the number of purchases with the number of new users using the paid feature.
4. at this point it will be clear for you that adding a server script just for receipt validation is a good investment; besides there are some services, which are very cheap (e.g.: urban airship) we already do this for you, so you don't need to setup an hardware for this.

这篇关于验证来自客户的应用程序购买收据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！