Graphics guru and some-time developer Sean Christmann has offered some sage advice for Mac App Store coders who might be worried that their offerings are susceptible to what he describes as “a massive failure in the implementation of Apple’s receipt system.”
In his Craftymind blog, Christmann explains why some devs have found themselves in this situation in the first place:
“Apple’s current documentation on how to validate receipts is fairly complex,” he writes, “but the sample code and Apple’s own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, it instructs developers to validate against plain text data easily editable with any text editor.”
He suggest that developers using Apple’s default security should bolster that by adding additional validation steps. Specifically, he says that coders should verify that the receipt bundle identifier matches the value for CFBundleIdentifier that you hard code into your application.
He also recommends verifying that the version identifier string in the receipt matches the value for CFBundleShortVersionString hard coded into applications. If they do not match, verification fails.
Christmann points out that Angry Birds, which appears to have become the whipping boy for the simple hack, has implemented only two out of the five available validation steps suggested by Apple.Leave a comment on this article