Back last year, that Russian hacker created a way to validate in-app purchases without payment, and this guy created a class to verify each purchase.
As far as I know, this technique exposed by the hacker does not work on iOS 6 anymore, but I am not sure about that.
I am creating a new app for iOS 6 and trying to keep the code to a minimum. Even better than that, my in-apps involve hosted content with Apple, so I wonder if this added validation is really necessary in my case.
Remember that
- I am developing for iOS 6 and up;
- my in-apps have hosted content with Apple, so even if the hacking technique works the person will never get the content hosted with Apple.
Any thoughts?
Thanks.
1 answer
#1
0
The vulnerability should be addressed in iOS6, but that does not mean you should deviate from Receipt Validation best practices in general. See Verifying Store Receipts and In-App Purchase Receipt Validation on iOS for more information.
As mentioned in the links above, Apple recommend you follow their best practices for receipt validation, be it on iOS 5 or iOS 6. "Simplicity of code" is not a good enough excuse to deviate from these guidelines. If you structure your code into well defined classes, you can abstract away all the receipt validation logic to its own class, making the code that uses it a lot cleaner anyway.
If you connect to the App Store directly from the App for validation, the measures they explicitly state (see "My app performs validation by connecting to the App Store server directly. How am I affected?") should help. If you implement them in an abstracted way (in a category or class), then it should still keep your code clean.
Even if your content is hosted by Apple, you're still giving yourself an extra safeguard against fraud. Apple are not perfect; they could slip up themselves leaving your app open.
Ultimately, when you're dealing with your own revenue, you had better play it safe than be sorry afterwards.
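One way to apply the kind of checks the answer points to, as an added example that is not code from the question, the answer, or Apple's documentation: a small Python validator for the JSON that a verifyReceipt call returns. It assumes the iOS 6-era response layout (a "status" field plus a "receipt" object carrying "bid", "product_id" and "transaction_id"), hard-coded bundle and product identifiers (com.example.hostedreader and its products are made up for the example), and an in-memory set standing in for the database of already-redeemed transaction ids. All response bodies are constructed samples, not real App Store output.

```python
"""Checks applied to a verifyReceipt response before unlocking content.

Added example, not code from the question or answer above. The response
bodies are constructed samples that mimic the shape of the iOS 6-era
verifyReceipt JSON ("status" plus a "receipt" object with "bid",
"product_id" and "transaction_id"); every identifier is an assumption.
"""
import base64
import json
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed identifiers. In a real app these are hard-coded constants that a
# forged response has to match, rather than values read from the response.
EXPECTED_BUNDLE_ID = "com.example.hostedreader"
KNOWN_PRODUCT_IDS = {"com.example.hostedreader.issue1",
                     "com.example.hostedreader.issue2"}


@dataclass
class ValidationResult:
    ok: bool
    reason: str
    transaction_id: Optional[str] = None
    product_id: Optional[str] = None


def build_verify_request(receipt_bytes: bytes) -> str:
    """Body POSTed to Apple's verifyReceipt endpoint: the raw receipt, base64-encoded."""
    return json.dumps({"receipt-data": base64.b64encode(receipt_bytes).decode("ascii")})


def validate_verify_response(body: str,
                             expected_bundle_id: str,
                             known_product_ids: Set[str],
                             seen_transactions: Set[str]) -> ValidationResult:
    """Decide whether a verifyReceipt response entitles the user to a product.

    "status": 0 on its own is exactly what a spoofed verification server can
    return, so the receipt's bundle id and product id are compared against
    values the code already knows, and each transaction id is accepted only
    once (seen_transactions would be persistent storage in production).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return ValidationResult(False, "response is not JSON")
    if data.get("status") != 0:
        return ValidationResult(False, f"App Store status {data.get('status')}")
    receipt = data.get("receipt")
    if not isinstance(receipt, dict):
        return ValidationResult(False, "no receipt object in response")

    bundle_id = receipt.get("bid")  # assumed iOS 6-era key; later receipts use "bundle_id"
    if bundle_id != expected_bundle_id:
        return ValidationResult(False, f"bundle id mismatch: {bundle_id!r}")
    product_id = receipt.get("product_id")
    if product_id not in known_product_ids:
        return ValidationResult(False, f"unknown product id: {product_id!r}")
    transaction_id = receipt.get("transaction_id")
    if not transaction_id:
        return ValidationResult(False, "missing transaction id")
    if transaction_id in seen_transactions:
        return ValidationResult(False, f"transaction {transaction_id} already redeemed (replay)")

    seen_transactions.add(transaction_id)
    return ValidationResult(True, "valid", transaction_id, product_id)


# Constructed sample responses (not real App Store output).
GENUINE = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.hostedreader", "bvrs": "1.0",
    "product_id": "com.example.hostedreader.issue1",
    "transaction_id": "1000000012345678", "quantity": "1"}})
# A valid-looking receipt that belongs to a different app, handed back with
# status 0: the field checks, not the status code, are what reject it.
OTHER_APP = json.dumps({"status": 0, "receipt": {
    "bid": "com.attacker.freebie", "product_id": "com.example.hostedreader.issue1",
    "transaction_id": "1000000099999999"}})
REJECTED = json.dumps({"status": 21002})  # malformed receipt-data


def demo() -> List[ValidationResult]:
    """Run the validator over the samples; the second GENUINE is a replay."""
    seen: Set[str] = set()
    return [validate_verify_response(r, EXPECTED_BUNDLE_ID, KNOWN_PRODUCT_IDS, seen)
            for r in (GENUINE, GENUINE, OTHER_APP, REJECTED, "not json")]


if __name__ == "__main__":
    for result in demo():
        print("ACCEPT" if result.ok else "REJECT", result.reason)
```

Running the block accepts the genuine receipt once, then rejects its second submission as a replay, rejects the other app's receipt despite its status 0, and rejects the non-zero status and non-JSON bodies. Whether this logic runs on the device or, preferably, on your own server that calls Apple over TLS with certificate verification, the point the answer makes holds: the checks live in one small validator class and the code that unlocks content stays clean.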