How is storing the shared secret password safe? #263
Comments
|
@San-Jeevan SwiftyStoreKit simply provides a way to send the shared secret to the Apple endpoints (https://buy.itunes.apple.com/verifyReceipt and https://sandbox.itunes.apple.com/verifyReceipt) when verifying the receipt. This is done in the AppleReceiptValidator class, which is simply a reference implementation for how to do receipt validation with Apple. Sounds like I should clarify this in the README so that users are aware of any security implications and quote any recommendations by Apple on this matter. |
|
With the latest changes on develop, the shared secret is now used only by I'm closing this as the README now better explains the security considerations around this. Feel free to reopen if you feel the documentation could be improved further. |
The new version of this component requires shared apple password as input parameter to verify receipt. If someone reverse engineer the binary they can retrieve the password and use it for malicious purposes!!
the shared secret is supposed to be used on own server for verifying receipts
The text was updated successfully, but these errors were encountered: