[Solved] receipt validation questions

Hi,

I got the unity IAP system working correctly, even tested in on an android device and it all seems to work.

However I don't fully understand the receipt validation. I basically use a copy pasted code from the manuals.
What I understand the least is the IAP obfuscator, I have no idea why and how to use this, especially for multiple platforms (I target android, amazon, ios, osx and windows 10).
I understand I can copy my google play license key in there, but how about on apple? how is this used? what does it do?

the code I use for receipt validation (from the manual)
#if RECEIPT_VALIDATION
if (Application.platform == RuntimePlatform.Android ||
Application.platform == RuntimePlatform.IPhonePlayer ||
Application.platform == RuntimePlatform.OSXPlayer) {
try {
var result = validator.Validate(e.purchasedProduct.receipt);
Debug.Log("Receipt is valid. Contents:");
foreach (IPurchaseReceipt productReceipt in result) {
Debug.Log(productReceipt.productID);
Debug.Log(productReceipt.purchaseDate);
Debug.Log(productReceipt.transactionID);

GooglePlayReceipt google = productReceipt as GooglePlayReceipt;
if (null != google) {
Debug.Log(google.purchaseState);
Debug.Log(google.purchaseToken);
}

AppleInAppPurchaseReceipt apple = productReceipt as AppleInAppPurchaseReceipt;
if (null != apple) {
Debug.Log(apple.originalTransactionIdentifier);
Debug.Log(apple.subscriptionExpirationDate);
Debug.Log(apple.cancellationDate);
Debug.Log(apple.quantity);
}
}
} catch (IAPSecurityException) {
Debug.Log("Invalid receipt, not unlocking content");
return PurchaseProcessingResult.Complete;
}
}
#endif


Hope somebody can clear this up, thanks!

 

Hi @wouter_vugt,

Receipt validation is useful to avoid giving out products that are supposed to be purchased to people providing fraudulent receipts. There are many ways that users can trick apps into thinking that they have paid for products when they haven't, receipt validation contacts the relevant stores and verifies the transaction is legitimate before telling the application to release the product to the user. Although it's not a guarantee (as with anything in security) it can help to catch many cases!

The reason you need the secret keys obfuscated is so that hackers can't see or change them to anything they want. There is a more detailed explanation in the manual page: https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html

In the Obfuscator, you don't need to add anything for Apple because their root certificate comes bundled with IAP. Google does there validation differently, which is why you need to provide a key from them. Currently we only support Google Play, iOS and OSX for receipt validation - Windows and Amazon are not yet supported. This is why receipt validation code is enclosed in the RECEIPT_VALIDATION ifdef - to make sure that the code isn't used in unsupported platforms

 

Thanks for your reply!

So from what I understand, I don't need to do anything for iOS and OSX for receipt validation, and only use the obfuscator for receipt validation on android?

will windows and amazon be supported in the future?

 

Hi @wouter_vugt,

For the first part of your question, you still need to use the obfuscator for Apple receipt validation, to create the AppleTangle file - you just don't need to add any information to it for Apple the way you do with Google.