Forum Xamarin.iOS

How Can I Validate Mac App Store Receipt Locally?

On Mac apps you should validate the app store receipt to ensure the .app wasn't copied and running on an unauthorized computer. Finding the receipt is easy. Reading and parsing it is another matter. All of the examples are in Objective-C and seem to include libraries not part of Mono?

For example:

#include <openssl/bio.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

/* Returns 1 when the receipt verifies against the Apple root; the signed payload is left in *payload_out. */
int verify_receipt(const void *receipt, int receipt_len, const void *root_der, int root_len, BIO **payload_out)
{
    /* The PKCS #7 container (the receipt) and the output of the verification. */
    BIO *b_p7; // Where in Mono/Xamarin?
    PKCS7 *p7;

    /* The Apple root certificate, as raw data and in its OpenSSL representation. */
    BIO *b_x509;
    X509 *Apple;

    /* The root certificate for chain-of-trust verification. */
    X509_STORE *store = X509_STORE_new();

    /* Initialize both BIO variables using BIO_new_mem_buf() with a buffer and its size, then decode both from DER. */
    b_p7 = BIO_new_mem_buf(receipt, receipt_len);
    b_x509 = BIO_new_mem_buf(root_der, root_len);
    p7 = d2i_PKCS7_bio(b_p7, NULL);
    Apple = d2i_X509_bio(b_x509, NULL);
    if (p7 == NULL || Apple == NULL || !X509_STORE_add_cert(store, Apple)) return 0;

    /* Initialize b_out as an output BIO to hold the receipt payload extracted during signature verification. */
    BIO *b_out = BIO_new(BIO_s_mem()); // Where in Mono/Xamarin?

    /* PKCS7_verify() checks the signature and the chain to the Apple root and writes the signed payload to b_out. */
    *payload_out = b_out;
    return PKCS7_verify(p7, NULL, store, NULL, b_out, 0);
}

Does anyone have a working example of how to validate a local receipt for Mac apps? Unless you do so, nothing prevents someone from copying the .app file over to any computer and running your app. Only receipt validation ensures your Mac app is running on the computer that downloaded the app from the Mac App Store.

I appreciate any feedback.

Thanks!

Posts

  • JohnConners (GB, Member)

    Did you ever figure out how to do this?

  • DavidCaraway (US, Beta)

    @JohnConners I ended up creating a dynamic library in Objective-C largely based on this example: https://gist.github.com/sazameki/3026845

    I then used a standard DLLImport to call the functions. It will not deter hard core hackers, but it's a niche app and I'm not overly worried. I just wanted to deter ordinary users from copying the app.

  • JohnConners (GB, Member)

    Thanks @CarawayDJ! I actually ended up getting it working in C# using the Bouncy Castle library. Pretty easy for a hacker to circumvent but like you I was only concerned with regular users.

  • ChrisLamont.3643 (US, University)

    I'd love to see the C# implementation if you don't mind?

    @JohnConners said:
    Thanks @CarawayDJ! I actually ended up getting it working in C# using the Bouncy Castle library. Pretty easy for a hacker to circumvent but like you I was only concerned with regular users.

  • JohnConners (GB, Member)

    So when I updated my app to the unified (mobile) framework I wasn't able to get Bouncy Castle to work any longer so I created a helper library doing exactly what DavidCaraway did above using the code linked to. If you're able to use Bouncy Castle in your implementation drop me an email - [email protected] - and I'll send you the code.
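An added worked example of the managed route JohnConners describes (Bouncy Castle in C#), written for this page and not the poster's code or anything from the linked gist: it verifies the receipt's CMS signature, walks the certificates embedded in the receipt up to an Apple root certificate the caller supplies, decodes the payload attribute set, and checks the hash that binds the receipt to the machine. Assumed: the Org.BouncyCastle API of the 1.7/1.8 era (IX509Store, GetCertificates("Collection")), a caller-supplied Apple root certificate in DER form, and a native helper (not shown) that returns the primary MAC address used as the machine GUID.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Cms;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;

// Added example, not the forum poster's code. Assumes the Bouncy Castle 1.7/1.8-era API.
public sealed class ReceiptValidator
{
    public string BundleId { get; private set; }     // attribute type 2 (decoded)
    public byte[] BundleIdRaw { get; private set; }  // attribute type 2 (raw octets, used in the hash)
    public string AppVersion { get; private set; }   // attribute type 3
    public byte[] Opaque { get; private set; }       // attribute type 4
    public byte[] Hash { get; private set; }         // attribute type 5 (SHA-1)

    // Verify the CMS signature, check that the signer chains to the supplied Apple root,
    // then decode the signed payload (the receipt attribute set).
    public static ReceiptValidator Load(byte[] receiptDer, byte[] appleRootDer)
    {
        X509Certificate appleRoot = new X509CertificateParser().ReadCertificate(appleRootDer);
        var signed = new CmsSignedData(receiptDer);
        IX509Store certStore = signed.GetCertificates("Collection");

        foreach (SignerInformation signer in signed.GetSignerInfos().GetSigners())
        {
            X509Certificate signerCert = certStore.GetMatches(signer.SignerID)
                                                  .Cast<X509Certificate>().FirstOrDefault();
            if (signerCert == null || !signer.Verify(signerCert))
                throw new CryptographicException("receipt signature does not verify");
            VerifyChainToRoot(signerCert, certStore, appleRoot);
        }

        byte[] payload = (byte[])signed.SignedContent.GetContent();
        return Parse(payload);
    }

    // Follow issuer links from the signing certificate through the embedded intermediates
    // until a certificate issued by the root is reached; every link's signature is checked.
    static void VerifyChainToRoot(X509Certificate leaf, IX509Store certStore, X509Certificate root)
    {
        X509Certificate current = leaf;
        for (int depth = 0; depth < 5; depth++)
        {
            if (current.IssuerDN.Equivalent(root.SubjectDN))
            {
                current.Verify(root.GetPublicKey()); // throws on a bad signature
                return;
            }
            var selector = new X509CertStoreSelector { Subject = current.IssuerDN };
            X509Certificate issuer = certStore.GetMatches(selector)
                                              .Cast<X509Certificate>().FirstOrDefault();
            if (issuer == null) break;
            current.Verify(issuer.GetPublicKey());
            current = issuer;
        }
        throw new CryptographicException("signer certificate does not chain to the Apple root");
    }

    // Payload layout: SET OF SEQUENCE { type INTEGER, version INTEGER, value OCTET STRING }.
    static ReceiptValidator Parse(byte[] payload)
    {
        var result = new ReceiptValidator();
        var set = (Asn1Set)Asn1Object.FromByteArray(payload);
        foreach (Asn1Encodable item in set)
        {
            var seq = (Asn1Sequence)item.ToAsn1Object();
            int type = ((DerInteger)seq[0]).Value.IntValue;
            byte[] value = ((Asn1OctetString)seq[2]).GetOctets();
            switch (type)
            {
                case 2: result.BundleIdRaw = value; result.BundleId = DecodeUtf8(value); break;
                case 3: result.AppVersion = DecodeUtf8(value); break;
                case 4: result.Opaque = value; break;
                case 5: result.Hash = value; break;
            }
        }
        return result;
    }

    // Bundle identifier and version are DER UTF8String values nested inside the OCTET STRING.
    static string DecodeUtf8(byte[] der)
    {
        return ((DerUtf8String)Asn1Object.FromByteArray(der)).GetString();
    }

    // Machine binding: SHA-1(GUID || opaque || raw bundle id) must equal the stored hash.
    // machineGuid is the primary MAC address; obtaining it needs a native helper (assumed, not shown).
    public bool MatchesThisMachine(byte[] machineGuid)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] input = machineGuid.Concat(Opaque).Concat(BundleIdRaw).ToArray();
            return sha1.ComputeHash(input).SequenceEqual(Hash);
        }
    }
}
```

Usage: read Contents/_MASReceipt/receipt from the app bundle into a byte array, call ReceiptValidator.Load with it and the Apple root DER, compare BundleId and AppVersion with the values in the app's Info.plist, and finally call MatchesThisMachine with the GUID from the native helper; any exception or false result means the receipt is not valid for this copy of the app. The chain walk above checks signatures only; it does not evaluate validity periods or extensions, which a full PkixCertPathBuilder-based validation would.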
