If you are developing an application for Mac and want to distribute it in the Mac App Store, you will be inevitably faced to receipt validation. This entry explains what is receipt validation and why Receigen can help you.
What is receipt validation ?
When you purchase an application from the Mac App Store, it installs into the /Applications folder of your Mac. Inside the application bundle, the Mac App Store application places a receipt file. This file is a record of sale that can be used to check if the installed copy of the application is authorized to run. Apple is providing a comprehensive documentation on the technical issues.
Why do I need receipt validation ?
If you fail to property validate the receipt file, anybody with a copy of your application can run it, with or without proper authorization. This happened to some developpers in the early days of Mac App Store.
What are the steps of validation ?
In order to code the receipt validation, you need to understand:
- how asymetric cryptography works
- how signature are attached to a container
- how ASN.1 encodng/decoding works
- how to obfuscate code to harden the reverse engineering.
Here is the basic workflow to use when validating a receipt:
- Locate the receipt file to load it: this is an easy part as its location is fixed inside the application bundle.
- Verify that the receipt is properly signed: the receipt file is a PKCS#7 container that contains the receipt data and that is signed by Apple.
- Extract the receipt data: the receipt data are encoded in ASN.1 format, which is a compact binary format widely used in cryptography.
- Check that the receipt data matches the bundle information and the machine the application is running on.
- Make sure that the checking code is secure. You should hide strings, constants, function calls and make sure that the validation code changes between each release of your application.
Damn, that seems a lot of work
Yes, it is. And I am sure that you have better to do than spending hours on this topic. Receigen has been designed to cope with all this tedious work, by ensuring that you can focus on your application and only your application.
Here is what Receigen brings you:
- Smart generation of validation code: all it needs is the bundle identifier and version.
- Seamless integration with Xcode: Receigen can be invoked on the command line easily.
- Human readable code: Receigen produces a human readable code but still obfuscated when compiled.
- Never twice the same code: Receigen embeds a code generator that produce a different output each time it is invoked.
- A tiny price: think about the time you will have spent to produce the same code.