Recipes: Validating Mac App Store Receipts

URL: https://github.com/roddi/ValidateStoreReceipt

Quality: WIP, but in use by a number of OSX devs

One of the interesting parts of life on the Mac App Store is that Apple gives you all sorts of rules about your app's behavior, but basically only 5 lines about how to ensure that your app is, in fact, being launched on the machine of a legit app purchaser, and not freshly downloaded off some ‘warez board. Validating the MAS (“Mac App Store”) receipt is one basic way to ensure the copy being launched is legit.

The code referenced here, created by Ruotger Skupin and a number of other contributors, allows you to pass in the path to the receipt that gets stored in your app’s bundle and see if that receipt is still cryptographically valid (i.e., whether it may have been hacked).

Of course, your binary could get patched to circumvent this check, and there are lots of other ways people can get around any safeguard you build in… but it's a good idea to check anyway. As Apple notes in their online docs (Apple developer login required), making this a simple if/then check in your code is pretty easily spotted and defeated… you will want both to obfuscate the check itself and, probably, to check the validity of the receipt in several places and add extra measures to ensure your app quits in the case of a failed validation check.
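As an added illustration (not code from ValidateStoreReceipt or from this post), the Python example below shows the step that ties a receipt to one app on one machine: it parses the receipt payload's attribute set and recomputes the SHA-1 over the machine GUID, the opaque value and the raw bundle identifier, following the receipt layout in Apple's receipt validation documentation. It assumes the PKCS#7 signature has already been verified and the payload extracted; `receipt_matches`, `sample_payload`, the bundle identifier and the GUID bytes are hypothetical names and constructed values.

```python
import hashlib
import hmac
BUNDLE_ID, APP_VERSION, OPAQUE_VALUE, SHA1_HASH = 2, 3, 4, 5  # receipt attribute types

def read_tlv(buf, pos=0):
    """Read one DER element; return (tag, value, next_pos). Bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past the buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_attributes(payload):
    """Map attribute type -> raw value bytes from the payload's SET of SEQUENCEs."""
    outer, body, _ = read_tlv(payload)
    attrs, pos = {}, 0
    while pos < len(body):
        tag, seq, pos = read_tlv(body, pos)
        t_tag, t_val, p = read_tlv(seq)      # INTEGER: attribute type
        _, _, p = read_tlv(seq, p)           # INTEGER: attribute version
        v_tag, value, _ = read_tlv(seq, p)   # OCTET STRING: attribute value
        if (outer, tag, t_tag, v_tag) != (0x31, 0x30, 0x02, 0x04):
            raise ValueError("malformed receipt payload")
        attrs[int.from_bytes(t_val, "big")] = value
    return attrs

def receipt_matches(payload, guid, bundle_id, version):
    """True only if the payload names this app and is bound to this machine's GUID."""
    try:
        a = parse_attributes(payload)
        raw_id, opaque, stored = a[BUNDLE_ID], a[OPAQUE_VALUE], a[SHA1_HASH]
        same_app = (read_tlv(raw_id)[1] == bundle_id.encode()
                    and read_tlv(a[APP_VERSION])[1] == version.encode())
    except (ValueError, KeyError):
        return False  # fail closed on any malformed or incomplete payload
    digest = hashlib.sha1(guid + opaque + raw_id).digest()
    return same_app and hmac.compare_digest(digest, stored)

def sample_payload(guid, opaque=b"\x01" * 8):  # constructed sample, short-form DER only
    der = lambda tag, v: bytes([tag, len(v)]) + v
    raw = der(0x0C, b"com.example.app")
    vals = {2: raw, 3: der(0x0C, b"1.0"), 4: opaque, 5: hashlib.sha1(guid + opaque + raw).digest()}
    return der(0x31, b"".join(der(0x30, der(2, bytes([t])) + der(2, b"\x01") + der(4, v)) for t, v in vals.items()))
```

Pass the expected bundle identifier and version as constants compiled into the app rather than values read from Info.plist at run time, since that file can be edited along with the receipt.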


About David Spector

David HM Spector is a software developer, writer, and entrepreneur specializing in MacOSX/iOS development, and social network applications. He’s written for C|Net’s Tech Republic, InformationWeek, Fortune, WIRED and various other publications both online and in traditional print media. His consulting company is Zeitgeist Information Systems, canonically known as “Zeitgeist.” (And, no, he's got nothing to do with The Zeitgeist Movie...)
