Keeping sharedSecret secret
FergalMohan opened this issue · 1 comments
Hi Matt, I'm hoping you can clarify something around the use of the password field when using the verifyTransactionWithMethod: method. Apple recommends that a Server is used to combine the SharedSecret (password) with the receipt before calling Apple to verify it so that the secret is not embedded in the App. AFAICR this is specifically for auto-renewing subscriptions but might apply to other IAPs. CargoBay seems to be subverting that recommendation by combining the SharedSecret on the Client side, or is it doing something special that eliminates the need for an intermediate Server in the first place?
Fergal
verifyTransactionWithMethod: is provided as a convenience, and does not prescribe any one particular way of doing this. A password may be sent with the request, but it is not required. I do not have any personal recommendations beyond what Apple might suggest.
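
The server-side arrangement raised in this issue, as an added example that is not part of the thread or of CargoBay: the app sends only its receipt, and the server attaches the shared secret before calling Apple's verifyReceipt endpoint. The function name, the `IAP_SHARED_SECRET` variable and the injectable `post` transport are assumptions made for illustration; the retry on status 21007 goes beyond what the thread discusses.

```python
import json
import os
import urllib.request

# Apple's verifyReceipt endpoints; the server, not the app, calls them.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
SANDBOX_RECEIPT_SENT_TO_PRODUCTION = 21007  # Apple status code


def http_post_json(url, payload):
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_receipt(receipt_b64, shared_secret=None, post=http_post_json):
    """Body of a hypothetical server endpoint the app sends its receipt to.

    The app supplies only the base64 receipt. The shared secret comes from
    server configuration (IAP_SHARED_SECRET is an assumed variable name).
    """
    secret = shared_secret or os.environ.get("IAP_SHARED_SECRET")
    if not secret:
        raise RuntimeError("shared secret is not configured on the server")
    if not isinstance(receipt_b64, str) or not receipt_b64:
        raise ValueError("receipt must be a non-empty base64 string")

    body = {"receipt-data": receipt_b64, "password": secret}
    reply = post(PRODUCTION_URL, body)
    if reply.get("status") == SANDBOX_RECEIPT_SENT_TO_PRODUCTION:
        reply = post(SANDBOX_URL, body)  # test-environment receipt: retry there

    # Return only what the app needs; never echo the request or the secret.
    status = reply.get("status")
    return {"valid": status == 0, "status": status}
```

With this split the secret lives only in server configuration, so extracting strings from the shipped app binary does not reveal it.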