iOS in app-purchase receipt validation - sandbox vs production url?

Question

I followed Ray Wenderlich\'s tutorial to implement receipt validation in my app. The code connects to Apple\'s validation server directly from my app rather than going thro

Answer 1

The solution is quite simple and it was explained on session 308 of WWDC 2012 (the video is available for registered developers). The session was related to subscriptions but you can extend it for in app purchases.

What happens is that when you develop you hard code your app to validate the receipt with the sandbox. Then you send the app to review, you clearly hard coded your app to validate the receipt with the production server.

But nothing prevents you from doing the validation in two steps:

• always validate the receipt with the production server first, this will apply for 99% of your app life. If the receipt is validated, you're done.
• if previous validation failed, just validate the receipt with the sandbox server. This should cover your development needs and of course fake receipts will fail validation too.

By the way, and this is officially stated in the documentation ONLY for subscriptions, if you try to validate a sandbox receipt with the production server you will get a specific status code; there is another status code that covers the case of production receipt validated with the sandbox server. In all cases the two worlds, sandbox and production, are always separated.

Don't forget also that with iOS7 added a new safer way to manage receipt validation directly from the device: consider in fact that receipt validation directly from the client (that you don't fully control, e.g. with jailbroken devices) is less secure than receipt validation done through a server you control.