from Hacker News

new iOS IAP hack (no jailbreak required)

by bignoggins on 7/19/12, 6:16 AM with 1 comments

  • by stevenwei on 7/19/12, 6:40 AM

    Isn't this only an issue if your app is submitting receipt validation requests directly from the device to Apple's validation server? E.g.

      device -> itunes.apple.com/verifyReceipt
    
    I thought the best practices for receipt validation involved having your app submit the receipt to your own server first, and then performing the receipt validation with Apple on the server side. E.g.

      device -> yourownserver.com -> itunes.apple.com/verifyReceipt
    
    In which case, even if someone man-in-the-middle's apple.com on their device, it doesn't affect the receipt validation that you perform server side. Or am I misunderstanding something and the hack is occurring at a lower level than that?
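The server-side flow described in this comment, written out as an added example that is not part of the original thread: the device hands its receipt to your own server, only that server calls Apple's verifyReceipt endpoint, and the server then checks the fields that tie the reply to your app and product rather than trusting a bare "valid" answer. This is Python; the endpoint URL and the response keys (`status`, `receipt.bundle_id`, `receipt.in_app[].product_id`, `transaction_id`) follow Apple's documented JSON reply for the unified receipt format, and the sample receipt, bundle id, product id and `fake_transport` are constructed for illustration.

```python
import base64
import json
import urllib.request

# Apple's production verifyReceipt endpoint (the sandbox one is
# https://sandbox.itunes.apple.com/verifyReceipt). Only the server ever
# calls it; the device just hands its receipt to our server.
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def post_to_apple(receipt_b64, url=APPLE_VERIFY_URL):
    """Default transport: POST {"receipt-data": ...} to Apple, parse the JSON reply."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def validate_purchase(receipt_b64, expected_bundle_id, expected_product_id,
                      seen_transactions, transport=post_to_apple):
    """Server-side check of one purchase.

    Returns (ok, reason, transaction_id). `seen_transactions` is a set the
    server persists so one legitimate receipt cannot be redeemed twice.
    `transport` is injectable so the logic can be exercised offline.
    """
    try:
        base64.b64decode(receipt_b64, validate=True)
    except ValueError:
        return False, "receipt is not base64", None

    reply = transport(receipt_b64)

    # status 0 is the only success value; anything else is rejected.
    if reply.get("status") != 0:
        return False, "apple status %s" % reply.get("status"), None

    receipt = reply.get("receipt") or {}
    # A reply that is "valid" but belongs to some other app is worthless to us.
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "bundle_id mismatch", None

    for item in receipt.get("in_app") or []:
        if item.get("product_id") != expected_product_id:
            continue
        tx_id = item.get("transaction_id")
        if not tx_id:
            continue
        if tx_id in seen_transactions:
            return False, "transaction already redeemed", tx_id
        seen_transactions.add(tx_id)
        return True, "ok", tx_id

    return False, "product not in receipt", None


# --- constructed sample data, not a real Apple reply -----------------------
SAMPLE_RECEIPT_B64 = base64.b64encode(b"constructed-receipt-bytes").decode()
SAMPLE_APPLE_REPLY = {
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.game",
        "in_app": [
            {"product_id": "com.example.game.coins100",
             "transaction_id": "1000000123456789"},
        ],
    },
}


def fake_transport(_receipt_b64):
    """Stand-in for post_to_apple that returns the constructed reply."""
    return dict(SAMPLE_APPLE_REPLY)


def demo():
    seen = set()
    first = validate_purchase(SAMPLE_RECEIPT_B64, "com.example.game",
                              "com.example.game.coins100", seen, fake_transport)
    replay = validate_purchase(SAMPLE_RECEIPT_B64, "com.example.game",
                               "com.example.game.coins100", seen, fake_transport)
    wrong_app = validate_purchase(SAMPLE_RECEIPT_B64, "com.other.app",
                                  "com.example.game.coins100", set(), fake_transport)
    return first, replay, wrong_app


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the device never sees the server-to-Apple exchange, tampering with what the device can reach does not change the answer your server gets; the bundle and product checks additionally reject a reply that is genuine but for a different app or item, and the persisted transaction set stops one real receipt from being presented again.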