Receipt Validation Questions



  • I integrated SIS into my app and I'm using the on-device validation system, but my analytics still show me getting tons of "purchase complete" transactions with very few corresponding transactions in the official iTunes sales report, so I seem to have a fair bit of fraud.

    1. Are there any extra steps needed to activate on-device validation for iOS? The 5 Step process in the SIS documentation is mostly about the Google Play Public Key, no mention of iOS. I did Steps 4 & 5, but I might be missing something else.

    2. Is there a callback function for validation failure? I'd be curious to compare the numbers. If I'm getting 100 false "purchase complete" events a day it seems like validation isn't working, but if I'm getting 5,000 "validation failed" events in the same time then it's working almost perfectly!

    3. Is the server-side validation only for subscriptions? The documentation only seems to mention subscriptions (phrases like "If you want to use and verify subscriptions in your game, you will have to set this key" in SIS documentation, and "The app-specific shared secret is a unique code to receive receipts for only this app’s auto-renewable subscriptions" in App Store Connect), but it would be nice to have an extra layer of fraud detection for plain old IAPs.

    Thanks in advance!



    1. Client-side receipt validation is the least protective solution against fake purchases, due to it happening only locally. Client-side receipt validation is not something developed in Simple IAP System, but supported and implemented in Unity IAP itself. As written in its official documentation, there are no further instructions for iOS.

    https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html

    2. No separate callback, please open the ReceiptValidatorClient script and search for "failed".

    3. No. Server-side receipt validation is absolutely needed for subscriptions, as otherwise you would not be able to check for expired subscription products for removing access to them. That's why they are mentioned explicitly in that documentation section. However, server-side receipt validation verifies any type of product - consumable, non-consumable and subscription products. I'm not sure where you got that last sentence from which mentions auto-renewable subscriptions.
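
An added example for the thread above (not code from Simple IAP System, Unity IAP, or either poster): a sketch of the checks a server can run on an ordinary, non-subscription purchase once the store has decoded the receipt, returning a reason string so rejected purchases can be counted against "purchase complete" events. It assumes a response shaped like the JSON from Apple's verifyReceipt endpoint; the bundle id, product ids, transaction ids and the `check_purchase` helper are constructed for illustration.

```python
import json

# Constructed sample, shaped like the JSON body of an Apple verifyReceipt response.
SAMPLE_RESPONSE = json.loads("""
{
  "status": 0,
  "environment": "Production",
  "receipt": {
    "bundle_id": "com.example.mygame",
    "in_app": [
      {"product_id": "coins_100", "transaction_id": "1000000000000001"},
      {"product_id": "coins_100", "transaction_id": "1000000000000002"}
    ]
  }
}
""")

EXPECTED_BUNDLE_ID = "com.example.mygame"     # assumption: your app's bundle id
KNOWN_PRODUCTS = {"coins_100", "remove_ads"}  # assumption: your product catalog


def check_purchase(response, claimed_product, claimed_txn, seen_txns):
    """Return (ok, reason). seen_txns holds transaction ids already credited."""
    if response.get("status") != 0:
        return False, "store rejected receipt (status %s)" % response.get("status")
    receipt = response.get("receipt") or {}
    # A valid receipt from a different app must not unlock content in this one.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False, "receipt belongs to another app"
    if claimed_product not in KNOWN_PRODUCTS:
        return False, "unknown product"
    for item in receipt.get("in_app", []):
        if (item.get("transaction_id") == claimed_txn
                and item.get("product_id") == claimed_product):
            # Consumables: credit each transaction id once, so a genuine
            # receipt cannot be resubmitted to earn the item again.
            if claimed_txn in seen_txns:
                return False, "transaction already credited (replay)"
            seen_txns.add(claimed_txn)
            return True, "ok"
    return False, "claimed transaction not in receipt"
```

In a real deployment `seen_txns` would be a persistent store rather than an in-memory set.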

