If you are using IAP in your app and want to keep this hack from working you should be validating receipts. It isn't hard to do, check out https://github.com/carsonmcdonald/iap-validator for an example.
I totally agree, the best practice is to validate transactions before delivering content.
It wasn't clear from the article if the method could bypass that. It would have to provide valid transaction ids to the app developer's server. That seems a little too sophisticated or impossible, so you're probably right.
I guess we should really just be surprised this wasn't done sooner.
>It wasn't clear from the article if the method could bypass that. It would have to provide valid transaction ids to the app developer's server.
Even if this method does manage to bypass Apple's validation, then it is Apple's problem and they will fix it quickly. But it is much more likely that developers just haven't bothered to validate receipts.
You have to do it on the server. And it's a pain to implement correctly, full of cryptic error codes. I imagine many developers skip it since it's not required by Apple.
The other thing is that you're dependent on the validation server's availability to check the receipts. Apple's got great uptime in this respect (and others), but there have been outages (a big one last September: http://www.ilounge.com/index.php/news/comments/app-store-suf...).
It's a tradeoff, really, that most IAP implementors consider:
Cost of support and loss of goodwill when legitimate customers run into issues vs. loss of revenue from pirates (heretofore only jailbroken phone users) who likely wouldn't have purchased anyway.
It makes fiscal sense for big players with big IAP scale like Zynga to strictly validate. Little players may find it is less critical to the bottom line to be strict about it.
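The server-side check the two comments above argue about, as an added example (not code from this thread or from the linked iap-validator project). It assumes an injected `post(url, body)` callable so the check runs offline, uses Apple's documented verifyReceipt status codes, and assumes the response field names of the legacy single-purchase format (`bid`, `product_id`, `transaction_id`); the 21005 case is kept separate so an outage like the one mentioned above is a deliberate policy decision rather than a silent failure.

```python
import base64

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Apple's documented verifyReceipt status codes, the "cryptic" ones the thread mentions.
STATUS_MESSAGES = {
    0: "valid",
    21000: "App Store could not read the JSON object",
    21002: "receipt-data property was malformed or missing",
    21003: "receipt could not be authenticated",
    21004: "shared secret does not match",
    21005: "receipt server is not currently available",
    21006: "receipt valid but subscription expired",
    21007: "sandbox receipt sent to production",
    21008: "production receipt sent to sandbox",
}


def verify_receipt(receipt_bytes, expected_bundle_id, expected_product_id,
                   redeemed_txn_ids, post):
    """Validate the receipt an app uploaded before delivering content.

    post(url, body) is an assumed, injected callable that POSTs `body` as JSON
    and returns the decoded response; this keeps the check testable offline.
    Returns (verdict, reason, transaction_id) with verdict "valid", "invalid"
    or "unavailable".  Field names bid/product_id/transaction_id are assumed
    from the legacy single-purchase response format.
    """
    body = {"receipt-data": base64.b64encode(receipt_bytes).decode("ascii")}
    resp = post(PRODUCTION_URL, body)
    # A test receipt sent to production comes back 21007: retry against sandbox.
    if resp.get("status") == 21007:
        resp = post(SANDBOX_URL, body)
    status = resp.get("status")
    if status == 21005:
        # Apple's validator is down: report it separately so the caller can
        # choose fail-open (deliver now, re-verify later) or fail-closed on purpose.
        return ("unavailable", STATUS_MESSAGES[status], None)
    if status != 0:
        return ("invalid", STATUS_MESSAGES.get(status, f"unknown status {status}"), None)
    receipt = resp.get("receipt", {})
    # status 0 only proves Apple signed *a* receipt; it must also be for this app,
    # this product, and a transaction that has not already been redeemed.
    if receipt.get("bid") != expected_bundle_id:
        return ("invalid", "bundle id mismatch", None)
    if receipt.get("product_id") != expected_product_id:
        return ("invalid", "product id mismatch", None)
    txn = receipt.get("transaction_id")
    if not txn or txn in redeemed_txn_ids:
        return ("invalid", "missing or already redeemed transaction id", txn)
    redeemed_txn_ids.add(txn)  # persist this in a real deployment
    return ("valid", STATUS_MESSAGES[0], txn)
```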
+1
Totally agree, it is actually pretty easy and worth it if you already have to have a server. If you don't already have a server, then it probably isn't worth adding one.
Apple does not require it because it's not their job. It's the app developer that's losing money because of this, not Apple. They provided a way to do it right.
Probably mostly game apps where the item being sold is purely virtual. It seems to me like the extra cost of validating receipts for that use case wouldn't be worth it.