Tag Archives: security

Moving an app from Paid to Free

I’ve seen quite a few people saying that it isn’t possible to move an iOS app from paid to being free with an in-app purchase to unlock the full functionality. Fortunately they’re wrong.

“Traditionally” I would have had to remove version one from sale and offer a completely new app, which would have meant that existing users would have to pay again to get the same functionality. Or I’d have to support two apps. Or I’d keep the same app in the store and all existing users would get downgraded to the free version. None of these solutions seemed fair to existing users.

What I wanted was for people who had bought version one to get the full, unlocked version and for new users to be prompted for the paid upgrade.

Since iOS 7 came out in 2013 that is entirely possible. I’ll explain how it’s done here. This isn’t just some theoretical “I’ve seen the documentation” claim – I’ve done it with one of my own apps, Rootn Tootn.

The really short answer: take a look at the session 308 video from WWDC 2013. That’s the only information from Apple that explains how to do it. They have documented the API calls that are required but the actual process is left as an exercise for the interested student. And there are quite a few steps if you want to do it properly.

Firstly you need to get the app receipt. Before iOS 7 this only made sense for in-app purchases (IAP) but now receipts are available for all purchases and come in the same format as receipts from the Mac App Store.

Receipts have a number of useful features. In the past they have been used to validate purchases, and they can still be used for this. What’s interesting with the new receipts is that they include both the original purchase date and the version number of that original purchase. This means that we can decide whether a user gets the paid functionality by looking for either an in-app purchase or a purchase date before a particular time or, more likely, before a particular version.

When you download an app you should get a receipt automatically but you can also use the SKReceiptRefreshRequest class to force one to be generated. (This is also useful during development where, obviously, there is no receipt.)

Once the refresh has completed, you use [[NSBundle mainBundle] appStoreReceiptURL] to access the receipt.

Once you have the receipt the bad news starts.

It’s not in a user friendly format. And Apple do not provide any APIs to read it. Check out Apple’s documentation:

The outermost portion (labeled Receipt in the figure) is a PKCS #7 container, as defined by RFC 2315, with its payload encoded using ASN.1 (Abstract Syntax Notation One), as defined by ITU-T X.690. The payload is composed of a set of receipt attributes. Each receipt attribute contains a type, a version, and a value.

If security is important to you, you should probably write your own code to do this. ASN.1 is a standard format and it’s not that hard.
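To show how little there is to the structure Apple’s documentation describes, here is an added example (not from the original post, and not RMStore’s or Apple’s code) in Python rather than Objective-C: a minimal DER decoder for the SET OF ReceiptAttribute payload and the paid-to-free decision built on it. It assumes the payload has already been taken out of the PKCS #7 container and the container’s signature checked; the attribute type numbers are Apple’s documented ones, while the bundle id, product id and version numbers are constructed test data.

```python
# Added example: decode an App Store receipt payload and make the paid-to-free decision.
# Types 2, 17, 19, 1702 are Apple's documented field numbers; everything else is constructed.
BUNDLE_ID, IN_APP, ORIGINAL_APP_VERSION, IAP_PRODUCT_ID = 2, 17, 19, 1702
SET, SEQUENCE, INTEGER, OCTET_STRING, UTF8STRING = 0x31, 0x30, 0x02, 0x04, 0x0C

def der_encode(tag, body):
    """One DER TLV; uses the long length form once the body reaches 128 bytes."""
    size = 0 if len(body) < 0x80 else (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if not size else bytes([0x80 | size]) + len(body).to_bytes(size, "big")
    return bytes([tag]) + length + body

def der_decode(buf, pos=0):
    """Return (tag, body, position after this TLV) for the element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long form: low 7 bits give the length of the length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def attribute(attr_type, value):
    """ReceiptAttribute ::= SEQUENCE { type INTEGER, version INTEGER, value OCTET STRING }"""
    t = attr_type.to_bytes((attr_type.bit_length() + 8) // 8, "big")   # minimal-length INTEGER
    return der_encode(SEQUENCE, der_encode(INTEGER, t) + der_encode(INTEGER, b"\x01") + der_encode(OCTET_STRING, value))

def decode_receipt(payload):
    """Flatten the SET OF ReceiptAttribute into {type: [raw values]}; type 17 recurses into each IAP set."""
    tag, body, _ = der_decode(payload)
    if tag != SET: raise ValueError("receipt payload must be a SET OF ReceiptAttribute")
    info, pos = {}, 0
    while pos < len(body):
        _, seq, pos = der_decode(body, pos)             # one ReceiptAttribute SEQUENCE
        _, t, p = der_decode(seq)                       # type INTEGER
        _, _, p = der_decode(seq, p)                    # version INTEGER, not needed for this decision
        t, value = int.from_bytes(t, "big"), der_decode(seq, p)[1]
        nested = decode_receipt(value) if t == IN_APP else {t: [value]}
        for k, v in nested.items():
            info.setdefault(k, []).extend(v)
    return info

def is_unlocked(info, bundle_id, unlock_product, first_free_version):
    """Full app for the unlock IAP or an original version older than the first free one; never for another app's receipt."""
    strings = lambda t: [der_decode(v)[1].decode() for v in info.get(t, [])]   # OCTET STRING wrapping a UTF8String
    version = lambda s: tuple(int(x) for x in s.split("."))                    # numeric, so 1.10 > 1.9
    return strings(BUNDLE_ID) == [bundle_id] and (unlock_product in strings(IAP_PRODUCT_ID)
        or any(version(s) < version(first_free_version) for s in strings(ORIGINAL_APP_VERSION)))

def sample_receipt(original_version, products=()):
    """Constructed payload for testing; the signed PKCS #7 container around it is out of scope."""
    attrs = attribute(BUNDLE_ID, der_encode(UTF8STRING, b"com.example.app"))
    attrs += attribute(ORIGINAL_APP_VERSION, der_encode(UTF8STRING, original_version.encode()))
    for p in products:                                  # each IAP is its own nested SET of attributes
        attrs += attribute(IN_APP, der_encode(SET, attribute(IAP_PRODUCT_ID, der_encode(UTF8STRING, p.encode()))))
    return der_encode(SET, attrs)
```

Note that the bundle-id comparison is what stops a receipt from some other app being dropped into yours, and that the version comparison is numeric per component rather than a string compare.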

There are apps that generate the validation code, such as Tighten Pro and Receigen. I can’t vouch for either of them but the reviews seem positive.

There are also Open Source projects that do the same thing. I’ve used RMStore; there’s also VerifyStoreReceiptiOS. The main disadvantage of these is that, being standard, open code, they make it easier for crackers to reverse engineer how you remember that a purchase has been made.

And there you have it. It is possible. It’s just a lot harder than you might imagine. Remember this when someone tells you that it can’t be done.

My delicious.com bookmarks for December 9th through December 13th

My delicious.com bookmarks for December 6th through December 7th

  • This case must not obscure what WikiLeaks has told us – Another good piece about WikiLeaks. The news about Assange is starting to obscure the real news.
  • Live with the WikiLeakable world or shut down the net. It’s your choice. – "What WikiLeaks is really exposing is the extent to which the western democratic system has been hollowed out. In the last decade its political elites have been shown to be incompetent; corrupt; or recklessly militaristic. And yet nowhere have they been called to account in any effective way. Instead they have obfuscated, lied or blustered their way through. And when, finally, the veil of secrecy is lifted, their reflex reaction is to kill the messenger."

My delicious.com bookmarks for November 18th through November 19th

  • The religious excuse for barbarity – "No, we don’t respect your desire to needlessly torment animals because some hallucinating desert nomads did it centuries ago. We don’t respect it at all. You can cry that we are “persecuting” you if we stop you committing acts of cruelty if you want."
  • Penn & Teller – Penn (of Penn and Teller fame) protests the new TSA rules.

My delicious.com bookmarks for September 8th through September 10th

My delicious.com bookmarks for January 27th through January 31st

  • Who Can Do Something About Those Blue Boxes? – "Used to be you could argue that Flash, whatever its merits, delivered content to the entire audience you cared about. That’s no longer true, and Adobe’s Flash penetration is shrinking with each iPhone OS device Apple sells."
  • Penguins, Peaks and Penny-Farthings: Nat Geo Covers 1959-2000 – "The National Geographic Society celebrates its 122nd anniversary on Jan. 27 … Though the early issues had rather drab academic looking covers, by 1959 they were consistently adorned with eye-catching art and photos."
  • Verified by Visa bitchslapped by Cambridge researchers – "Secondary credit card security systems for online transactions such as Verified by Visa are all about shifting blame rather than curtailing fraud, Cambridge University security researchers argue." Or put another way: those annoying screens you get when you buy something online are not for your benefit.