Receipt Validation

With your IAPs set up, you may want to add an extra layer of security to your app that prevents hackers from unlocking items by using IAP crackers, sending fake purchases or simply overwriting the local database storage. Receipt validation can help fight IAP piracy. With Simple IAP System, you have several options for using receipt validation in your app.

Client-Side

This option uses the bundle and App Store developer key to verify that the receipt has been created by your app. Since this is done locally on the client's device, it is not in any way secure or unhackable, but it is better than nothing.

  1. Open the Project Settings and enable the In App Purchases Service.

  2. Scroll down to locate the Receipt Obfuscator section. Enter your Google Play Key and press the Obfuscate License Keys button. This key can be found in your Google Play Developer Console under Your App > Monetise > Monetisation setup > Google Play Billing > Base64-encoded RSA public key. For the Apple App Store, press the Obfuscate Apple License Key button. After this step, additional credential files will have been created within your project.

note

You can now scroll back up and turn off the In App Purchases service again! This does not affect purchasing in any way, it just prevents sending analytics to Unity in case you do not intend to use that.

  3. On the supported target platforms (Android/iOS), add the RECEIPT_VALIDATION define to Project Settings > Player > Scripting Define Symbols to enable ReceiptValidatorClient code compilation.

  4. Add the ReceiptValidatorClient component to the IAPManager prefab in your Project panel.

Server-Side

Server-side validation is the most secure validation method, and I am offering a platform for it that does not require your own servers! It supports validation of all product types and detects fake receipts, active or expired subscriptions and billing issues within the user's subscription cycle, so you can always let your users know when to take action in order to stay subscribed. Additional security measures are implemented to ensure a transaction is only redeemed once across your app, effectively preventing duplicate purchase attempts with the same receipt.

info

This is a separate service offering a FREE plan, please see the Receipt Validator website for details!

In order to use it, please see the Server-Side Receipt Validation guide for reference.

Service-Side

note

Optional if you are not using PlayFab, but required when using PlayFab.

This option uses the PlayFab API and servers for receipt validation. Therefore, you need an active PlayFab developer account (free tier is sufficient) to use this option. As with server-side validation, the verification part is not in the hands of your users. The receipt is sent to the PlayFab servers on purchase, which validate the transaction with Apple, Google or Amazon respectively, and also check that it is unique and has not been used before. Since a receipt can only be validated once, this option is not suited for validating active or expired subscriptions, because they will be rejected as duplicates. Nevertheless, it is still more secure than client-side validation if you do not intend to implement subscriptions and are using PlayFab anyway.

In order to use it, please see the PlayFab integration guide, receipt validation section for reference.

Note that the validation logic for PlayFab has been optimized cost-wise: PlayFab calculates billing for additional API limits based on monthly active users (MAU) using your app. With the Validation Only implementation, PlayFab users will only be created at the time they actually make an in-app purchase (and nothing else), so your MAU count stays as low as possible.

Custom

If you would like to use your own, custom verification on your server, the IAPManager also offers two events that fire either on initialization or on a purchase event:

public static event Action receiptValidationInitializeEvent;
public static event Action<Product> receiptValidationPurchaseEvent;

The initialization event is fired when the IAPManager has been successfully initialized and has received a list of already purchased products. You could use this event to re-validate subscription receipts, other locally stored receipts or request the current user inventory from a remote source. The purchase event delivers the App Store product definition, including the receipt, on a new purchase.

Your script can either subscribe to one, or both events, depending on what you would like to validate. For code samples, please see existing implementations provided by this asset.
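The following sketch shows a subscriber for the purchase event that forwards the receipt to your own server and treats every failure as "not validated". It is an added example, not code from this asset. It assumes that IAPManager lives in the SIS namespace and that Product is Unity IAP's UnityEngine.Purchasing.Product; the class name, the Validated event, the JSON payload and the endpoint URL are hypothetical.

```csharp
using System;
using System.Collections;
using System.Text;
using UnityEngine;
using UnityEngine.Networking;
using UnityEngine.Purchasing;
using SIS; // assumption: namespace that contains IAPManager

public class CustomReceiptValidator : MonoBehaviour
{
    // Placeholder endpoint of your own validation server (hypothetical).
    const string ValidationUrl = "https://example.com/iap/validate";

    // Hypothetical hook for your game code; carries the server's verdict.
    public static event Action<Product, bool> Validated;

    [Serializable]
    class Payload { public string productId; public string transactionId; public string receipt; }

    // Subscribe while enabled and always unsubscribe, since the events are static.
    void OnEnable()  { IAPManager.receiptValidationPurchaseEvent += OnPurchase; }
    void OnDisable() { IAPManager.receiptValidationPurchaseEvent -= OnPurchase; }

    void OnPurchase(Product product) { StartCoroutine(Validate(product)); }

    IEnumerator Validate(Product product)
    {
        // Send the raw receipt: the server, not the client, decides whether it is genuine.
        string body = JsonUtility.ToJson(new Payload {
            productId = product.definition.id,
            transactionId = product.transactionID,
            receipt = product.receipt });

        using (var req = new UnityWebRequest(ValidationUrl, UnityWebRequest.kHttpVerbPOST))
        {
            req.uploadHandler = new UploadHandlerRaw(Encoding.UTF8.GetBytes(body));
            req.downloadHandler = new DownloadHandlerBuffer();
            req.SetRequestHeader("Content-Type", "application/json");
            req.timeout = 15; // seconds; a hung request must not leave the purchase undecided
            yield return req.SendWebRequest();

            // Fail closed: transport errors, timeouts and any non-200 status all count as
            // "not validated". The server should also record the transaction id so the
            // same receipt cannot be redeemed twice.
            bool ok = req.result == UnityWebRequest.Result.Success && req.responseCode == 200;
            Validated?.Invoke(product, ok);
        }
    }
}
```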