MugunthKumar / MKStoreKit

The "Goto" In App Purchases Framework for iOS 8+

Isn't shared secret in a plist file ... uhm ... highly insecure? #257

Open revolter opened 8 years ago

davidhodge commented 7 years ago

In the following Apple WWDC 2016 Video, the presenter specifically states that remote receipt validation shouldn't be done on the client, which is exactly what this code base does with that shared secret! https://developer.apple.com/videos/play/wwdc2016/702/

So yes, it’s a bad idea and a part of a broader problem with this codebase. Remote receipt validation is meant to be something done on a server you control and used to allow your server to be a gatekeeper around content sent to your app. If an app doesn’t have a server that can act as content gatekeeper, local receipt validation should be used instead (see link at the end). Apps that call Apple’s servers for receipt validation are directly going against Apple’s guidelines, miss the point of that kind of validation, and are subject to increased security risks.

Further Evidence: Use of the shared secret is only discussed in Apple’s documentation of validating receipts remotely (this server call shouldn’t be done by the client). Here: https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html#//apple_ref/doc/uid/TP40010573-CH104-SW1

Note: there is a guide on how to validate receipts locally on the iOS device, but it’s important to understand that this doesn’t call to Apple’s servers and does not mention use of a shared secret. Docs here: https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW2
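The pattern the comment above describes, as an added example that is not part of this issue thread or of MKStoreKit: the shared secret lives only on a server you control (here read from an environment variable, `APPSTORE_SHARED_SECRET`, an assumed name), the app sends nothing but its base64 receipt, and the server does the `verifyReceipt` call and decides what the app is entitled to. The endpoint URLs, the request body keys and the status codes 0, 21004, 21007 and 21008 are Apple's documented values; the `post` parameter is an assumption of this example so the transport can be swapped for an offline stub, and `fake_apple_post` is a constructed stand-in for Apple's response, not real data.

```python
"""Server-side App Store receipt verification (added example, not MKStoreKit code).

The shared secret never ships inside the app bundle. The app uploads only its
base64 receipt; this server-side code talks to Apple's verifyReceipt endpoint
and returns the product ids the receipt actually covers.
"""
import json
import os
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Apple's documented status codes that matter for routing and secret handling.
STATUS_OK = 0
STATUS_SHARED_SECRET_MISMATCH = 21004
STATUS_SANDBOX_RECEIPT_SENT_TO_PRODUCTION = 21007
STATUS_PRODUCTION_RECEIPT_SENT_TO_SANDBOX = 21008


def build_verify_request(receipt_b64: str, shared_secret: str) -> dict:
    """Request body Apple expects; the secret is a server-side value only."""
    return {
        "receipt-data": receipt_b64,
        "password": shared_secret,
        "exclude-old-transactions": True,
    }


def http_post_json(url: str, body: dict) -> dict:
    """Real transport: POST JSON to Apple and decode the JSON reply."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_receipt(receipt_b64, expected_bundle_id, shared_secret=None, post=http_post_json):
    """Validate a receipt with Apple from the server.

    Returns (ok, sorted product ids). Follows Apple's guidance of trying
    production first and retrying against sandbox only on status 21007.
    """
    secret = shared_secret if shared_secret is not None else os.environ.get(
        "APPSTORE_SHARED_SECRET", ""  # assumed variable name for this example
    )
    if not secret:
        raise RuntimeError("APPSTORE_SHARED_SECRET is not configured on the server")
    body = build_verify_request(receipt_b64, secret)
    result = post(PRODUCTION_URL, body)
    if result.get("status") == STATUS_SANDBOX_RECEIPT_SENT_TO_PRODUCTION:
        result = post(SANDBOX_URL, body)
    if result.get("status") != STATUS_OK:
        return False, []
    receipt = result.get("receipt", {})
    # Bind the receipt to this app: a genuine receipt for another app proves nothing here.
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, []
    # latest_receipt_info exists for auto-renewable subscriptions; otherwise use in_app.
    entries = result.get("latest_receipt_info") or receipt.get("in_app", [])
    products = sorted({e["product_id"] for e in entries if "product_id" in e})
    return True, products


def fake_apple_post(url, body):
    """Constructed stand-in for Apple: a sandbox receipt first sent to production."""
    if body["password"] != "test-secret":
        return {"status": STATUS_SHARED_SECRET_MISMATCH}
    if url == PRODUCTION_URL:
        return {"status": STATUS_SANDBOX_RECEIPT_SENT_TO_PRODUCTION}
    return {
        "status": STATUS_OK,
        "receipt": {
            "bundle_id": "com.example.app",
            "in_app": [{"product_id": "com.example.app.pro"}],
        },
    }


if __name__ == "__main__":
    # Constructed receipt blob; a real one comes from the app's appStoreReceiptURL.
    print(verify_receipt("cmVjZWlwdA==", "com.example.app", "test-secret", fake_apple_post))
```

The app-side counterpart is then a single authenticated request carrying the receipt, and the app trusts the server's answer rather than any value it could compute with a secret embedded in a plist.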