Dan Burcaw

Dan Burcaw is Co-Founder & CEO of Nami ML. He built a top mobile app development agency responsible for some of the most elite apps on the App Store and then found himself inside the mobile marketing industry after selling his last company to Oracle.

Latest articles by Dan Burcaw
Written by
Dan Burcaw
10 Aug

App Store Receipt Verification Tutorial: The Basics

Server side validation of Apple App Store receipts can be tricky. We show how to build a simple server to handle the basics to verify receipts.

One of the trickier parts of adding in-app purchases to your Apple app is verifying receipts on a server. Apple strongly recommends that you use a server to parse and validate receipts, because it reduces the risk of fraud. But how do you handle things like the call to verifyReceipt or SKReceiptRefreshRequest? We’ll break this all down by showing you how to create a basic server to do iOS receipt validation.

Apple’s StoreKit framework provides a mechanism for selling in-app purchases or subscriptions through the App Store.

An essential artifact, the App Store receipt, is used to verify purchases and understand purchase activity. In this multi-part series, we will go beyond Apple’s documentation to demystify the receipt by coding a simple Python receipt validation script then progressively building out a server-side receipt validation app using Python, Flask, and Docker. This will make it easy for you to modify and deploy to a cloud service like AWS, GCP, or Azure.

Before we jump into the Python, let’s quickly talk about how to access the receipt on the client-side.

Accessing the Receipt from your App

The primary way you will access an App Store receipt is from your app code.

From your Xcode project, you can use the Bundle.main.appStoreReceiptURL to access the Base 64 encoded receipt data.

Here’s an example:

The code above is not guaranteed to return a receipt. Whether a receipt is returned depends on the app build:

  • Debug or Ad-Hoc builds - The receipt will only exist after a test in-app purchase takes place.
  • App Store distribution - The receipt is created when your app is downloaded, even if it is free. Practically speaking, this means your code will always find a receipt if the user downloaded the app from the App Store.

Now that you know how to retrieve the encoded receipt, next we’ll talk about receipt validation.

Choosing a Receipt Validation Approach

Now that you know how to retrieve the encoded receipt, next you need to validate it.

It’s possible to validate a receipt on the client side or on the server side. Server-side receipt validation is more complicated, but the benefits are numerous. Especially if you offer auto-renewing subscriptions, server-side validation is strongly encouraged. You can read more about choosing a receipt validation technique in Apple’s documentation.

An App Store receipt provides a record of the sale of an app or any purchase made from within the app, and you can authenticate purchased content by adding receipt validation code to your app or server. - Apple Developer Documentation

For this series, we’re going to employ server-side receipt validation. To do that, we're going to lean on Python, Flask, and Docker to consume an encoded receipt passed up from your app’s client code. Then, we’ll dig deeper into interpreting the decoded receipt, as well as what response to send back to your client.

If you’re ready to head straight into the details of a decoded receipt, jump to our definitive guide, an element-by-element breakdown of a decoded receipt.

First, let’s build a rudimentary script to better understand the receipt verification workflow.

Building a Simple Command Line Receipt Validator with Python

Apple provides a verifyReceipt service to be used for server-side receipt validation. The basic request and response pattern for this service is pretty straightforward, which we can demonstrate with a simple Python CLI script that does the following:

  1. Load an encoded receipt from a local file
  2. Send a validation request to verifyReceipt
  3. Print the receipt validation status

Let’s get started!

We will be using Python 3 with standard libraries, so the first thing we need to do is import the modules we will need.

Next, we need to create global variables for the verifyReceipt endpoint. There are actually two endpoints: Sandbox (sandbox.itunes.apple.com) & Production (buy.itunes.apple.com). Our script will support receipts from both environments, so let’s set a global variable defining each endpoint.

To determine which endpoint needs to be used, you need to know what kind of app build was used to make the purchase.

  • Debug & Ad-Hoc builds - Generate Sandbox receipts
  • TestFlight or App Store builds - Generate Production receipts

Since this script will take in command-line arguments, let’s create a simple method to handle sending the verify receipt request to Apple. Our method will accept several arguments including whether or not we should use the Sandbox endpoint.

Best Practice: Apple recommends first sending a receipt to Production. If the receipt is for Sandbox, the response will contain a status field with the value 21007. This is your signal to try the Sandbox endpoint instead.

Next, we need to construct a valid requestBody, a JSON data structure containing the Base 64 encoded receipt and a password field, which is required for auto-renewable subscriptions. To locate your app’s hexadecimal shared secret in App Store Connect, check out this guide.

Now we are ready to send the HTTP POST request to Apple.

If the request was successful, you will receive an HTTP 200 OK response code, which means we can expect a JSON responseBody. The first thing to inspect in the responseBody is the status field. If status is 0, the receipt is valid and many other fields will be present in the responseBody as well. We’ll dive deeper into the various elements of the receipt later in this series.

For now, we will use the status value to print a message explaining whether the receipt was validated or not. Just in case we don’t receive the HTTP 200 OK we were expecting, we’ll also catch and print any unexpected HTTP response codes. In production, you can expect to see non-200 responses from Apple, so you will need to add logic to handle them and retry if need be.

Here are the most common status values you will encounter:

  • 0 - The receipt is valid
  • 21002 - The encoded receipt passed in to the requestBody’s receipt-data property is malformed
  • 21004 - The shared secret provided in the requestBody’s password property does not match what is on file with Apple
  • 21007 - The receipt is from the Sandbox environment, but it was sent to the Production verifyReceipt endpoint
  • 21008 - The receipt is from the Production environment, but it was sent to the Sandbox verifyReceipt endpoint

There are other, much rarer status values that you can read about here.

Now we’re ready to prepare our command-line arguments. We expect a file containing an encoded receipt to be passed to this script. If we don’t at least see one command-line argument, let’s print a helpful message.

Let’s try to read in the encoded receipt data from the file path provided in that first argument.

We need to see if any optional command-line arguments were provided. This code supports a --secret argument to pass in the hexadecimal shared secret discussed previously. Additionally, --use_sandbox tells the script to use the Sandbox verifyReceipt endpoint. Otherwise, it will default to Production.

Finally, we construct our verify_receipt method call.
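The CLI described in the steps above, written out as an added example (this is not the article’s own script or the code on Nami’s GitHub): it loads the encoded receipt, builds the requestBody, POSTs to Production first, falls back to Sandbox on status 21007, and reports the status using the values listed above. The injectable `post` parameter of `verify_receipt`, the function names, and the local Base64 check are assumptions of this example, added so the flow can be exercised without calling Apple.

```python
# Added example, not the article's or Nami's code: a verifyReceipt CLI that follows the
# article's flow (Production first, retry on 21007) with an injectable POST for offline tests.
import argparse
import base64
import json
import sys
import urllib.error
import urllib.request

# The two verifyReceipt endpoints named in the article.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_MESSAGES = {  # status values listed in the article; others are reported by number
    0: "The receipt is valid",
    21002: "The receipt-data property is malformed",
    21004: "The password (shared secret) does not match what Apple has on file",
    21007: "Sandbox receipt was sent to the Production endpoint",
    21008: "Production receipt was sent to the Sandbox endpoint",
}

def build_request_body(receipt_b64, shared_secret=None):
    body = {"receipt-data": receipt_b64}
    if shared_secret:  # only needed for auto-renewable subscriptions
        body["password"] = shared_secret
    return body

def post_json(url, body, timeout=10):
    """Standard-library POST. Returns (http_status, parsed JSON or None on a non-200)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def verify_receipt(receipt_b64, shared_secret=None, use_sandbox=False, post=post_json):
    """Production first unless use_sandbox; status 21007 means retry against Sandbox."""
    url = SANDBOX_URL if use_sandbox else PRODUCTION_URL
    body = build_request_body(receipt_b64, shared_secret)
    http_status, response = post(url, body)
    if url == PRODUCTION_URL and http_status == 200 and response.get("status") == 21007:
        url = SANDBOX_URL
        http_status, response = post(url, body)
    return url, http_status, response

def describe(http_status, response):
    if http_status != 200 or response is None:  # non-200 from Apple: surface it so the caller can retry
        return "Unexpected HTTP %s from Apple; retry later" % http_status
    status = response.get("status")
    return STATUS_MESSAGES.get(status, "Receipt validation failed with status %s" % status)

def main(argv):
    parser = argparse.ArgumentParser(description="Validate an App Store receipt via verifyReceipt")
    parser.add_argument("receipt_file", help="file containing the Base64 encoded receipt")
    parser.add_argument("--secret", help="hexadecimal shared secret from App Store Connect")
    parser.add_argument("--use_sandbox", action="store_true", help="send to Sandbox instead of Production")
    args = parser.parse_args(argv)
    with open(args.receipt_file, encoding="ascii") as fh:
        receipt = fh.read().strip()
    base64.b64decode(receipt, validate=True)  # reject garbage locally instead of waiting for a 21002
    url, http_status, response = verify_receipt(receipt, args.secret, args.use_sandbox)
    print("%s -> %s" % (url, describe(http_status, response)))
    return 0 if http_status == 200 and response.get("status") == 0 else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```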

You now should have a good sense for what’s involved to send a receipt validation request to Apple and the basic response codes you can expect to encounter. Head on over to GitHub for the complete source code and examples for the Python CLI covered in this tutorial.

In the next part of this series, we dig deeper into the receipt responseBody.

Until next time, happy validating!

Written by
Dan Burcaw
14 Jul

Join Nami Virtually at 360iDev 2020

Join the Nami team at one of the premier indie iOS developer conferences. Learn about how the Nami platform can help you get the most out of Apple App Store subscriptions.


Written by
Dan Burcaw
21 Jun

Nami at WWDC20

Nami will be virtually attending WWDC20. Check out our events, including a vintage swag contest, StoreKit labs, and more.

WWDC is one of our favorite times of the year.  We wish we could be with all of you in person, but we are also excited to participate with everyone virtually this year. Check out our full list of WWDC events below.

The Nami Vintage Industry Swag Photo Contest

Normally during WWDC, the Co-Founders of Nami ML, Dan and Joe, host a wild and crazy party (some of which from years past are still legendary like the one with the marching band at Mezzanine or the one atop Union Square at Harry Denton's Starlight Room in SF, or of course that first one where we ruined the Tempest), but this year it has to be something different…

So to celebrate our favorite tech conference of the year, we’ve decided to run a little contest!

Find your best vintage industry swag that’s lying around at home and share it with us on Twitter!  

Read More and Join the Contest


StoreKit Labs with Nami Engineers

Adding in-app purchases to your app for the very first time?

Have areas of improvement to your existing StoreKit integration you’ve been wanting to tackle?

We are here to help.  Nami’s platform is tightly integrated with StoreKit and our engineers are here to help you with your StoreKit questions.

Sign-up for a 1:1 session with one of our engineers on Zoom.  Feel free to bring your code.

We’ll be at the (virtual) Fairmont all week

Curious about Nami?  Need help with how to make in-app purchases and subscriptions work for your business?  

Drop by and ask us a question or hit us up for some conference swag.

Chat with Nami at hello@namiml.com.

Written by
Dan Burcaw
19 Jun

The Nami Vintage Industry Swag Photo Contest!

Nami ML is celebrating our favorite tech conference, WWDC20, with a vintage industry swag contest. Read more to enter and win!

Updated June 21, 2020 11:30am PT to use #VintageSwagNamiML hashtag.

Normally during WWDC, the Co-Founders of Nami ML, Dan and Joe, host a wild and crazy party (some of which from years past are still legendary like the one with the marching band at Mezzanine or the one atop Union Square at Harry Denton's Starlight Room in SF, or of course that first one where we ruined the Tempest), but this year it has to be something different…

So to celebrate our favorite tech conference of the year, we’ve decided to run a little contest!

The contest is pretty simple and easy to participate in, but of course there are official rules from our lawyers.

For the official rules, see: https://www.namiml.com/legal/photo-contest-rules

So what is it and how do you win?

We want to see your best “Vintage Swag” from the computer industry. Really it could be almost anything tech related.

Got old computer gear? Conference or Promotional Swag (t-shirts, mugs, stickers, trinkets)? Heck even old floppy discs?

Then you’re in!

We’re doing Daily Prizes every day of the conference (6/22/2020 to 6/26/2020) and then a “Grand Prize” at the end.

Three of the daily prizes (M-W-F) we’ll choose based on the originality and quality of the photos you post.

Two of the daily prizes (Tu-Thu) are based on who gets the most reaction (retweets, likes, replies).

Whoever gets the most reaction during the week will win the Grand Prize!

All you have to do are 4 things:

  1. Post a picture on Twitter of your classic gear/swag
  2. Use the hashtag #VintageSwagNamiML
  3. Follow our Twitter account @HelloNamiML
  4. Include your favorite #hashtag being used for the conference this week.

Daily winners will receive a US$100.00 Apple Gift Card to use to buy your favorite indie apps (or music, or anything else they can be used for).

The Grand Prize winner will receive a pair of Apple AirPods Pro (worth US$249).

So, start digging through your garage goldmine (find that one piece you’ve been holding onto for years for just such an occasion), put on your favorite old conference t-shirt, or any other vintage swag or gear you want to show off.

Sadly, we’re only allowed to let legal residents of the United States participate (thanks a lot, lawyers), but even if you can’t enter you can still show off!

Impress your friends, gain internet fame, and win prizes!

Have a great week at WWDC!

Sincerely,

All Your Friends at Nami ML

Written by
Dan Burcaw
27 May

What Every App Developer Should Know About App Store Optimization

App Store Optimization (ASO) is a key strategy app developers should embrace and master to help increase discoverability.

This post is part of a series related to what every app developer should know. Part 1: What Every iOS Developer Should Know About Submitting Their App. Part 2: What Every iOS Developer Should Know About App Store Optimization.

There are billions of smartphones in use worldwide and that number isn’t going to stop growing any time soon. Year after year, this growth continues to generate a massive market for creating and purchasing apps. There are about 4 million apps ranking on Apple’s App Store and Google’s Play Store. This means you’re going to need to get strategic when thinking about marketing your app if you wish to see it generate engagement and downloads.

What is App Store Optimization (ASO)?

App Store Optimization is a set of improvements you make to your app download page to raise your ranking on the visibility ladder and secure more downloads. ASO, for the most part, is focused on the world’s two major app store platforms: Apple App Store (iOS) and Google Play Store (Android). Whether you are new or experienced, you need to know that ASO is never a ‘one and done’ task. Continuous attention and consistent updates are critical to your app’s success. Let’s take a look at a few tips to get you started on your path to success.

Use Real Keywords

Research is critical and it’s good to see what keywords your competitors are using. Match your keywords with the needs of your customer to help them find your app easily and much faster. You’ll need to target the keywords your users use and not the ones you think they would.

For example, you may be building a law firm’s app where they would like keywords reflecting their main source of income – car accident victims. They may be insistent that you use Auto Accident Attorney as a keyword because it is the correct legal term used by attorneys in the United States. That’s simply not going to fly, as most people search using the keywords: car crash lawyer. The lesson is to use the simple, natural language that customers use.

Title and Description Optimization

The most important metadata used to get the most downloads possible is in your title. Keep it under 25 characters. This way the whole title is visible on the app store when browsing. Once you’ve picked the right title, do a search for it. If you get identically-named results back, you’re not being creative enough.

When making your description, include as many relevant keywords as you can (don’t stuff words just to stuff) and keep it within 250 characters. Anything beyond that will be truncated with a “read more” link.

Screenshots and Icons

Your screenshots and icons must be compelling as they will give you a visual edge. Choose an icon for your app that is very easy to recognize and is memorable to the brand. Try to use different colors than your competition to avoid confusion. Use design to stand out from the crowd of related apps.

Keep in mind that the majority of people do look at screenshots before downloading or purchasing. Make sure you’re using colorful templates. The screenshots must look professional and aesthetically pleasing. For this space, text is not as critical as displaying the visual features that offer better value than the competitor’s app.

Include Video

Videos included on an app’s page stand to get up to 23% more downloads than a competitor who does not use any. Upload a video showcasing the best features that show your app presenting the greatest value.

Research the Competition

Since this has been mentioned above, you should be catching on that this is vital to your app’s success. Studying your competition will ensure you become successful. Learn from their mistakes and look for opportunities to stand out in other ways.

Before you submit your app to your preferred marketplace platform, you do need to nail down the right category for the app. When choosing the right category, think about things like: how many competitors do you have? How many apps are consistently updated? How popular (in downloads) does the category rank? Once you’ve chosen and uploaded, keep an eye on your category. You’ll want to monitor top performers and their keywords or metadata.

Bonus Tips

Build Backlinks: To get the best backlinks, make sure your app is linked on relevant websites. There are quite a few app directories that allow anyone to submit their app to as long as it meets relevancy requirements.

Drive Traffic Other Ways: You also have the option to use paid app advertising, with Google Universal App Campaigns (UAC) and Apple Search Ads (ASA) as the primary drivers.

Last Words

Implementing ASO best practices and subsequently driving up app downloads will not happen overnight. By spending a bit of time daily working on an ASO checklist, you will get results and make progress over time. Once you begin to see some traction, you can then take a shot at paid promotions to further take advantage of ASO.

ASO is fundamental to growing your app business. Focusing now on making your app stand out in a crowded app space will provide that extra boost in revenue down the road. Nami is there by your side every step of the way as you grow your audience and increase app revenue.

Written by
Dan Burcaw
14 May

When Marketing Subscriptions & IAPs, Speed is King

App publishers need to transition their subscription and in-app purchase paywalls to CMS-based solutions for more marketing agility to experiment and grow.

Marketers are always on the lookout for new ways to make the customer experience (CX) one with the fewest barriers between the pitch and the purchase.

To maximize conversions on subscriptions and in-app purchases, apps must deliver quality and specifically targeted content as well as specifically targeted offers. To do that, marketers often need to make quick changes based on consumer demand using the most up-to-date information possible.

Subscriptions and in-app purchases using Nami’s CX-focused paywall design are a perfect example of where marketers can effect change and increase revenue directly, without the need for developers to make code adjustments. Nami has introduced a no-code solution for paywalls and offer screens that can be iteratively changed by marketers, without needing to publish app updates. Using Nami’s full range of metrics, digital marketing teams can review and analyze CX data, and immediately make changes on the fly in response to new data analysis.

In the early days of the internet, marketers needed to know HTML to be able to make changes to a company website. Eventually, Content Management Systems (CMSs) became available that allowed marketers to edit their websites without needing a developer. We currently live in a world where most apps’ subscription or in-app purchase offer screens require a developer to update. Nami has solved this problem.

Digital marketing teams can now drive sales without releases. What does that mean? As marketers, you will be in control of UX customization, copy changes, and in-app behavioral adjustments. Even better, these changes you make can go live immediately. No more waiting for your changes to be approved, then released with a software update.

Nami’s industry-leading no-code paywall platform was specifically created with digital marketing teams in mind. It was built to enable digital marketers to continuously improve in-app offers iteratively and quickly. Speaking as a company of app developers, we know that the faster marketers can test conversion screens, the faster they can grow their revenue.