OpenSSL versions

The receipt validation code normally depends on OpenSSL 1.0 and higher. In addition, the code needs to be statically or dynamically linked. This guide describes how to prepare an Xcode project to use the OpenSSL static library.

OpenSSL Licensing

Linking OpenSSL statically requires you to include these sentences in your application (in the Credits.rtf file for example):

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

OpenSSL Binaries

One particular aspect of the OpenSSL project is that the binaries are not distributed; only the sources are available.

So far, you have the following options:

If you don’t have the time or the resources to build OpenSSL on your own, here are the latest builds of the OpenSSL libraries. The distribution includes the header files and the libcrypto and libssl static libraries, built as universal binaries:

OpenSSL 1.0.1

OpenSSL 1.0.2

OpenSSL 1.1.0

Configuring Xcode

If you have downloaded a pre-built package, you need to configure your Xcode project in order to have access to the OpenSSL headers/libraries.

Installation

We assume that the pre-built package has been uncompressed in the /Users/Guest/Projects/openssl folder. The folder should contain an include folder and a lib folder.


Configuration

In Xcode:


Specific configuration for Swift

If you are using the Swift generated code, you also need to use a bridging header to import the OpenSSL types and functions. Once the bridging header is created, insert the following in it:

//
// Receigen imports
//
#import <CommonCrypto/CommonDigest.h>
#import <openssl/asn1.h>
#import <openssl/pem.h>
#import <openssl/pkcs7.h>
#import <openssl/sha.h>
#import <openssl/x509.h>

Why OpenSSL?

From the beginning, Receigen has always used up-to-date code and functions and carefully avoided deprecated APIs, in order to stay fully functional across system upgrades. As the system-bundled OpenSSL shared library is deprecated (since OS X 10.7), Receigen was using the Security framework functions for the receipt parsing and for the cryptographic operations. Unfortunately, using the Security framework has led to a series of exploits by offering a way to attack the validation code; long story short, the Security framework symbols are vulnerable to runtime injection/swap/swizzling. An attacker can make the application load a shared library that replaces some symbols and bypasses the various validation checks. In order to prevent this kind of attack, Receigen now uses a statically linked OpenSSL library for all its cryptographic operations.

Another major reason to switch to OpenSSL was that iOS does not offer enough APIs to parse and verify the receipt. OpenSSL is therefore the best candidate to provide robust and cross-platform receipt validation code.
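
To confirm that a build really links OpenSSL statically, as the rationale above requires, the following added example (not part of Receigen or its generated code) scans `otool -L` output for libssl/libcrypto dylib dependencies. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Receigen code): verify that a build does not load
# OpenSSL dynamically. Function names and samples are constructed.
# Usage on macOS: otool -L MyApp.app/Contents/MacOS/MyApp | check_static_openssl

# Print the install name of every libssl/libcrypto dylib found in
# `otool -L` output read from stdin. Prints nothing for a static build.
dynamic_openssl_deps() {
    # Dependency lines are indented and end with "(compatibility version ...)".
    sed -n 's/^[[:space:]]\{1,\}\(.*\) (compatibility version.*$/\1/p' |
        grep -E '(^|/)lib(ssl|crypto)[^/]*\.dylib$' || true
}

# Exit status 0 when no dynamic OpenSSL dependency is listed, 1 otherwise.
check_static_openssl() {
    deps=$(dynamic_openssl_deps)
    if [ -n "$deps" ]; then
        printf 'dynamically linked OpenSSL found:\n%s\n' "$deps" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a binary that still loads OpenSSL at run time.
sample_dynamic() {
    printf 'MyApp:\n'
    printf '\t%s\n' \
        '/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)' \
        '@rpath/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)' \
        '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)'
}

# Constructed sample: OpenSSL linked statically, so no OpenSSL dylib is listed.
sample_static() {
    printf 'MyApp:\n'
    printf '\t%s\n' \
        '/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1258.0.0)' \
        '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)'
}
```

Run as a post-build step, a non-zero exit status from `check_static_openssl` means the binary still resolves OpenSSL symbols from a shared library at load time.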