I made an app with IAP.
Now I am using my server to do the verifying of receipts.
Something I recently noticed is a surge in error messages when verifying the receipt.
The response from Apple server is:
"The receipt is valid, but purchased nothing"
I do understand what it means, but help me understand where the fault is? Is something wrong with my app? or are people trying to use some kind of software to cheat?
Can you explain how you are verifying the receipt. Your error message does not appear to be coming from Apple. It seems to be coming from some other software that is processing the receipt that was decided by the Apple servers. That said, it is straightforward to hack an app by simply sending a call into your updatedTransactions method. But if the app secures the current receipt and examines it the app will conclude that the receipt is valid but it contains no purchased IAPs.
edit. "decided" should be "decoded"
Hi there,
thanks for replying.
I am using node.js library (https://github.com/voltrue2/in-app-purchase/)
var errorMap = {
21000: 'The App Store could not read the JSON object you provided.',
21002: 'The data in the receipt-data property was malformed.',
21003: 'The receipt could not be authenticated.',
21004: 'The shared secret you provided does not match the shared secret on file for your account.',
21005: 'The receipt server is not currently available.',
21006: 'This receipt is valid but the subscription has expired. When this status code is returned to your server, the receipt data is also decoded and returned as part of the response.',
21007: 'This receipt is a sandbox receipt, but it was sent to the production service for verification.',
21008: 'This receipt is a production receipt, but it was sent to the sandbox service for verification.',
2: 'The receipt is valid, but purchased nothing.'
};
So to answer your question, the error code from apple is 2
<Apple> Empty purchased detected: in_app array is empty
: consider invalid and does not validate { status: 2,
environment: 'Production',
receipt:
{ receipt_type: 'Production',
adam_id: 1163617952,
app_item_id: 1163617952,
bundle_id: 'com.gressquel.OCR',
application_version: '4',
download_id: 84024863772013,
version_external_identifier: 819781997,
receipt_creation_date: '2016-11-19 05:36:19 Etc/GMT',
receipt_creation_date_ms: '1479533779000',
receipt_creation_date_pst: '2016-11-18 21:36:19 America/Los_Angeles',
request_date: '2016-11-29 10:25:56 Etc/GMT',
request_date_ms: '1480415156487',
request_date_pst: '2016-11-29 02:25:56 America/Los_Angeles',
original_purchase_date: '2016-11-14 12:31:58 Etc/GMT',
original_purchase_date_ms: '1479126718000',
original_purchase_date_pst: '2016-11-14 04:31:58 America/Los_Angeles',
original_application_version: '1',
in_app: [] },
service: 'apple',
message: 'The receipt is valid, but purchased nothing.' }
This is not an error message from Apple. This is a coded response from your canned software. Apple sent a receipt back to your canned software and your canned software examined the recipt and found no IAP purchase in the receipt. But the receipt itself was valid. All apps come with a receipt. And app that purchases an IAP gets a new receipt that indicates they made the pruchase.
In your case it appears that your app is being hacked and you are detecting the hack.