Changes to hosting non-consumable in-app purchases in April 2022

It's really quite amazing that Apple are removing this (for new content) with so little notice.

The email suggests using "on-demand resources", but as far as I can tell that is in now way tied to in-app purchases, so it does not provide any sort of security. (Is that correct?)

Basically we have one month to design, implement, test and deploy our alternative solutions.

I'm sure the pirates are rubbing their hands with glee, looking forward to all the insecure alternatives that we hurriedly cobble together.

I have received the same e-mail and I am worried about it. It means that Apple will no longer offer hosting for non-consumable IAP content. This is clear. So we have to find a solution, but we have only one month to find a solution. I cannot understand this decision and why only month to find a solution.

So, what is the solution?

• on demand resource:

The email suggests to use the "on-demand solution", but this is not a solution for the in-app purchase because it means that every time that we need to deliver a new in-app purchase then we have to upload a new bundle (Giga byte of data!!!) together with app binary and make a full app review (binary and assets).

• own server

The only real solution is move the "in-app-purchase" content into own server. So after purchasing from the App Store, the content will be downloaded from the server via http request (or via ftp request). Up to now, I cannot see any other solution. There are a lot of cloud services that offer a VPS solution for doing that.

Are there other solutions?

It means that Apple will no longer offer hosting for non-consumable IAP content.

I'm not sure if this is true.

There is content that is already included in the app bundle and can be marked for later download, possibly as part of a purchase process. On the other hand, there is content that can be submitted to the App Store in addition to the app and, of course, outside of the app bundle.

I am not familiar with the first method. I myself use the method of subsequently uploading individual packages as IAP hosted content via iTMSTransporter. After uploading the package, the content goes through an additional review and is then available as IAP in the app.

It seems to me that the changes only affect the first type of IAP content, i.e. content that is already included in the app bundle. This would not affect my app, fortunately, and also explains why the "hosted non-consumable IAP content" feature is not declared deprecated on the help pages of the StoreKit framework. Which would certainly be the case given the huge impact of such a change and the short time remaining.

But maybe someone can say for sure what changes Apple is really making now regarding hosting non-consumable IAP content.

martax, I think you're being very optimistic to think this doesn't affect you. You should perhaps use one of your DTS support cases to get confirmation. I'm pretty certain this refers to the SKDownload system.

acelani74, yes you will now need to host your content on your own server. In my experience there are some very easy ways to do this, e.g. AWS S3 - but they can be expensive. I spend a lot of time investigating cheaper alternatives, which all have disadvantages - they can be less reliable, or more difficult to use, or slower. It's a difficult balancing act. BUT what you also need to do is to secure your content. The SKDownload system has that huge advantage that Apple ensure that the downloads are only available when the corresponding IAP has been purchased. Replicating that security is the challenge here. You can send the app receipt to your server and have it verify that before serving the content, but (a) that requires much more complex server infrastructure than just an S3 bucket, and (b) by itself it doesn't guard against replay attacks, i.e. pirates share the receipt from one legitimate purchase with all the pirated copies. The App Attest system provides a way to guard against that, but its problem is that it is not available when your iOS app runs on an M1 Mac.

It's really funny that features, probably especially those that Apple doesn't particularly like and that developers have relied on, are summarily classified as problems that of course need to be fixed as soon as possible 🤣 :

https://developer.apple.com/documentation/Xcode-Release-Notes/xcode-13_3-release-notes

Updates in Xcode 13.3 Beta -> Build System -> Resolved Issues

Building and uploading nonconsumable in-app purchase content for Apple to host is no longer supported. Existing content that’s hosted by Apple isn’t affected. To enable smaller app bundles, faster downloads, and richer app content, use on-demand resources to host your content on the App Store separately from the app bundle. For details, see On-Demand Resources Essentials. (84121695)

Thanks Apple for caring!

I sent a message to Apple to say "it's not acceptable to remove this functionality with so little notice, please consider extending the deprecation period to e.g. five years". And I just got a reply. The support person questions whether the email that I received was actually sent by Apple. They claim that any changes would be posted at developer.apple.com/news or developer.apple.com/in-app-purchase , which this isn't. I must say it's a very elaborate hoax, if that's what it is. Or, Apple Developer Support is being even less useful than usual!

Wow, really amazing. A "senior advisor" at Apple Developer Program Support has now told me that the mail that I (and martax) received is not from Apple. They tell me I need to report it to reportphishing at apple.com! Here's the email. What do you think? Which is more likely, (a) Apple really are withdrawing a feature that I rely on in my app with only 1 month's notice, or (b) Apple can't distinguish between a hoax phishing email and something they sent themselves?

If there are any Apple people reading this, I would appreciate your thoughts on whether this is legitimate or not.

Here's the email:

Dear Philip,

Thank you for reaching out to us. My name is Corinna, and I am a senior Advisor with Apple Developer Program Support. Your request was given to me for further review, and it will be my pleasure to take ownership of your case.

I understand that you received an email that you believe was sent by Apple, stating that we would imply changes to hosting non-consumable in-app purchases.

When reviewing the email that you kindly forwarded, I found that the email address is not from Apple.

Please review the following article and report the email to reportphishing AT apple.com.

Recognize and avoid phishing messages, phony support calls, and other scams

[snip]

Wishing you a lovely afternoon.

Kind regards,

Corinna Apple Inc.

@endecotp Thank you for your research. Indeed, things are getting more mysterious .... 🤣.

So the email is not supposed to be from Apple at all? Unbelievable!

And what about the essentially same content reference to fixing "Issue" 84121695?

See: https://developer.apple.com/documentation/Xcode-Release-Notes/xcode-13_3-release-notes

Is that one not from Apple either?

I'll wait and see, the fact is that since Xcode 13.x there seems to be no way to send IAP content to the App Store. Since I don't use this anyway, this would not be a disadvantage from my point of view. But if hosted IAP content is indeed completely eliminated, that's a significant change that certainly can't be announced and implemented within a month.

I've not yet had a reply (other than the autoreply) from the reportphishing email, does anyone know if that address does anything?

My feeling is that "Corinna" and her colleagues are AI chatbots. No human could look at that email and think it's a hoax. It even has a valid Apple DKIM signature. Maybe if I now click "Very dissatisfied" in the "We'd love to hear how it went" Apple Support survey email, that will feed back into the AI and the next "Corine" will be better than this one.

martax, I also use iTMS Transporter to upload. For some time my feeling has been that that tool is deprecated for app-related uploads, and its main users are music, video and ebook publishers. Although the XML app metadata format is still documented, it's difficult to find links to it from any of the App Store documentation. The best documentation remains a presentation at WWDC 2013. If you ask Apple about it, they get confused with the newer Transporter app and the App Store JSON API.

I contacted Apple Developer Relations and received a reply that Apple had actually sent the email to the relevant developers.

Thanks for your post monokakido. Did they say anything interesting, except confirming that they had sent the message?

I see that Apple's only contribution to this thread has been to delete the posts that they don't like!

I've finally had a confirmation from Apple that the email is genuine. No prospect of my feedback even reaching the person who decided to do this, I guess, let alone resulting in a reconsideration or delay.

I've been an iOS developer since 2008 and I have been through this before. The lesson is "don't rely on Apple technologies, they can withdraw them at any time". Do everything yourself using components that you control. It's worth it in the long term.

Hi,

We recently sent an email to developers who have uploaded non-consumable in-app purchase assets for Apple to host. Developers who haven’t uploaded non-consumable in-app purchase content for Apple to host aren't impacted and can disregard this post.

As noted in the email, in Xcode 13.3 we’ve removed the option to upload non-consumable in-app purchase assets for Apple to host. In addition, support for managing these assets in App Store Connect will be removed starting in April 2022.

Here are a few reminders that may be helpful regarding Apple-hosted non-consumable content (“content”):

• Existing content isn’t affected, as also mentioned in the Xcode 13.3 Beta 3 Release Notes.
• Users can continue to purchase and access existing content in your app.
• Your apps can continue using the SKDownload APIs to download existing content.
• You can continue to update details, such as pricing and availability, for products that are already created in App Store Connect.
• Until April 2022, you can upload new content and update existing content for Apple to host. Use Xcode 13.2.1 or earlier to upload content, as Xcode 13.3 doesn’t support building and uploading Apple-hosted non-consumable products.
• Starting in April 2022, any products that are not already enabled for Content Hosting in App Store Connect will no longer be eligible for hosting.

Consider using an alternative, such as on-demand resources (ODR), to host in-app purchase assets and content on the App Store separately from the app bundle.

• For production apps, ODR content will continue to be hosted on Apple servers and have a similar level of security as other Apple-hosted content.
• For sandbox development and testing, you need to set up a local server from which on demand resources will be downloaded.
• ODR content must be updated and submitted with the app, not separately. App updates require App Review, so take this into consideration in your development cycle.

If you need technical advice implementing ODR, you can submit a Technical Support Incident.

Thanks,

—jasonag.

Hi,

We recently sent an email to developers who have uploaded non-consumable in-app purchase assets for Apple to host. Developers who haven’t uploaded non-consumable in-app purchase content for Apple to host aren't impacted and can disregard this post.

As noted in the email, in Xcode 13.3 we’ve removed the option to upload non-consumable in-app purchase assets for Apple to host. In addition, support for managing these assets in App Store Connect will be removed starting in April 2022.

Here are a few reminders that may be helpful regarding Apple-hosted non-consumable content (“content”):

• Existing content isn’t affected, as also mentioned in the Xcode 13.3 Beta 3 Release Notes.
• Users can continue to purchase and access existing content in your app.
• Your apps can continue using the SKDownload APIs to download existing content.
• You can continue to update details, such as pricing and availability, for products that are already created in App Store Connect.
• Until April 2022, you can upload new content and update existing content for Apple to host. Use Xcode 13.2.1 or earlier to upload content, as Xcode 13.3 doesn’t support building and uploading Apple-hosted non-consumable products.
• Starting in April 2022, any products that are not already enabled for Content Hosting in App Store Connect will no longer be eligible for hosting.

Consider using an alternative, such as on-demand resources (ODR), to host in-app purchase assets and content on the App Store separately from the app bundle.

• For production apps, ODR content will continue to be hosted on Apple servers and have a similar level of security as other Apple-hosted content.
• For sandbox development and testing, you need to set up a local server from which on demand resources will be downloaded.
• ODR content must be updated and submitted with the app, not separately. App updates require App Review, so take this into consideration in your development cycle.

If you need technical advice implementing ODR, you can submit a Technical Support Incident.

Thanks,

—jasonag.

Dear Jason,

Thank you for confirming that the email was genuine.

Can you explain why such a short notice period has been chosen for the removal of this feature? Of course features are sometimes removed, but I can really never think of a case where there has been so little notice - just five weeks, or only three weeks if you start counting at then point when Apple stopped telling me that the email was a hoax. I had to double-check what year it is when I read "April 2022".

ODR content will ... have a similar level of security as other Apple-hosted content.

But not the same level of security as SKDownloads, which are restricted to users who have purchased the corresponding IAP. Here is a quote from the StoreKit documentation:

Most apps should use Apple-hosted content for downloaded files. You create an Apple-hosted content bundle using the In-App Purchase Content target in Xcode and submit it to App Store Connect.

(snip)

Note Alternatively, you can use On-Demand Resources (ODR) for more flexibility in downloading data in your app. ODR is an Apple-hosted service you can use to store in-app purchase data for the user to download content once you've verified the user's purchase using the app receipt. The advantage of this alternative over SKDownload is that ODR doesn't require you to call to restore transactions and authenticate the user to download content hosted on Apple's server.

My emphasis. You claim it is an advantage that ODR does not require authentication. What The?????

If you need technical advice implementing ODR, you can submit a Technical Support Incident.

Developer Technical Support does not assist with the implementation of anti-piracy / digital rights management features. (Unless that has changed. Please let us know if that policy has changed recently.)

Dear Jason,

I just have to chime in to voice our displeasure at the insanely short notice of this change. One month's notice for a change of this magnitude is very short considering that you're asking us to implement an entirely separate and secure hosting setup, test it and ensure it is ready for full scale production in four weeks, despite an already packed development schedule (for many of us I'm sure). ODR is too limited an alternative for many people to plug into and as others have pointed out does not have the security of SKDownload.

I submit that 6 months is a more reasonable timeframe for such a grand change and ask you to pass it up the chain. Thank you.

I was actually working on some new IAPs for one of my apps which is totally based around downloadable sample-based instruments. I basically had to can about two months worth of work.

It was also a nightmare (for me, at least) getting the whole SK download stuff working properly. At one point, it was all working great, then there was an iOS update, and everything was broken again.

Maybe little wonder Apple decided to "deprecate" this...

So can anyone tell me the recommended way to deal with this; I have an app since 2016 which uses non consumable content. I just tried to upload a new non consumable as a pkg to apple but noticed there was no facility to add to the IAP within 'connect'. What is the best way forward with this?

can anyone tell me the recommended way to deal with this

That will depend on what server-side technologies you are familiar with or are already using, and how much security you need.

I use AWS, and I have a Lambda function that implements AppAttest to authorise a download from CloudFront / S3. The main disadvantage of this is the bandwidth cost. If I were starting from scratch I'd look at Cloudflare R2.