Skip to content

Apple In-App Purchase Secret

Service Name: Apple App Store Connect

Service Description: Apple's In-App Purchase secret is used to validate receipts for in-app purchases and subscriptions in iOS, macOS, watchOS, and tvOS applications. It allows developers to verify purchase authenticity server-side.

Service Address: https://appstoreconnect.apple.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants ability to verify in-app purchase receipts with Apple's verification servers. Can be used to validate receipts, check subscription status, and retrieve purchase information.

Secret Revokement URL: https://appstoreconnect.apple.com/access/api

Secret Example: ff9c8e11a9b94c56a4d16a8f88d34e44

Suspicious Activity Investigation Instructions:

  • Review server logs for unusual receipt validation requests.
  • Check for unexpected increases in receipt validation API calls.
  • Monitor for validation requests from unusual geographic locations.
  • Verify if there are validation attempts for receipts not associated with your app.
  • Look for patterns that might indicate brute force attempts.

Mitigation Instructions:

  • Generate a new shared secret in App Store Connect.
  • Update the secret in all your server environments.
  • Implement proper secret rotation procedures.
  • Store the secret securely using a secrets management solution.
  • Consider implementing additional verification steps in your receipt validation process.
  • Update your server-side code to use the new shared secret.
  • Monitor for any failed validation attempts after the update.