3

I'm currently designing an In-App-Purchase Manager for my apps that is supposed to implement the following features:

  • Answer the simple query whether a productId has been purchased or not without a server based backend
  • Basic anti-piracy protection

To implement the first feature I'd just serialize the transaction history as JSON and store it in a local file. To prevent Average-Joe with a jail-broken device from just copying the transaction history of another user to his own device, the history file would be encrypted using a key derived from identifierForVendor (remember, I said basic protection).

Every time a completed transaction is reported through SKProductsRequestDelegate it will be added to the transaction history file.

In case the history file cannot be opened during startup because either it is missing or corrupt due to an encryption key mismatch, the file gets discarded and restoreCompletedTransactions is called, and transactions reported through SKPaymentTransactionObserver will be added to a freshly created history file.

Does that concept make sense in the context outlined at the beginning or did I get it wrong?

Comments and suggestions on how to improve security and reliability without requiring a server backend would be welcome as well.

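A sketch of the history file described in the question, as an added example that is not part of the original post. The question names no cipher or key-derivation function, so AES-GCM and HKDF from CryptoKit are assumptions, as are all type and function names and the salt/info labels; the vendor identifier is passed in as a parameter (on a device it would come from `UIDevice.current.identifierForVendor`).

```swift
import Foundation
import CryptoKit

// Hypothetical names throughout; the salt/info labels are constructed values.
struct PurchaseHistory: Codable {
    var purchasedProductIds: Set<String> = []
}

enum HistoryStore {
    // Derive a 256-bit key from the vendor identifier. This is obfuscation-grade:
    // the input is readable by anyone with full access to the device.
    static func key(for vendorId: UUID) -> SymmetricKey {
        let ikm = SymmetricKey(data: Data(vendorId.uuidString.utf8))
        return HKDF<SHA256>.deriveKey(inputKeyMaterial: ikm,
                                      salt: Data("iap-history-salt".utf8),
                                      info: Data("history-file-v1".utf8),
                                      outputByteCount: 32)
    }

    // Serialize to JSON and seal with AES-GCM (nonce + ciphertext + tag).
    static func save(_ history: PurchaseHistory, to url: URL, vendorId: UUID) throws {
        let json = try JSONEncoder().encode(history)
        let box = try AES.GCM.seal(json, using: key(for: vendorId))
        guard let blob = box.combined else { throw CocoaError(.fileWriteUnknown) }
        try blob.write(to: url, options: .atomic)
    }

    // Returns nil when the file is missing, modified, or sealed under another
    // device's key; the unusable file is discarded, as the question describes.
    static func load(from url: URL, vendorId: UUID) -> PurchaseHistory? {
        guard let blob = try? Data(contentsOf: url),
              let box = try? AES.GCM.SealedBox(combined: blob),
              let json = try? AES.GCM.open(box, using: key(for: vendorId))
        else {
            try? FileManager.default.removeItem(at: url)
            return nil
        }
        return try? JSONDecoder().decode(PurchaseHistory.self, from: json)
    }
}

// Startup path: a nil result is the cue to call restoreCompletedTransactions().
func isPurchased(_ productId: String, historyURL: URL, vendorId: UUID) -> Bool? {
    guard let history = HistoryStore.load(from: historyURL, vendorId: vendorId) else {
        return nil // unknown until the restore has repopulated the file
    }
    return history.purchasedProductIds.contains(productId)
}
```

Because AES-GCM authenticates the ciphertext, a file copied from another device or edited by hand fails in `AES.GCM.open` rather than decrypting to garbage, which gives the "cannot be opened" condition a single, reliable signal.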