Confirmation of purchase when purchasing the application

Apple offers two validation documents for receipts with clearly conflicting statements.

In " Checking receipt receipts" :

Note. In iOS, the contents and format of the store receipt are private and subject to change. Your application should not attempt to analyze receipt data directly .

However, in “ Checking the receipt of purchases in the application on iOS ”, an example code is provided in which the procedure for receiving the store is verified and verified as part of the “mitigation strategy” for the security vulnerability:

// Check the validity of the receipt. If it checks out then also ensure the transaction is something // we haven't seen before and then decode and save the purchaseInfo from the receipt for later receipt validation. - (BOOL)isTransactionAndItsReceiptValid:(SKPaymentTransaction *)transaction { if (!(transaction && transaction.transactionReceipt && [transaction.transactionReceipt length] > 0)) { // Transaction is not valid. return NO; } // Pull the purchase-info out of the transaction receipt, decode it, and save it for later so // it can be cross checked with the verifyReceipt. NSDictionary *receiptDict = [self dictionaryFromPlistData:transaction.transactionReceipt]; NSString *transactionPurchaseInfo = [receiptDict objectForKey:@"purchase-info"]; NSString *decodedPurchaseInfo = [self decodeBase64:transactionPurchaseInfo length:nil]; NSDictionary *purchaseInfoDict = [self dictionaryFromPlistData:[decodedPurchaseInfo dataUsingEncoding:NSUTF8StringEncoding]]; NSString *transactionId = [purchaseInfoDict objectForKey:@"transaction-id"]; NSString *purchaseDateString = [purchaseInfoDict objectForKey:@"purchase-date"]; NSString *signature = [receiptDict objectForKey:@"signature"]; // Convert the string into a date NSDateFormatter *dateFormat = [[NSDateFormatter alloc] init]; [dateFormat setDateFormat:@"yyyy-MM-dd HH:mm:ss z"]; NSDate *purchaseDate = [dateFormat dateFromString:[purchaseDateString stringByReplacingOccurrencesOfString:@"Etc/" withString:@""]]; if (![self isTransactionIdUnique:transactionId]) { // We've seen this transaction before. // Had [transactionsReceiptStorageDictionary objectForKey:transactionId] // Got purchaseInfoDict return NO; } // Check the authenticity of the receipt response/signature etc. BOOL result = checkReceiptSecurity(transactionPurchaseInfo, signature, (__bridge CFDateRef)(purchaseDate)); if (!result) { return NO; } // Ensure the transaction itself is legit if (![self doTransactionDetailsMatchPurchaseInfo:transaction withPurchaseInfo:purchaseInfoDict]) { return NO; } // Make a note of the fact that we've seen the transaction id already [self saveTransactionId:transactionId]; // Save the transaction receipt purchaseInfo in the transactionsReceiptStorageDictionary. [transactionsReceiptStorageDictionary setObject:purchaseInfoDict forKey:transactionId]; return YES; } 

If I understand correctly, if I check the receipt, my application will stop working when Apple decides to change the format of the receipt.

And if I don’t check the receipt, I don’t follow Apple’s mitigation strategy and my application is vulnerable to attacks.

Damned if I do this, damned if I don't. Is something missing?