When validating StoreKit receipts (I'm using ReceiptKit), you need the Apple Root Certificate.

Is it ok just to include this in the App bundle or should I be downloading a fresh copy every time?

They both seem to have their risks?

Solution

All references I have found recommend downloading and storing the certificate in your bundle. I would not suggest downloading it on the fly.

The repository you refer to recommends it.

I scoured the Apple Docs, tutorials and many sample repositories while working out my own solution and never considered downloading it on device. It seems an obvious point of attack. The idea is that you can be positive that the certificate is valid at the point of shipping; if you download on the fly, you cannot be 100% sure where it came from.

Other tips

The Apple Root Certificate is preinstalled on the computer. However, if the user installs a fake root certificate, fake receipts can be validated. On the other hand, when the root certificate is changed or expires, you would not be able to validate receipts with your locally stored certificate, frustrating the users.
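
An added example, not part of either answer or of ReceiptKit: one way to evaluate a receipt's signing chain against only the bundled root, so that roots installed on the device play no part in the result. The resource name `AppleIncRootCertificate.cer`, the function and error names, and the `chain` input (DER certificates, leaf first, extracted from the receipt's PKCS#7 container by your parser) are assumptions.

```swift
import Foundation
import Security

enum AnchorError: Error {
    case missingBundledRoot, malformedCertificate
    case setupFailed(OSStatus)
    case untrusted(Error?)
}

// Load the root certificate that shipped in the app bundle.
// The resource name is an assumption; use whatever file you bundle.
func loadBundledRoot(named name: String = "AppleIncRootCertificate",
                     in bundle: Bundle = .main) throws -> SecCertificate {
    guard let url = bundle.url(forResource: name, withExtension: "cer"),
          let der = try? Data(contentsOf: url) else {
        throw AnchorError.missingBundledRoot
    }
    guard let root = SecCertificateCreateWithData(nil, der as CFData) else {
        throw AnchorError.malformedCertificate
    }
    return root
}

// Evaluate a DER-encoded chain (leaf first) against the bundled root only.
// SecTrustEvaluateWithError requires iOS 12 / macOS 10.14 or later.
func verifyChain(_ chain: [Data], anchoredTo root: SecCertificate) throws {
    let certs = chain.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
    guard !certs.isEmpty, certs.count == chain.count else {
        throw AnchorError.malformedCertificate
    }
    var trustRef: SecTrust?
    var status = SecTrustCreateWithCertificates(certs as CFArray,
                                                SecPolicyCreateBasicX509(), &trustRef)
    guard status == errSecSuccess, let trust = trustRef else {
        throw AnchorError.setupFailed(status)
    }
    // Replace the default anchor set with the bundled root, so system and
    // user-installed roots are not consulted.
    status = SecTrustSetAnchorCertificates(trust, [root] as CFArray)
    guard status == errSecSuccess else { throw AnchorError.setupFailed(status) }
    status = SecTrustSetAnchorCertificatesOnly(trust, true)
    guard status == errSecSuccess else { throw AnchorError.setupFailed(status) }

    var cfError: CFError?
    guard SecTrustEvaluateWithError(trust, &cfError) else {
        throw AnchorError.untrusted(cfError)
    }
}
```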

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow