Trusted Entitlements: Making MiTM piracy a thing of the past
Blog post from RevenueCat
Cracking in-app purchases (IAP) has evolved from requiring a jailbroken device to being carried out through machine-in-the-middle (MiTM) piracy, particularly since iOS 12.2 made it easier to install on-device proxies. This shift has exposed significant weaknesses in apps that rely on backend-side receipt validation, including those powered by RevenueCat, because an attacker who intercepts and alters the API responses can unlock paid features without a valid purchase. In response, RevenueCat has introduced Trusted Entitlements in its latest SDK versions, which use public key cryptography: the backend signs its responses with a private key and the SDK verifies them with the corresponding public key. This approach counters MiTM tampering without resorting to SSL pinning, which is problematic because of certificate management issues. Trusted Entitlements come with different verification modes (disabled, informational, and an upcoming enforced mode), allowing developers to choose how verification failures are handled, thus protecting app revenue while preserving a fair experience for legitimate users.
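As an added illustration (not RevenueCat's SDK code), the following Go program models the sign-then-verify flow the post describes, using Ed25519 from the standard library; the mode names and the response shape are assumptions. A response body rewritten by a proxy no longer matches the signature, and each verification mode reacts to that failure differently.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// VerificationMode stands in for the post's three modes (names are assumed).
type VerificationMode int

const (
	Disabled VerificationMode = iota
	Informational
	Enforced
)

// SignedResponse is a constructed stand-in for an entitlements API response:
// the backend signs the exact JSON bytes of Body with its private key.
type SignedResponse struct {
	Body, Signature []byte
}

// Sign is the backend side: serialise the entitlements and sign the bytes.
func Sign(priv ed25519.PrivateKey, entitlements map[string]bool) SignedResponse {
	body, _ := json.Marshal(entitlements)
	return SignedResponse{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify is the client side. Enforced: a bad signature returns an error and no
// data. Informational: data is returned but flagged unverified. Disabled: no check.
func Verify(pub ed25519.PublicKey, r SignedResponse, mode VerificationMode) (map[string]bool, bool, error) {
	var ents map[string]bool
	if err := json.Unmarshal(r.Body, &ents); err != nil {
		return nil, false, err
	}
	if mode == Disabled {
		return ents, false, nil
	}
	ok := ed25519.Verify(pub, r.Body, r.Signature) // only the private-key holder can produce this
	if !ok && mode == Enforced {
		return nil, false, errors.New("entitlement response failed signature verification")
	}
	return ents, ok, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	resp := Sign(priv, map[string]bool{"pro": false})
	// A proxy that rewrites the body to unlock "pro" cannot re-sign it, so the check fails.
	tampered := SignedResponse{Body: []byte(`{"pro":true}`), Signature: resp.Signature}
	_, ok, err := Verify(pub, tampered, Enforced)
	fmt.Println(ok, err) // false entitlement response failed signature verification
}
```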