So recently I bought Ethernet Status and activated the full version for an added €2.29 ($1.99 I guess…) and activated the full features. I still have the confirmation e-mail.
Today I noticed the "Full version", apparently, was no longer active:
So I click the "Check Full Version Features", no big deal, and should be able to re-activate. Just click "Restore Purchase", right?
And then it hits me…
This is no native Apple UI, is it? How can I be sure it's not just the app trying to trick me into entering my AppStore password? Who's to say it won't send my entered credentials to the maker (or anyone, for that matter)?
I entered an incorrect(!) password while I let WireShark watch over my shoulder; hoping I could see something fishy. But I couldn't find anything proving either way; no direct link to Apple and no direct link elsewhere. A bunch of IP's, a lot of traffic (tried to close as much applications as I could) and most, if not all, of it encrypted with SSL. Nothing of interest to see actually and the amount of data is a bit too overwhelming for me to make sense of it.
Could anyone confirm or disprove my suspicions? Any advise (besides not entering my actual password in that UI)? I may have even entered my AppStore password when I initially installed and immediately upgraded; thank god I also use 2FA and I have changed my password moments ago just to err on the safe side. So now I'm left with an app that I suddenly don't trust (which may be unjust!) and not sure if I should go ahead…
Best Answer
Apparently, starting and logging into iTunes and going to the Account -> View my account -> All purchases , as ankii mentioned:
If you don't see your in-app purchases
See your purchase history on your computer
When you go back to Ethernet Status and then click "Restore Purchase" you're already logged in to iTunes and it doesn't prompt for credentials. Problem solved!
Also: Enable 2FA. That's not only a good idea for Apple/iCloud but it always is, everywhere. Whenever 2FA is supported, enable it!. It may be a pain in the behind at times, but the alternative, a hacked account, will be much, much worse.