I'm new to android development but created an app and I implemented in-app purchase to remove ads from the app. I just did a very basic implementation and I basically check if the user has purchased the "no_ads" item and if it's true, then no ads are shown. The problem is that I see a lot of "purchases" bein logged on firebase and nothing on play console, which means of course that my users are using those hacking apps. So my question is, how to protect/verify those purchases agains a server so these haking apps are useless? I already have a server that my app uses, so there's no problem about implementing any server side code for me. It would be great if someone could point me to a tutorial. Thanks
When an app works with sensitive data there is always a security risk in storing the data on the device. If the device is lost or stolen the sensitive data is lost or worse, no longer confidential. A server-side app can prevent this.
Google Play's billing system is a service that enables you to sell digital products and content in your Android app. You can use Google Play's billing system to sell a one-time product or subscriptions on a recurring basis.
My small contribution to reduce fraud in in-app purchases
Signature verification on an external server, on your Android code :
verifySignatureOnServer()
private boolean verifySignatureOnServer(String data, String signature) {
String retFromServer = "";
URL url;
HttpsURLConnection urlConnection = null;
try {
String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8");
url = new URL(urlStr);
urlConnection = (HttpsURLConnection) url.openConnection();
InputStream in = urlConnection.getInputStream();
InputStreamReader inRead = new InputStreamReader(in);
retFromServer = convertStreamToString(inRead);
} catch (IOException e) {
e.printStackTrace();
} finally {
if (urlConnection != null) {
urlConnection.disconnect();
}
}
return retFromServer.equals("good");
}
convertStreamToString()
private static String convertStreamToString(java.io.InputStreamReader is) {
java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
return s.hasNext() ? s.next() : "";
}
verify.php on the root directory of web hosting
<?php
// get data param
$data = $_GET['data'];
// get signature param
$signature = $_GET['signature'];
// get key
$key_64 = ".... put here the base64 encoded pub key from google play console , all in one row !! ....";
$key = "-----BEGIN PUBLIC KEY-----\n".
chunk_split($key_64, 64,"\n").
'-----END PUBLIC KEY-----';
//using PHP to create an RSA key
$key = openssl_get_publickey($key);
// state whether signature is okay or not
$ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
echo "good";
} elseif ($ok == 0) {
echo "bad";
} else {
die ("fault, error checking signature");
}
// free the key from memory
openssl_free_key($key);
?>
NOTES:
You should encrypt the URL in your java code, if not the URL can be found easy with a simple text search in your decompressed app apk
Also better to change php file name, url arguments, good/bad reponses to something with no sense.
verifySignatureOnServer() should be run in a separated thread if not a network on main thread exception will be thrown. An alternative would be to use Volley.
IN-APP BILLING LIBRARY UPDATE
Using the library, the data to be verified is returned by Purchase.getOriginalJson()
and the signature by Purchase.getSignature()
Hope it will help ...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With