Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Fraud Google Play Order ID received

I have implemented In App Billing for my Android app.

After a feature is purchased in my app, I have been collecting the Purchase bundle of that purchase order to my local server.

I don’t know what’s wrong or happened, but I observed a few purchase orders on my local server, which are not reflected on the merchant page.

When I check the purchase orders at my server, I found something strange like, the Order ID for that purchase is found as

Order ID  <19 Digit number>.<16 Digit Number>
  say <1234567891234567891>.<1234567891234567>

According to Google,

The order number itself is a string consisting of numbers only, with a format assigned and managed by Google.

For transactions dated 5 December 2012 or later, Google payments assigns a Merchant Order Number (rather than a Google Order Number) and reports the Merchant Order Number as the value of orderId. Here's an example:

"orderId" : "GPA.1234-5678-9012-34567"

For transactions dated previous to 5 December 2012, Google checkout assigned a Google Order Number and reported that number as the value of orderId. Here's an example of an orderId holding a Google Order Number:

"orderId" : "556515565155651"

The orders which are shown at the merchant page are in the following format:

"orderId" : "GPA.1234-5678-9012-34567"

Questions:

  1. Is the OrderId other than the format is considered as fraud?

  2. How to validate an actual purchase in case of fraud orders (i.e Order ID <19 Digit number>.<16 Digit Number>)?

like image 549
Pushpa Avatar asked Aug 01 '16 09:08

Pushpa


Video Answer


1 Answers

  1. Yes, non-valid orderIds have a deviant format. If it’s not fraud, it’s an improper order with no effective revenue.
  2. You validate¹ all purchases the same way; the result tells you if it’s admissible or not.

Please note: This answer is merely based on approx. four years of (subscription) data, because specific documentation is not known. Still, some patterns emerge:

  • A valid token is always 144 characters long, with a dot-separated, 119-character, Base64ish portion after the initial [a-z]{24} part, which defraud attempts solely consist of (e.g. eiorsfdmklehiojapofmknoe).
  • Proper orderIds always look like GPA\.[1-9][0-9]{3}(-[0-9]{4}){3}[0-9] (e.g. GPA.3479-1780-0192-98654).
  • Non-valid orderIds exhibit a format like [1-9][0-9]{18}\.[0-9]{16} (e.g. 2394627089137670234.7256937842057394).

By these and such rules, you can strictly check for the success case (which should be >90%), and otherwise do any combination of actions:

  • revoke granted features
  • inform your user/customer
  • alert your administrators/staff to check those cases individually
  • derive further rules from those instances

¹ To validate purchases, there’s get for products and get for subscriptions in the “Subscriptions and In-App Purchases API” part of the Google Play Developer API.

like image 98
dakab Avatar answered Oct 09 '22 04:10

dakab