How to get Google USER ID (not the device ID) for sure?

Question

There are several methods to identify a device - IMEI/IMSI/ESN, GoogleID, your own encrypted GUID, saved in private store, etc. But as long as people switch their devices every 3-6 months it's important to identify not the device but exactly the user.

We know that Google uses unique id to identify a user (an email) to allow to purchase on Google Play and so on. Also we know that Google denied devs to access this ID, save it and use for spam for example. Actually, now we can get it using Account Manager, at least one of them. At least I don't know how distinguish which account is active and is used to purchase my app.

In Widows Phone I see a wise approach: system gives a developer some hash from user's account id/email. So you can do nothing with it except just identify your user. Exactly what I want to do! Even if somebody will stole this ID he can't use it as email or whatever.

So I search something alike. Still I didn't find unambiguous info about how securely identify a user. There are many posts, many opinions, but still no clear and understandable way.

In IAP security scheme so far I think of getting all the google accounts on device and remember double-md5 of them on my or Google server for particular purchase / order_no. Later, when any instance of my app will request this purchase, sending double-md5 of its owner google-id, server will compare if at least one of accounts it remember for this particular purchase/order_no is equal to that id, and then will reply appropriately.

But maybe there is more clear scheme?

Answer 1

The Android developers who implemented the in-app billing api should have added a simple function that returned a hash of the Google account email currently being used with in-app purchases. The hash makes it pretty much impossible to use it for anything other than determining unique purchasing identity. Also, an array of hashes of the current list of Google email accounts.

Yes, there is a way around it by getting a list of accounts using AccountManager, but this requires additional permissions and obtaining the user's email addresses, which, for the purposes of in-app purchasing seems like overkill and actually undesirable if all one wants to do is verify the user's unique purchasing identity.

The array of hashes of the current list of Google email accounts could be used to verify whether any of the current Google email accounts currently on the device was used in the original purchase of the in-app billing item.