Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

In App billing not working after update - Google Store

I have implemented In-App billing in my app - and very recently google has updated it,previously i was testing the in-app billing with "android.test.purchased" and it was working fine (Buy full Version and Restore full version).

Now i took the changed classes from here https://code.google.com/p/marketbilling/source/detail?r=7bc191a004483a1034b758e1df0bda062088d840

After that i am not able to test the app it gives the following error in the Logcat "IabHelper: In-app billing error: Purchase signature verification FAILED for sku android.test.purchased ".

I have checked with my key, package name and also app version all is proper, has any one faced this issue?

Please help me with this.

like image 934
Goofy Avatar asked Oct 23 '13 06:10

Goofy


People also ask

Why are in-app purchases not working?

Restart the device Tap Power off or Restart (depending on your device this text may be different). If needed, hold down the power button again to turn the device back on. Wait for the device to start back up. Re-open the app or game and check if the in-app purchase has been delivered.

Why are my in-app purchases not working android?

Clear the Cache To clear the cache, open Settings > Apps > and select the app that you facing problems with or the Play Store. On the App info page, select the Storage and Cache option and tap on Clear Cache. This should remove app's locally stored data and hopefully solves the problem.


2 Answers

I was the one informing Google Security Team about these security bugs. Please be patient until I do public disclosure of these bugs, as I granted Google time to fix them. If no big sites write about this problem I will disclose with a working exploit on 6 November.

As you already looked at verifyPurchase(), the bug should be obvious. If given signature is an empty String the method still returns true (as it returns true on default).

like image 27
Dominik Schürmann Avatar answered Jan 04 '23 17:01

Dominik Schürmann


This is because of the verifyPurchase() method in the Security class that has been change in the new fixes. Let me show you what is the exact problem is:

Security class changes

OLD CODE

 public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
          if (signedData == null) {
            Log.e(TAG, "data is null");
            return false;
        }

        boolean verified = false;
        if (!TextUtils.isEmpty(signature)) {
            PublicKey key = Security.generatePublicKey(base64PublicKey);
            verified = Security.verify(key, signedData, signature);
            if (!verified) {
                Log.w(TAG, "signature does not match data.");
                return false;
            }
        }
        return true;
    }

New Code

public static boolean verifyPurchase(String base64PublicKey,
            String signedData, String signature) {

    if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey)
                || TextUtils.isEmpty(signature)) {
        Log.e(TAG, "Purchase verification failed: missing data.");
            return false;
    }

    PublicKey key = Security.generatePublicKey(base64PublicKey);
    return Security.verify(key, signedData, signature);

}

According to what I have searched and tested from New code,

Why it happens because we will not get any signature while we are using dummy product like "android.test.purchased". So in the old code it is working good because we were return true even if signature is not given and for the New code we are returning false.

more information about the signature data null or blank from link1 and link2

So I suggest you just replace old code method verifyPurchase() instead of New Code method.

I think may be New Code will work fine for the real product but not in the dummy product. But yet I have not tested for the real product.

Let me search more about this, why they changed code and what is the purpose behind that.

EDIT:

BuildConfig.DEBUG will also give you the solution for the test purchases.

In the verifyPurchase I changed return false to:

 Log.e(TAG, "Purchase verification failed: missing data.");
        if (BuildConfig.DEBUG) {
                return true;
        }
        return false;

but you should be aware to use this only in test scenario's.

This will return true, if you have a debug build, and the signature data is missing. Since the BuildConfig.DEBUG will be false in a production build this should be OK. But better is to remove this code after everything is debugged.

I have edited some code in the verifyPurchase() method, check it below:

public static boolean verifyPurchase(String base64PublicKey,
        String signedData, String signature) {

    if (signedData == null) {
        Log.e(TAG, "data is null");
        return false;
    }

    if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey)
            || TextUtils.isEmpty(signature)) {
        Log.e(TAG, "Purchase verification failed: missing data.");
        if (BuildConfig.DEBUG) {
            Log.d("DeBUG", ">>>"+BuildConfig.DEBUG);
            return true;
        }
        return false;
    }

    PublicKey key = Security.generatePublicKey(base64PublicKey);
    return Security.verify(key, signedData, signature);
}

I got this from GvS's answer android in app billing purchase verification failed.

hope it is helpful for you.

like image 189
Maulik Avatar answered Jan 04 '23 16:01

Maulik