 

In-app purchase promo codes break remote server verification?

Releasing promo codes for in-app purchases seems like it will prevent an app from (ever again) performing remote server purchase verification!

When a promo code is used for an in-app purchase (the PURCHASES_UPDATED broadcast), it will completely bypass the purchase flow, so the app has no chance to supply a "developerPayload", used for remote verification.

Later, when the app calls getPurchases() to get/verify owned products, the purchase data for promo purchases won't contain a "developerPayload" of course, but neither an "orderId", also useful for remote verification using the Google Play Developer API.

How is an app supposed to verify in-app purchases made with promo codes?

Allowing users to redeem promo codes through the Google Play Store app/site, thus bypassing the purchase flow, seems like a major oversight which shouldn't be possible.

Issue reports:

  • https://code.google.com/p/android/issues/detail?id=200722 (closed WrongForum)
  • https://github.com/googlesamples/android-play-billing/issues/7

Similar posts:

  • In-app purchases made via promo codes return empty developer payload string
ballzak asked Feb 13 '16 14:02


1 Answer

This is indeed a known security issue on Google's side, so I am going to suggest a workaround.

Along with the promo code, provide the users with a server id generated by your server; when getting a promo purchase, validate the server id and accept the purchase just once.

When using from the market, send the id with the referrer. When using from the app, have your own logic to provide the server id.

Bottom line: there is no other solution but to somehow identify the users with some sort of id.

Ilya Gazman answered Sep 21 '22 19:09
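The following is an added, server-side illustration of both halves of this thread and is not code from either poster or from Google's billing samples. It first shows what the question describes: a promo-code purchase record, in the shape of the INAPP_PURCHASE_DATA JSON returned by getPurchases(), lacks both "orderId" and "developerPayload", so the usual verification fields are simply absent. It then implements the answer's workaround: the server issues an id alongside each promo code, reads it back from the install referrer when the code was redeemed through the store, and accepts a promo purchase for that id exactly once, binding it to the purchaseToken so a replay with a fresh id is rejected too. The sample records, the `server_id` referrer parameter name and the `PromoServerIdStore` class are all constructed for this example; the in-memory dictionaries stand in for whatever database a real backend would use.

```python
import json
import secrets
from typing import Dict, Optional, Set
from urllib.parse import parse_qs

# Constructed sample records in the shape of the INAPP_PURCHASE_DATA JSON string
# that getPurchases() returns. The promo record, as the question reports, carries
# neither "orderId" nor "developerPayload". All values are made up for this example.
NORMAL_PURCHASE_JSON = json.dumps({
    "orderId": "GPA.0000-0000-0000-00000",   # placeholder, not a real Play order id
    "packageName": "com.example.app",
    "productId": "premium_upgrade",
    "purchaseTime": 1455372000000,
    "purchaseState": 0,
    "developerPayload": "user42:constructed-nonce",
    "purchaseToken": "token-normal-0001",
})
PROMO_PURCHASE_JSON = json.dumps({
    "packageName": "com.example.app",
    "productId": "premium_upgrade",
    "purchaseTime": 1455372000000,
    "purchaseState": 0,
    "purchaseToken": "token-promo-0001",
})


def missing_verification_fields(purchase_json: str) -> Set[str]:
    """Names of the fields normally used for remote verification that are
    absent (or empty) in one purchase record."""
    record = json.loads(purchase_json)
    return {name for name in ("orderId", "developerPayload") if not record.get(name)}


def is_promo_purchase(purchase_json: str) -> bool:
    """Per the question, a record with neither orderId nor developerPayload is
    what a promo-code redemption looks like to the app."""
    return missing_verification_fields(purchase_json) == {"orderId", "developerPayload"}


def server_id_from_referrer(referrer: str) -> Optional[str]:
    """Extract the server id from an install-referrer string. The referrer is
    query-string formatted; the 'server_id' key is this example's own convention."""
    values = parse_qs(referrer).get("server_id", [])
    return values[0] if values else None


class PromoServerIdStore:
    """Server-side bookkeeping for the answer's workaround: every promo code is
    handed out together with a server-generated id, and each id is accepted
    exactly once, tied to the purchaseToken it was redeemed with."""

    def __init__(self) -> None:
        self._issued: Dict[str, str] = {}    # server_id -> promo code it was issued with
        self._redeemed: Dict[str, str] = {}  # server_id -> purchaseToken it was spent on

    def issue(self, promo_code: str) -> str:
        """Generate an unguessable id to hand out alongside the promo code."""
        server_id = secrets.token_urlsafe(16)
        self._issued[server_id] = promo_code
        return server_id

    def redeem(self, server_id: str, purchase_json: str) -> bool:
        """Accept a promo purchase only if the id is ours, unused, and the
        purchaseToken has not already been credited under a different id."""
        if server_id not in self._issued or server_id in self._redeemed:
            return False
        if not is_promo_purchase(purchase_json):
            return False  # regular purchases keep using the orderId/payload path
        token = json.loads(purchase_json).get("purchaseToken")
        if not token or token in self._redeemed.values():
            return False  # same token replayed with a freshly issued id
        self._redeemed[server_id] = token
        return True


if __name__ == "__main__":
    store = PromoServerIdStore()
    sid = store.issue("SUMMER2016")
    print("promo record is missing:", missing_verification_fields(PROMO_PURCHASE_JSON))
    print("first redemption accepted:", store.redeem(sid, PROMO_PURCHASE_JSON))
    print("second redemption accepted:", store.redeem(sid, PROMO_PURCHASE_JSON))
```

The server id is generated with `secrets.token_urlsafe` so it cannot be predicted from the promo code, and acceptance is keyed on both the id and the purchaseToken: consuming the id blocks the obvious double-redeem, and remembering the token blocks crediting the same store purchase again under a second id.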