Server-side verification of Android Market Licensing responses with PHP

Question

I'm building a server to test all my in-app purchases of Android market. But I don't think that I'm sending the information from the app correctly. My server is built in PHP.

My app access the url:

...&response={...json...}&signature={...signature...}

The signature is previously encoded with URLEncoder.encode(signature,"UTF-8")

My server:

$response = $_GET["response"];
$signature = htmlspecialchars(urldecode($_GET["signature"]));

And then I execute the verification process. I think the problem comes from the way that I'm passing the arguments from the app to server, because if I copy the response and signature manually and test them, the verification function says that they are valid.

URL:

...&response={"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16 Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.aceventura3","purchaseTime":1331037005000,"purchaseState":0,"developerPayload":"Ace Ventura 3"}]}&signature=EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi%2Bd1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8%2FN7p41euzb1n1%2FgZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs%2Bl0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS%2B4LG1YxmJIsxhJnOcmNI7n2VKUdtn%2B0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg%3D%3D

Vardump

Response

string '{"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16 Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx'... (length=617)

Signature

string 'EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi d1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8/N7p41euzb1n1/gZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs l0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS 4LG1YxmJIsxhJnOcmNI7n2VKUdtn 0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg==' (length=344)

Answer 1

When using URL Encode php will automatic decode data so if your re-decoding it it's going to break something, I have had this problem before

URL encoding is for the browser so stuff like & in a string sent though get does not act as new parameter in GET

so for you code htmlspecialchars(urldecode($_GET["signature"])); should be htmlspecialchars($_GET["signature"]);

I know this has been answered by comments but Added answer for Googlers