I'm new to android development but created an app and I implemented in-app purchase to remove ads from the app. I just did a very basic implementation and I basically check if the user has purchased the "no_ads" item and if it's true, then no ads are shown. The problem is that I see a lot of "purchases" bein logged on firebase and nothing on play console, which means of course that my users are using those hacking apps. So my question is, how to protect/verify those purchases agains a server so these haking apps are useless? I already have a server that my app uses, so there's no problem about implementing any server side code for me. It would be great if someone could point me to a tutorial. Thanks
3 Answers
Answers 1
My small contribution to reduce fraud in in-app purchases
Signature verification on an external server, on your Android code :
verifySignatureOnServer()
private boolean verifySignatureOnServer(String data, String signature) { String retFromServer = ""; URL url; HttpsURLConnection urlConnection = null; try { String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8"); url = new URL(urlStr); urlConnection = (HttpsURLConnection) url.openConnection(); InputStream in = urlConnection.getInputStream(); InputStreamReader inRead = new InputStreamReader(in); retFromServer = convertStreamToString(inRead); } catch (IOException e) { e.printStackTrace(); } finally { if (urlConnection != null) { urlConnection.disconnect(); } } return retFromServer.equals("good"); } convertStreamToString()
private static String convertStreamToString(java.io.InputStreamReader is) { java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; } verify.php on the root directory of web hosting
<?php // get data param $data = $_GET['data']; // get signature param $signature = $_GET['signature']; // get key $key_64 = ".... put here the base64 encoded pub key from google play console , all in one line !! ...."; $key = "-----BEGIN PUBLIC KEY-----\n". chunk_split($key_64, 64,"\n"). '-----END PUBLIC KEY-----'; //using PHP to create an RSA key $key = openssl_get_publickey($key); // state whether signature is okay or not $ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1); if ($ok == 1) { echo "good"; } elseif ($ok == 0) { echo "bad"; } else { die ("fault, error checking signature"); } // free the key from memory openssl_free_key($key); ?> NOTES:
You should encrypt the URL in your java code.
Also better to change php file name and url arguments names to something with no sense
Hope it will help ...
Answers 2
- Add entry in database when user make in-app purchase.
- When user open your app check whether purchase is valid or invalid.
- If valid then proceed to next activity otherwise show error message.
Answers 3
For Security you may add Native Code in C++ and do the url/webservive call from it.
For the Inapp verification
login time inapp verification of item purchase and in offline store using native
Call QueryPurchases queryInventoryAsync() method to get the Item purchase
call auth https://accounts.google.com/o/oauth2/token for access_token
call inapp verification
https://www.googleapis.com/androidpublisher/v2/applications/(Packagename)"/purchases/products/"(Sku)"/tokens/(PurchaseToken)?access_token="(access_token)
- Now you can do server call for your products
0 comments:
Post a Comment