In app purchase validation
I am using the In App Purchase ANE with Android.
I would like to do a server side validation of the purchase.
In your security recommendation you wrote to make sure to check the returned data signature, the orderId, and the developerPayload String.
I understand that I can get the signature and developer payload from the Purchase object received in the PURCHASE_SUCCESS listener.
Where can I get the signed data for the verification with the signature?
As I understand I need it for the verification with the signature.
Also, is the transactionId field in the Purchase object the orderId mentioned above?
-
Nicolas commented
Hello
I'm having real issues with server side verification. Using this old method, here's what I get:
1) I can't get the signature to be base64_decoded (I guess I need to)
2) Decoded or not, openssl_verify always returns 0 (== not good)
What I did:
    // Wrap the base64 key from the Play Console in PEM headers so OpenSSL can parse it
    $openSslFriendlyKey = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($MY_APP_KEY, 64, "\n") . "-----END PUBLIC KEY-----\n";
    $phpkey = openssl_get_publickey($openSslFriendlyKey);
    if ($phpkey === false)
    {
        // didn't go there, although $phpkey is null if output
    }
    else
    {
        // strict mode: input that is not valid base64 is rejected instead of silently skipped
        $signature = base64_decode($signature, true); // this outputs null
        $sslret = openssl_verify($orig_msg, $signature, $phpkey); // this returns 0
    }
I also tried the new OAuth2 way, but ran into some other issues:
http://stackoverflow.com/questions/25793958/verifying-a-users-android-in-app-billing
But honestly the simple openssl_verify would suffice if I could get it to work.
Regards,
Nicolas
-
Also,
In case you're wondering, the transactionReceipt is the orderId on Android, but not required for validation.
Cheers,
Michael
-
Hi,
The fields you'll be using on Android are:
signature - the signature of the purchase
originalMessage - the json data of the message
"Google Play uses the private key that is associated with your application in the Developer Console to create this signature." So on your server you basically do the following:
openssl_verify ( originalMessage, signature, YOUR_GOOGLE_PUBLIC_KEY )
See this for more information and how to obtain the key:
http://developer.android.com/google/play/billing/billing_integrate.html#billing-security
Cheers,
Michael
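As an added example (not code from this thread or from the ANE), here is the server-side check Michael describes carried through in PHP: the base64 key from the Play Console is wrapped into a PEM block, the base64 signature is decoded, openssl_verify checks originalMessage against it with RSA-SHA1, and the decoded JSON is then checked for orderId and developerPayload. The key pair, purchase JSON, orderId and payload at the bottom are constructed for a self-test; in production the key is your application's Google public key and the message and signature come from the Purchase object.

```php
<?php
// Google Play signs the purchase JSON with RSA-SHA1 using your app's private key;
// the Play Console gives you the matching public key as base64 without PEM headers.
function pemFromBase64Key(string $base64Key): string {
    return "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split($base64Key, 64, "\n")
        . "-----END PUBLIC KEY-----\n";
}

// Returns the decoded purchase array on success, null on any failure.
function verifyPlayPurchase(string $originalMessage, string $base64Signature,
                            string $base64PublicKey, string $expectedPayload): ?array {
    $signature = base64_decode($base64Signature, true); // false if not valid base64
    if ($signature === false) { return null; }
    $key = openssl_pkey_get_public(pemFromBase64Key($base64PublicKey));
    if ($key === false) { return null; }
    // openssl_verify returns 1 only when the signature matches; 0 or false mean reject
    if (openssl_verify($originalMessage, $signature, $key, OPENSSL_ALGO_SHA1) !== 1) { return null; }
    $purchase = json_decode($originalMessage, true);
    if (!is_array($purchase) || empty($purchase['orderId'])) { return null; }
    // developerPayload ties the receipt to the user/session that started the purchase
    if (!hash_equals($expectedPayload, (string)($purchase['developerPayload'] ?? ''))) { return null; }
    return $purchase;
}

// Self-test with a constructed key pair and a constructed purchase (placeholder orderId).
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$details = openssl_pkey_get_details($pair);
$pubBase64 = str_replace(["-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----", "\n"], '', $details['key']);
$message = json_encode(['orderId' => 'GPA.0000-0000-0000-00000', 'packageName' => 'com.example.app',
    'productId' => 'coins_100', 'purchaseState' => 0, 'developerPayload' => 'user42:session7']);
openssl_sign($message, $sig, $pair, OPENSSL_ALGO_SHA1);
$ok  = verifyPlayPurchase($message, base64_encode($sig), $pubBase64, 'user42:session7');
$bad = verifyPlayPurchase($message . ' ', base64_encode($sig), $pubBase64, 'user42:session7'); // tampered
echo ($ok !== null && $bad === null) ? "verification works\n" : "verification broken\n";
```

Check the orderId from the verified JSON against orders you have already credited so a replayed receipt is not honoured twice.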