Hi Joshua,
Thanks for getting back to us.
Let me elaborate on what we need for the in-app billing feature. After making a purchase, the Google Play server should respond with the following:
inapp_signed_data - a String representing the signed JSON string.
inapp_signature - a String representing the signature.
To verify the integrity of the response from Google, we need the entire JSON string without any manipulation. We need to send the entire string, along with the signature, to my own server, which will validate the data through our product ID and the public key obtained from our own Google market account portal.
The whole point of this is so that hackers can’t manipulate fake purchases, or fake item granting calls to our servers. Google, unfortunately, just took away their API which allows immediate query of past purchases (we can only query purchases made 5+ minutes ago), so the only way to verify purchases now is to check the integrity of the data saying “I paid $5 for item A”, and this data can only be signed and packaged by the Google Play server.
Some reference information is below, starting with the Google server response object:
http://developer.android.com/google/play/billing/billing_testing.html#billing-testing-static
"There are four reserved product IDs for testing static In-app Billing responses:
android.test.purchased
When you make an In-app Billing request with this product ID, Google Play responds as though you successfully purchased an item. The response includes a JSON string, which contains fake purchase information (for example, a fake order ID). In some cases, the JSON string is signed and the response includes the signature so you can test your signature verification implementation using these responses."
One note on making sure that you get signature data from Google. If you don’t do this, you don’t get any signature, which won’t allow you to verify the data.
http://crazyviraj.blogspot.com/2011/06/some-notes-on-implementing-in-app.html
"If you want valid signatures for the JSON responses as suggested by the table here, the 'debuggable' attribute in the app manifest should be set to false, even if you're using a release-key-signed APK and static responses. I was a little annoyed by this un-documented restriction because it basically meant that I had to resort to using logging as the only real means of debugging my code. If there is indeed some way to debug this using a debugger (and yet receive valid signatures), it’s definitely not obvious to me. Again, not a terribly big deal once you realize that this attribute actually seems to affect signatures, but that isn't documented anywhere."
Lastly, on the server side, here’s a code example of how we would verify the data passed down by Google.
http://code.google.com/p/android-market-license-verification/source/browse/trunk/samples/verify.php
We need to do all this work because the public key is possessed only at Google’s server and our own server. The client never keeps a copy so no hackers can generate fake signatures. When an item or progress is granted not on the client but on the publisher’s servers, this is the only way to ensure security.
12 days after Google removed the API to verify purchase history, hackers immediately found ways to fake purchases on our site. We’re now in a cat and mouse chase to shut down these hackers until a permanent solution is in place.
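
The server-side check described in the post above, as an added example that is not part of the original post and not the code from the linked verify.php. It assumes the signature scheme is SHA1withRSA (RSASSA-PKCS1-v1_5 over SHA-1), that the RSA modulus n and exponent e have already been extracted from the Base64 public key shown in the market account portal, and that the signed JSON carries an "orders" array with "orderId", "productId" and "purchaseState" fields; the function names are hypothetical.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_block(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||hash, k bytes long."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_signature(signed_data: str, signature_b64: str, n: int, e: int) -> bool:
    """Verify inapp_signature over the exact, unmodified inapp_signed_data string."""
    k = (n.bit_length() + 7) // 8
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # malformed Base64 (binascii.Error is a ValueError)
        return False
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Rebuild the full padded block and compare it whole, instead of
    # parsing the padding leniently.
    return hmac.compare_digest(recovered, expected_block(signed_data.encode("utf-8"), k))

def grant_purchases(signed_data, signature_b64, n, e, catalog, seen_orders):
    """Return the product IDs to grant; an empty list means reject the call."""
    if not verify_signature(signed_data, signature_b64, n, e):
        return []
    granted = []
    # Parse the JSON only after the signature over the raw string checks out.
    for order in json.loads(signed_data).get("orders", []):
        oid, pid = order.get("orderId"), order.get("productId")
        if pid not in catalog or order.get("purchaseState") != 0:
            continue  # unknown product, or not a completed purchase (assumed: 0)
        if not oid or oid in seen_orders:
            continue  # a validly signed response replayed a second time
        seen_orders.add(oid)
        granted.append(pid)
    return granted
```

In production seen_orders would be a persistent store, so a captured response cannot be replayed after a restart.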