All geek questions in one place

Android - protection when purchasing server-side apps

I am new to Android development, but created an application, and I implemented an in-app purchase to remove ads from the application. I just made a very basic implementation, and I basically check if the user has purchased the "no_ads" element, and if this is true, ads will not show. The problem is that I see a lot of “purchases” recorded on firebase and nothing on the game console, which means, of course, that my users use these hacked applications. So my question is how to protect / check these purchases again on the server so that these fault applications are useless? I already have a server that uses my application, so there is no problem with implementing any server-side code for me. It would be great if someone could point me to a textbook. Thanks

+4
source share
3 answers

My little contribution to reducing app fraud

Verifying the signature on an external server on your Android code:

verifySignatureOnServer ()

  private boolean verifySignatureOnServer(String data, String signature) {
        String retFromServer = "";
        URL url;
        HttpsURLConnection urlConnection = null;
        try {
            String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8");

            url = new URL(urlStr);
            urlConnection = (HttpsURLConnection) url.openConnection();
            InputStream in = urlConnection.getInputStream();
            InputStreamReader inRead = new InputStreamReader(in);
            retFromServer = convertStreamToString(inRead);

        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (urlConnection != null) {
                urlConnection.disconnect();
            }
        }

        return retFromServer.equals("good");
    }

convertStreamToString ()

 private static String convertStreamToString(java.io.InputStreamReader is) {
        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";
    }

verify.php in the web hosting root directory

<?php
// get data param
$data = $_GET['data'];

// get signature param
$signature = $_GET['signature'];

// get key
$key_64 = ".... put here the base64 encoded pub key from google play console , all in one row !! ....";



$key =  "-----BEGIN PUBLIC KEY-----\n".
        chunk_split($key_64, 64,"\n").
       '-----END PUBLIC KEY-----';   
//using PHP to create an RSA key
$key = openssl_get_publickey($key);


// state whether signature is okay or not
$ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    die ("fault, error checking signature");
}

// free the key from memory
openssl_free_key($key);

?>

NOTES:

  • You should encrypt the url in your java code if the url cannot be easily found with a simple text search in your unpacked apk application

  • It is also better to change the php file name, url arguments, good / bad answers to something without meaning.

  • verifySignatureOnServer () should be run in a separate thread if a network is not selected if the main thread is excluded.

Hope this helps ...

+2
source
  • , .
  • , , .
  • valid, , .
+1

++ url/webservive.

Inapp

inapp

QueryPurchases queryInventoryAsync() ,

call auth https://accounts.google.com/o/oauth2/token access_token

inapp

https://www.googleapis.com/androidpublisher/v2/applications/ ( Packagename ) "/ purchase / products /" ( Sku strong>) "/ tokens / ( PurchaseToken )? access_token =" ( access_token )

  • Now you can make a server call for your products.
+1
source

Source: https://habr.com/ru/post/1692557/

More articles:


All Articles