Java
kolayuk, 2014-02-07 02:29:23

How to implement in-app purchase protection for Android?

Hello, I am writing a game for Android now and I am thinking of monetizing it with in-app purchases. I use In App Billing v3; more precisely, I slightly extended the standard IabHelper example. I found that it is hacked once or twice with the help of Freedom. Does anyone know how to avoid this, or how this devilry even works? I'm generating a custom payload based on the time of purchase and the user's Google account, but that doesn't help. The docs advise checking the signature of the result on the server, but as I understand it, Freedom simply replaces the card and the purchase proceeds as usual (see screenshot yfrog.com/oezpecp), so in theory the signature should be normal. Is there any point in bothering with the server? And how do I check it: sign the received JSON with the application key, and the signature should come out? (I have had no dealings with encryption and certificates before.) Does anyone know how to make the application not breakable by Freedom? A friend who tinkers with all these cracking tools says that not all applications are displayed there, and some still do not break; a window pops up saying it is not supported ...

3 answer(s)
Sergey Lerg, 2014-02-07
@Lerg

Anyone who wants to bypass purchases will not spend anything anyway.
I advise you not to bother with this.
If you still want to protect yourself, then you need to run your own server and ask it whether a purchase was really made (by receipt). But keep in mind that if something goes wrong with it, conscientious users will run into problems, and the application will receive angry reviews.

OnYourLips, 2014-02-07
@OnYourLips

Better to spend the time you want to spend on defending your program against client-side changes on refining the program instead.
Redesign the program so that 100,500 units of game currency "purchased" by the user for free do not introduce imbalance into the game.

sindo, 2014-10-04
@sindo

If you want to implement purchase protection (from Freedom, etc.), then just follow the instructions. Check your signature! I think it's stupid to set up a separate server for signature verification; it's enough to check in the APK. If someone changes the APK, then anyone can change it; here you can only apply code obfuscation to make it more difficult.
The whole scheme of making purchases is quite safe, and the fact that Freedom works is, I think, just the developers being too lazy to check. Freedom cannot forge a signature. The signature is generated by your application's private key, which is stored on the Google server. In the APK you can store the public key and use it to verify the signature. Also, you should use a random string in each new request; then the response will have a new signature, which will protect you from having an old response slipped to you.
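
The check described in the answer above (verify the signature with the public key, and require the response to carry the random string sent with this request), as an added example that is not code from the thread or from the IabHelper sample. The class and method names, the `coins_100` product and the locally generated key pair are constructed for the demonstration; on Android, `android.util.Base64` and `org.json.JSONObject` would replace `java.util.Base64` and the regex.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.regex.*;

public class PurchaseCheck {
    // Simplified field extraction; on Android parse the JSON with org.json.JSONObject.
    static final Pattern PAYLOAD = Pattern.compile("\"developerPayload\"\\s*:\\s*\"([^\"]*)\"");
    /** True only if the signature covers signedData AND its payload is the nonce we issued. */
    static boolean isValid(String pubKeyB64, String signedData, String sigB64, String nonce) {
        if (signedData == null || sigB64 == null || sigB64.isEmpty()) return false; // fail closed
        try {
            PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                    new X509EncodedKeySpec(Base64.getDecoder().decode(pubKeyB64)));
            Signature sig = Signature.getInstance("SHA1withRSA"); // as in the IabHelper sample
            sig.initVerify(key);
            sig.update(signedData.getBytes(StandardCharsets.UTF_8));
            if (!sig.verify(Base64.getDecoder().decode(sigB64))) return false;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // bad key, bad Base64 or malformed signature
        }
        Matcher m = PAYLOAD.matcher(signedData);
        return m.find() && MessageDigest.isEqual(m.group(1).getBytes(StandardCharsets.UTF_8),
                nonce.getBytes(StandardCharsets.UTF_8));
    }
    static String newNonce() { // fresh random string sent as developerPayload
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the store's; only the public half ships in the APK.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String pub = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
        String nonce = newNonce();
        // Constructed sample purchase data, signed here the way the store would sign it.
        String data = "{\"productId\":\"coins_100\",\"developerPayload\":\"" + nonce + "\"}";
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getEncoder().encodeToString(s.sign());
        System.out.println("genuine:  " + isValid(pub, data, sig, nonce));
        System.out.println("replayed: " + isValid(pub, data, sig, newNonce()));
        System.out.println("tampered: " + isValid(pub, data.replace("coins_100", "coins_9999"), sig, nonce));
        System.out.println("unsigned: " + isValid(pub, data, "", nonce));
    }
}
```

Only the genuine case is accepted: the replayed response carries a payload from an earlier request, the tampered data no longer matches its signature, and a missing signature is rejected rather than skipped.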
