Android
AlexKareev, 2014-10-04 11:25:27

In-App Purchase protection for Android is perfect, why does Freedom work?

Hello,
I want to add in-game purchases to an Android application. I read the documentation. I see that the scheme that Google uses is cryptographically secure. The response is signed with the application's private key on the Google server, which ensures that no one can alter or forge the server's response in the middle. Also, in the request we can pass a random string and check it in the response; this ensures that we are not given some past (other) valid server response.
I.e., to follow the scheme, it is enough for us to generate a random string and check it in the response and check the response signature with our public key, and it is enough to do all this in the apk itself.
But I see that the entire Internet is clogged with problems of hacking in-game purchases. People easily break them with Freedom or something like that, although this scheme, as far as I understand, has always been like that. Many try to protect themselves and create a special server to check purchases on it. Although if the developers are afraid that the apk will be hacked and bypass the signature verification in it or change the public key, then with the same success they can change all communication with the game server in it. In one case or another, some kind of obfuscation is needed here to make it just difficult.
Questions:
1) Actually, the question is: why does Freedom work? Do most developers simply forget about elementary signature verification?
2) Why do people build an additional server that only checks the validity of purchases?
3) Maybe I'm missing something and checking the signature in apk is not enough?
Update: Upon closer inspection, I saw that Google doesn't use the standard token + signature scheme for all requests after all. Freedom of course will not work if you check the signature, but because Google tied developerPayload and the signature to a specific purchase, and not to a request, a lot of options open up for a man-in-the-middle attack on these requests: getting the list of all purchases, which is made at the start of the application, and consuming purchases. Why Google made such a "wrong" scheme remains a mystery to me :(


2 answer(s)
GavriKos, 2014-10-04
@GavriKos

1) The old versions of the payment system are still working and they are more susceptible to hacking.
2) According to the Google manual, it is not necessary to check the signature - that's why everyone does not check.
3) The additional server is described in the Google manual.
The numbers in the answer are not linked to the numbers in the question.

grcool, 2014-10-17
@grcool

We use both server validation and our own checks, but this still does not save us from hacking.
Do not think that we are pinching pennies; it is just that this is a network game, and it is very important not to let cheaters destroy the entire economy.
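
The server-side validation discussed in this thread, as an added example that is not part of any post and is not Google's code: it verifies the signature over the purchase JSON (SHA1withRSA, as in Google's sample billing code) and accepts each server-issued developerPayload only once, so a replayed signed purchase is refused. `Verifier`, `Grant`, `Demo`, the throwaway key that stands in for Google's, and the sample JSON are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Verifier is a hypothetical game-server check, not a Google API.
type Verifier struct {
	Pub    *rsa.PublicKey  // the app's Play licensing key (a throwaway key below)
	Issued map[string]bool // developerPayload nonces handed out and not yet used
}

// Grant returns the product to credit, or an error if nothing may be credited.
func (v *Verifier) Grant(data, sigB64 string) (string, error) {
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // bad base64 fails the check below
	sum := sha1.Sum([]byte(data))                      // SHA1withRSA over the raw JSON
	if rsa.VerifyPKCS1v15(v.Pub, crypto.SHA1, sum[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var p struct{ ProductID, DeveloperPayload string }
	if json.Unmarshal([]byte(data), &p) != nil || !v.Issued[p.DeveloperPayload] {
		return "", errors.New("payload not issued here or already used")
	}
	delete(v.Issued, p.DeveloperPayload) // one-time: a replayed purchase is refused
	return p.ProductID, nil
}

// Demo returns a verifier and a signer standing in for Google's server.
func Demo() (*Verifier, func(string) string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Verifier{&priv.PublicKey, map[string]bool{"n-1": true}}, func(data string) string {
		sum := sha1.Sum([]byte(data))
		sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, sum[:])
		return base64.StdEncoding.EncodeToString(sig)
	}
}

func main() {
	v, sign := Demo()
	d := `{"productId":"gems","developerPayload":"n-1"}` // constructed purchase data
	fmt.Println(v.Grant(d, sign(d))) // first report of the purchase: credited
	fmt.Println(v.Grant(d, sign(d))) // same signed purchase again: refused
}
```

The nonce set lives on the server, so patching the apk does not change what gets credited.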
