Android - protecting in app purchases with server side verification

Asked 23/1, 2018 at 1:12 Answered 27/4 at 14:7

I'm new to android development but created an app and I implemented in-app purchase to remove ads from the app. I just did a very basic implementation and I basically check if the user has purchased the "no_ads" item and if it's true, then no ads are shown. The problem is that I see a lot of "purchases" bein logged on firebase and nothing on play console, which means of course that my users are using those hacking apps. So my question is, how to protect/verify those purchases agains a server so these haking apps are useless? I already have a server that my app uses, so there's no problem about implementing any server side code for me. It would be great if someone could point me to a tutorial. Thanks

Kirsch answered 23/1, 2018 at 1:12 Comment(5)

developer.android.com/training/safetynet/recaptcha.html – Matadi 23/1, 2018 at 1:41

Have you used firebase authentication in your firebase database rules? – Wording 25/1, 2018 at 7:14

Well, don't check Firebase, check Google Play - the source of truth for purchases. developer.android.com/google/play/billing/api.html "When your application starts or user logs in, it's good practice to check with Google Play to determine what items are owned by the user. To query the user's in-app purchases, send a getPurchases request. If the request is successful, Google Play returns a Bundle containing a list of product IDs of the purchased items, a list of the individual purchase details, and a list of the signatures for the purchases." – Irmine 28/1, 2018 at 10:27

hi @EugenPechanec, that's what I do currently, but it can be bypassed by those hacking tools like freedom etc, that's what I want to avoid – Kirsch 28/1, 2018 at 22:56

are you referring to storage security? – Playlet 31/1, 2018 at 18:44

My small contribution to reduce fraud in in-app purchases

Signature verification on an external server, on your Android code :

verifySignatureOnServer()

  private boolean verifySignatureOnServer(String data, String signature) {
        String retFromServer = "";
        URL url;
        HttpsURLConnection urlConnection = null;
        try {
            String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8");

            url = new URL(urlStr);
            urlConnection = (HttpsURLConnection) url.openConnection();
            InputStream in = urlConnection.getInputStream();
            InputStreamReader inRead = new InputStreamReader(in);
            retFromServer = convertStreamToString(inRead);

        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (urlConnection != null) {
                urlConnection.disconnect();
            }
        }

        return retFromServer.equals("good");
    }

convertStreamToString()

 private static String convertStreamToString(java.io.InputStreamReader is) {
        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";
    }

verify.php on the root directory of web hosting

<?php
// get data param
$data = $_GET['data'];

// get signature param
$signature = $_GET['signature'];

// get key
$key_64 = ".... put here the base64 encoded pub key from google play console , all in one row !! ....";



$key =  "-----BEGIN PUBLIC KEY-----\n".
        chunk_split($key_64, 64,"\n").
       '-----END PUBLIC KEY-----';   
//using PHP to create an RSA key
$key = openssl_get_publickey($key);


// state whether signature is okay or not
$ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    die ("fault, error checking signature");
}

// free the key from memory
openssl_free_key($key);

?>

NOTES:

You should encrypt the URL in your java code, if not the URL can be found easy with a simple text search in your decompressed app apk
Also better to change php file name, url arguments, good/bad reponses to something with no sense.
verifySignatureOnServer() should be run in a separated thread if not a network on main thread exception will be thrown. An alternative would be to use Volley.

IN-APP BILLING LIBRARY UPDATE

Using the library, the data to be verified is returned by Purchase.getOriginalJson() and the signature by Purchase.getSignature()

Hope it will help ...

Aerostatics answered 30/1, 2018 at 22:58 Comment(3)

where do I get that data and signature from to use in verifySignatureOnServer? – Kirsch 31/1, 2018 at 2:11

From the Bundle returned by getPurchases . The same data and signature you said you already verify in a comment to your question – Aerostatics 31/1, 2018 at 7:41

Good solution but pay attention to well securizes PHP :-) code and well obfuscates client side code that call remote server – Dramamine 27/4 at 16:3

Add entry in database when user make in-app purchase.
When user open your app check whether purchase is valid or invalid.
If valid then proceed to next activity otherwise show error message.

Immesh answered 30/1, 2018 at 11:49 Comment(2)

This is not a secure approach & also doesn’t answer the question. – Bernardo 21/8, 2019 at 6:51

Agree with darshan comment – Dramamine 27/4 at 10:33

I think the best current way to do it with a middle level of security (It is no good dreaming) is to uses the Google App Licensing guideline but with adding server-side license verification option like It is described in this official document.

Dramamine answered 27/4 at 14:7 Comment(0)

Recommended topics

Hot tags