Google Play Order ID updated to new format

2

15

All my recent Android app purchases show a new order ID format.

The OLD format:

[merchant ID].[actual order ID]

We could use this format to check if the prefix of the order ID matches with the merchant ID and prevent possible hacks by apps like Freedom.

The NEW format:

GPA.1234-5678-9123-45678
  • All my recent orders start with "GPA." (yes the additional dot is also there)
  • There is a 17 digit number divided into 4 blocks
  • The first 3 blocks contain 4 digits each and the last having 5 digits

I want to know what this number represents, the significance of the sub-blocks, and whether the merchant ID is included anywhere.

Pretrice answered 24/7, 2015 at 4:32 Comment(3)
We have noticed the same thing. Appears to have started on 22.07.2015. – Messmate
Exactly the same problem here. I know only that "6547967659017925362.8852561051676274" is the old order ID format, but it is unclear whether e.g. some old devices can still generate those old IDs. I couldn't find those order IDs in the Google Play Console under "Order management" either. – Ornate
I have the same question as @Ram, but according to the answer below, the old Google order ID format should be <20>.<17>. But we both have <19>.<16> digits. So I cannot confirm whether it is true. (If you count it carefully: "6547967659017925362.8852561051676274") – Embolic
11

Actually, I asked Google when they alerted about the new order ID format in May 2015, inside the Google developer console notification icon (where they usually alert about new supported countries etc.). They said GPA is short for Google Play Apps. Based on the notification, this change should have been done in June 2015, but they didn't do it, and I thought it was cancelled. I was wrong.

EDIT(2): I have found 2 types of order ID now: GPA (it's just the letters GPA, not numbers).(17 digits actual order ID) and (20 digits merchant ID).(17 digits actual order ID)

EDIT(3): Google just replied to me, and GPA.1234-5678-9012-34567 is the final form of the order play. They told me not to use the merchant ID to check the purchase, and to use the purchase token instead. No technical support is available currently. I still haven't found the best way to solve this though. And to verify whether the purchase is valid, they told me not to use the order ID, but the purchase token, using the Google API for server-side verification. It's more complex but it seems it can prevent the Freedom hack: https://github.com/soomla/android-store/issues/47

*Sorry for my bad English.

Eloiseelon answered 24/7, 2015 at 10:18 Comment(8)
How are you getting 20 digits there? I have only 16 on all my orders. – Pretrice
Huh? GPA is 20 digits at my place and my other dev friend's. It's the actual order ID which has 16 digits (with XXXX-XXXX-XXXX-XXXX format). – Eloiseelon
Just checked again and now it shows the merchant ID. XXXX-XXXX-XXXX-XXXXX... I think this system is not stable yet... and now the jsondata also shows the last 17 digits order ID. – Eloiseelon
Any idea what this data signifies? – Pretrice
I just edited my post. I found that, in my case, GPA = merchant ID. And I don't know why they renewed the actual order ID. Maybe you'll need to email their user support for that. – Eloiseelon
Sorry, I didn't understand that GPA means the letters GPA. I just sent an email to Google to ask for more information. – Eloiseelon
Does anyone know if they are still including "..0" "...1" on subscriptions to indicate subsequent payments? – Perspective
Based on the notification, subscriptions will still have ..0 at the end of the order ID, after the 17 digits actual order ID. – Eloiseelon
2

I don't know the reason for this change, nor how they informed us about it. Checking the order ID against our merchant ID was a good way to avoid hacking.

Anyway, I've been thinking fast to solve this situation and the only solution I see is to use the Google API to check that specific purchase.

https://developers.google.com/android-publisher/api-ref/purchases/products/get

Sending the packageName, product ID and the token, then checking whether that purchase even exists or whether the developerPayload is the same.

Please correct me or give more ideas to fix this issue ASAP.

Cheers

Stickney answered 24/7, 2015 at 11:55 Comment(0)
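
The server-side check described in the answers above, as an added example that is not part of the original posts: the purchase token is looked up with purchases.products.get and the purchase is granted only if Google knows it, it is in the purchased state, and the developerPayload matches. `fetch_purchase` is a hypothetical helper standing in for the authenticated API call, the sample responses are constructed, and the replay check on already-redeemed tokens goes beyond what the posts mention.

```python
import hmac

PURCHASED = 0  # purchaseState of a completed purchase in the API response

class PurchaseRejected(Exception):
    pass

def verify_purchase(fetch_purchase, seen_tokens, package_name, product_id,
                    purchase_token, expected_payload):
    """Return the order ID if Google confirms the purchase, else raise.

    fetch_purchase is a hypothetical helper: it makes the authenticated
    purchases.products.get call and returns the JSON body, or None on 404.
    seen_tokens is the server's record of tokens already granted.
    """
    if purchase_token in seen_tokens:
        raise PurchaseRejected("token already redeemed")
    record = fetch_purchase(package_name, product_id, purchase_token)
    if record is None:  # a locally forged purchase has no record at Google
        raise PurchaseRejected("purchase unknown to Google Play")
    if record.get("purchaseState") != PURCHASED:
        raise PurchaseRejected("purchase not completed")
    payload = record.get("developerPayload", "")
    if not hmac.compare_digest(payload.encode(), expected_payload.encode()):
        raise PurchaseRejected("developerPayload mismatch")
    seen_tokens.add(purchase_token)
    return record.get("orderId")

# Constructed responses standing in for Google's API (not real purchases).
FAKE_PLAY = {
    "token-genuine": {"purchaseState": 0, "developerPayload": "user-42",
                      "orderId": "GPA.1234-5678-9012-34567"},
    "token-cancelled": {"purchaseState": 1, "developerPayload": "user-42",
                        "orderId": "GPA.1234-5678-9012-34568"},
}

def fake_fetch(package_name, product_id, token):
    return FAKE_PLAY.get(token)

def demo():
    seen, outcomes = set(), []
    for token in ("token-genuine", "token-forged", "token-cancelled", "token-genuine"):
        try:
            verify_purchase(fake_fetch, seen, "com.example.app", "coins_100", token, "user-42")
            outcomes.append((token, "granted"))
        except PurchaseRejected as err:
            outcomes.append((token, str(err)))
    return outcomes

if __name__ == "__main__":
    print(demo())
```

The order ID is returned only for record keeping; the decision rests on the token lookup, not on the order ID's format.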
