
I am making an application that will include billing. I have purchasing working otherwise.

The app links to a PHP server. I want to save the in-app purchase information on my server and confirm using Google Play Market.

I have managed to save the in-app purchase information on my server, but I can't confirm with Google Play Market.

I have tried using this library, but all I see is:

"This library does not (yet) support verifying purchases made via Google Play's In-app Billing."

Is what I want to do possible? If so, how?

Here is my PHP:

<?php
$signedData = $request['signedData'];
$signature = $request['signature'];

// Strip the backslashes the client/transport added as escaping. Note that the
// signature covers the exact bytes of $signedData, so anything removed here
// that was not added in transit will make the verification fail.
$signedData = str_replace('\\', '', $signedData);
$signature = str_replace('\\', '', $signature);

define('PUBLIC_KEY', 'MY GOOGLE MARKET PUBLIC KEY');
define('PACKAGE_NAME', 'MY APP PACKAGE NAME');

// Validator from the licensing library mentioned above; per its own notice it
// verifies license responses, not In-app Billing purchase data.
$validator = new AndroidMarket_Licensing_ResponseValidator(PUBLIC_KEY, PACKAGE_NAME);
$valid = $validator->verify($signedData, $signature);

$result = [];
if ($valid) {
    $result['respon'] = 'sucessed';
} else {
    $result['respon'] = 'fail';
}

SendData($result);

$db->close();
john_science
uprising
  • Possible duplicate of http://stackoverflow.com/questions/5645418/android-in-app-purchase-server-signature-verification-using-php-openssl – Femi Apr 14 '12 at 08:28
  • This other question has the approach I ended up using. http://stackoverflow.com/questions/8763260/verify-sha1withrsa-signature-generated-in-java-android-with-phpseclib – Evan Siroky Oct 01 '12 at 22:32

1 Answer


Yes, it's totally possible. Google also advises you to do that, under security, in their best practices. The following code block is one that I use in production, thanks to https://gist.github.com/menny

Google best practices: https://developer.android.com/google/play/billing/billing_best_practices.html

The following code returns true or false. You can use packageName and orderId for uniqueness so that nobody would be able to do a replay attack.

Answer to the question:

function verify_market_in_app($signed_data, $signature, $public_key_base64)
{
    // Wrap the base64 key from the Play Console in PEM headers so OpenSSL can
    // parse it; chunk_split() already appends a trailing "\n" to the last chunk.
    $key = "-----BEGIN PUBLIC KEY-----\n" .
        chunk_split($public_key_base64, 64, "\n") .
        '-----END PUBLIC KEY-----';
    // Using PHP to create an RSA key from the PEM string.
    $key = openssl_get_publickey($key);
    if ($key === false) {
        // Malformed key string: treat as a failed verification, not a warning.
        return false;
    }
    // $signature should be in binary format, but it comes as BASE64, so convert
    // it. Strict mode rejects input that is not valid base64.
    $signature = base64_decode($signature, true);
    if ($signature === false) {
        return false;
    }
    // Using PHP's native support to verify the SHA1withRSA (PKCS#1 v1.5)
    // signature over the signed data exactly as received; changing a single
    // byte of $signed_data breaks it.
    $result = openssl_verify(
        $signed_data,
        $signature,
        $key,
        OPENSSL_ALGO_SHA1);
    // openssl_verify() returns 1 for a valid signature, 0 for an invalid one
    // and -1 (or false) on error; only 1 counts as success.
    return $result === 1;
}
Sayonara
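The same check as the answer's function, extended with the packageName and orderId checks the answer recommends, written here as an added example (not from the original answer or from the gist it credits) in Go rather than PHP so that it runs stand-alone from the standard library: it decodes the base64 key as the Play Console shows it, verifies the SHA1withRSA signature over the exact signedData bytes, and only then parses the JSON and applies the business checks. The RSA key pair, the package name com.example.app, the orderId and the purchase JSON are constructed for the demo and stand in for Google's key and a real purchase.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Purchase is the part of the INAPP_PURCHASE_DATA JSON the server checks.
type Purchase struct {
	OrderID     string `json:"orderId"`
	PackageName string `json:"packageName"`
	ProductID   string `json:"productId"`
}

// Verifier: the app's licensing key, our package name and the orderIds already
// credited (in production that set lives in the database, not in memory).
type Verifier struct {
	key         *rsa.PublicKey
	packageName string
	seenOrders  map[string]bool
}

// NewVerifier takes the base64 DER (SubjectPublicKeyInfo) key exactly as the
// Play Console shows it, the same string the PHP answer wraps in PEM headers.
func NewVerifier(base64Key, packageName string) (*Verifier, error) {
	der, err := base64.StdEncoding.DecodeString(base64Key)
	if err != nil {
		return nil, fmt.Errorf("key is not base64: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("key is not a DER public key: %w", err)
	}
	rsaKey, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("licensing key is not RSA")
	}
	return &Verifier{key: rsaKey, packageName: packageName, seenOrders: map[string]bool{}}, nil
}

// Verify checks the SHA1withRSA (PKCS#1 v1.5) signature over the raw signedData
// bytes first, and only then parses the JSON and applies the business checks.
func (v *Verifier) Verify(signedData, signatureB64 string) (*Purchase, error) {
	sig, err := base64.StdEncoding.DecodeString(signatureB64)
	if err != nil {
		return nil, fmt.Errorf("signature is not base64: %w", err)
	}
	digest := sha1.Sum([]byte(signedData))
	if err := rsa.VerifyPKCS1v15(v.key, crypto.SHA1, digest[:], sig); err != nil {
		return nil, errors.New("signature does not match signedData")
	}
	var p Purchase
	if err := json.Unmarshal([]byte(signedData), &p); err != nil {
		return nil, fmt.Errorf("signedData is not JSON: %w", err)
	}
	if p.PackageName != v.packageName {
		return nil, fmt.Errorf("packageName %q is not ours", p.PackageName)
	}
	if v.seenOrders[p.OrderID] {
		return nil, fmt.Errorf("orderId %q already credited (replay)", p.OrderID)
	}
	v.seenOrders[p.OrderID] = true
	return &p, nil
}

// signAsPlay signs like Play's server with a locally generated key; demo only.
func signAsPlay(priv *rsa.PrivateKey, signedData string) string {
	digest := sha1.Sum([]byte(signedData))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	return base64.StdEncoding.EncodeToString(sig)
}

// Demo feeds a valid purchase, a replay of it and a tampered copy to Verify.
func Demo() (accepted, replayRejected, tamperRejected bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed; stands in for Google's key
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	v, _ := NewVerifier(base64.StdEncoding.EncodeToString(der), "com.example.app") // our own key, cannot fail
	// Constructed purchase JSON in the INAPP_PURCHASE_DATA layout; all values are fake.
	signedData := `{"orderId":"GPA.0000-1111-2222-33333","packageName":"com.example.app","productId":"premium","purchaseTime":1345678900000,"purchaseState":0,"purchaseToken":"tok"}`
	sig := signAsPlay(priv, signedData)
	_, err := v.Verify(signedData, sig)
	accepted = err == nil
	_, err = v.Verify(signedData, sig) // same orderId submitted again
	replayRejected = err != nil
	tampered := strings.Replace(signedData, `"premium"`, `"premium_plus"`, 1)
	_, err = v.Verify(tampered, sig) // body changed, signature no longer matches
	tamperRejected = err != nil
	return accepted, replayRejected, tamperRejected
}
```

Demo() returns true, true, true: the first submission is credited, the second copy of the same orderId is refused, and a purchase body edited after signing fails the signature check before its JSON is ever looked at. The PHP equivalent of the core step is openssl_verify with OPENSSL_ALGO_SHA1 over the very same bytes the client received; the signedData string must reach the verifier unmodified.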