
I'm trying to implement in-app billing, where the only thing my app sells is a monthly subscription. I've pretty much copied the Dungeons example that Android provides and it works, but it seems overly complicated for the one thing I have to sell (and I know I shouldn't be copying it anyway).

The Dungeons example has a PurchaseDatabase class that keeps track of all of the user's purchases. Since there is only one purchase in my app, rather than having a database, it seems like it would make more sense to just have something like a SharedPreference/boolean "isPurchased" and update/check for that when I start up the app... Now I don't really know much about security, but that just seems to ring warning bells and would probably be very hackable.

So, how should I store/restore this one piece of data? What do I need to save and keep track of, anyway?

Edit: Found this: "In-app billing. How to store information that user has paid?". It would seem that I should use a SharedPreference, but this question still stands: do I just save a boolean "isPurchased" or should I keep track of orderId, developerPayload, etc?

Kalina

1 Answer


If you just save a flag in shared preferences, any user with a rooted device can flip the flag at will and be 'subscribed' without paying. So you should at least do some obfuscation. Here's a sample way to do it. Additionally, there is an API to check for subscription state, so you should check periodically to make sure the subscription is valid.

Nikolay Elenkov
  • Thanks so much for that! I've been looking into the API all morning, but don't really understand how it should be used since Google doesn't provide any code samples... Could you give me an example of what the code should be like? – Kalina Sep 05 '12 at 14:41
  • Here: http://code.google.com/p/google-api-java-client/wiki/APIs#Google_Play_Android_Developer_API – Nikolay Elenkov Sep 05 '12 at 14:48
  • The API seems overly complicated... I have to register and download the API, set up OAuth, and download, set up, and work with a client library, or learn REST and do my own parsing... All that just to find out a single value? Is this the method you recommend? – Kalina Sep 06 '12 at 14:31
  • Not really that complicated: once you authenticate you issue a single GET and get a very simple JSON object. There is no other way to do online checking, so either use it or give up on online checking. – Nikolay Elenkov Sep 06 '12 at 14:33
  • how should we call the user purchases? – Namikaze Minato Jun 23 '20 at 00:28
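
An added example, not part of the original answer or of Google's sample code: one way to act on the advice above is to store a MAC-sealed record (order id, expiry, time of the last online check) instead of a bare "isPurchased" boolean, and to trust it only while it is intact, unexpired and recently confirmed. The class name, record layout, key handling and 24-hour re-check window are assumptions; the key lives on the device, so this is tamper-evidence on the level of the obfuscation the answer mentions, and the online check stays the authority.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (plain Java): a sealed record replaces the bare "isPurchased" flag.
public class SubscriptionCache {
    static final long MAX_STALE_MS = 24L * 60 * 60 * 1000; // assumption: online re-check daily
    private final byte[] key; // assumption: derived at runtime; still only obfuscation on a rooted device

    public SubscriptionCache(byte[] key) { this.key = key.clone(); }

    private String tag(String body) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(body.getBytes(StandardCharsets.UTF_8)));
    }

    // Value to store (e.g. in SharedPreferences) after a successful online subscription check.
    public String seal(String orderId, long validUntilMs, long checkedAtMs) throws GeneralSecurityException {
        String body = orderId + "|" + validUntilMs + "|" + checkedAtMs;
        return body + "|" + tag(body);
    }

    // True only if the record is intact, unexpired and recently confirmed online.
    public boolean isEntitled(String stored, long nowMs) {
        try {
            int cut = stored.lastIndexOf('|');
            String body = stored.substring(0, cut); // throws if there is no separator; caught below
            byte[] given = stored.substring(cut + 1).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(tag(body).getBytes(StandardCharsets.UTF_8), given)) return false;
            String[] f = body.split("\\|");
            if (f.length != 3) return false;
            long validUntil = Long.parseLong(f[1]), checkedAt = Long.parseLong(f[2]);
            return nowMs < validUntil && checkedAt <= nowMs && nowMs - checkedAt <= MAX_STALE_MS;
        } catch (GeneralSecurityException | RuntimeException e) {
            return false; // unreadable record: treat as unsubscribed until the server confirms
        }
    }

    public static void main(String[] args) throws Exception {
        SubscriptionCache c = new SubscriptionCache("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000_000L, until = now + 30L * 86_400_000L; // constructed sample values
        String rec = c.seal("order-0001", until, now);
        System.out.println("fresh record:   " + c.isEntitled(rec, now + 3_600_000L));
        System.out.println("edited expiry:  " + c.isEntitled(rec.replace("" + until, "" + (until * 2)), now));
        System.out.println("stale (3 days): " + c.isEntitled(rec, now + 3L * 86_400_000L));
    }
}
```

When `isEntitled` returns false, the app queries the subscription API and, if the subscription is still valid, writes a fresh sealed record.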