I'm using Google IAP v3 in an Android app. I've implemented signature checking using the GoogleIabHelper class. I'm also checking the signature on the server side with almost the same code.
In the server logs I've found that a lot of purchases are invalid. Here is example data for 2 valid purchases and one invalid:
Valid purchases
#1
orderId: 12399363269014736759.1358132323863451
purchaseTime: 1416079768157
purchaseToken: olcgkklnpigiceancikanedj.AO-J1O...
dataSignature matches: yes
response from androidpublisher API: purchaseTimeMillis = 1416079768157, purchaseState = 0
#2
orderId: 12399363269014736759.1311230454123912
purchaseTime: 1415844666976
purchaseToken: ajkaitpnfgotgkmhlboatkmc.AO-J1O...
dataSignature matches: yes
response from androidpublisher API: purchaseTimeMillis = 1415844666976, purchaseState = 0
Invalid purchase
orderId: 6246434551497330082
purchaseTime: 1415813103372
purchaseToken: xdavcuvdnniwwrhwemleqjdz.rSQozm...
dataSignature matches: no
response from androidpublisher API: "code": 400, "message": "Invalid Value"
As you can see, the data of the two valid purchases looks similar. Both dataSignatures are correct and the androidpublisher API returns valid data for these purchases.
Now look at the invalid purchase:
- orderId doesn't match the pattern of valid purchases
- purchaseTime is in the past (Wed Nov 12 2014 18:25:03 GMT+0100 (CET)) even though the purchase had been made today
- purchaseToken prefix is different after the . (dot)
- dataSignature doesn't match
- androidpublisher API returns Invalid Value
Pretty sure it's an invalid purchase, huh? What about 2-4 purchases like this per day? I'm wondering whether IAP fraud is a real problem or there's a problem with my code and IAP verification. Could someone share their experience with invalid purchases using Google IAP v3?