
I am using consumable in-app purchases in my app. Today I saw some users making fake purchases. My code:

// Imports assumed: IabHelper, IabResult and Purchase are the util classes from Google's
// TrivialDrive in-app billing v3 sample (package path adjusted to wherever they were copied);
// Ion, FutureCallback and JsonObject come from the Ion / Gson libraries.
import com.example.android.trivialdrivesample.util.IabHelper;
import com.example.android.trivialdrivesample.util.IabHelper.OnIabPurchaseFinishedListener;
import com.example.android.trivialdrivesample.util.IabResult;
import com.example.android.trivialdrivesample.util.Purchase;
import com.google.gson.JsonObject;
import com.koushikdutta.async.future.FutureCallback;
import com.koushikdutta.ion.Ion;

OnIabPurchaseFinishedListener mPurchaseFinishedListener = new OnIabPurchaseFinishedListener() {

    @Override
    public void onIabPurchaseFinished(IabResult result, final Purchase purchase) {
        if (mHelper == null) return;      // helper already disposed
        if (result.isFailure()) {
            return;                       // purchase cancelled or failed, nothing to record
        }
        if (purchase.getSku().equals("premium")) {
            // Report the purchase to the backend. Every field here is supplied by the
            // client, so the backend can only trust it after checking the token with Google.
            Ion.with(mainContext, "http://domain.com/mobileapp/buyPremium/")
                    .setBodyParameter("username", purchase.getDeveloperPayload())
                    .setBodyParameter("orderId", purchase.getOrderId())
                    .setBodyParameter("orderToken", purchase.getToken())
                    .setBodyParameter("orderTime", "" + purchase.getPurchaseTime())
                    .asJsonObject()
                    .setCallback(new FutureCallback<JsonObject>() {
                        @Override
                        public void onCompleted(Exception e, JsonObject result) {
                            // Network error, empty body, or helper disposed while the request ran
                            if (e != null || result == null || mHelper == null) {
                                return;
                            }
                            if (result.has("status") && result.get("status").getAsInt() == 1) {
                                // Backend accepted the purchase: consume it so it can be bought again
                                mHelper.consumeAsync(purchase, mConsumeFinishedListener);
                                if (premiumFragmentObj != null) {
                                    premiumFragmentObj.purchased();
                                }
                            }
                            // Any other status: backend rejected the purchase, nothing is unlocked
                        }
                    });
        }
    }

};

As you can see, I am doing an HTTP request after the user completes the purchase, and I am saving orderId, orderToken, etc. to my database for logs.

Why am I sure that some users are doing fake purchases?

I am comparing my logs with the https://payments.google.com/merchant data, and I couldn't see some users' logs in the Merchant Center.

For example, my database logs (all of them fake):

[screenshot of the database log rows, not reproduced here]

How can I fix this security issue?

Tolgay Toklar

1 Answer

See: How to verify purchase for android app in server side (google play in app billing v3)

When a user makes an in-app purchase, cache the details (token, order id, and product id) locally on the client (i.e. the app), then send them to your API.

Your API should then send the purchaseToken to the Google Play Developer API for validation.

PHP sample: https://github.com/aporat/store-receipt-validator

Ramazan Akbal
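The server-side check the answer describes, written out as an added example (this is not the asker's backend, the linked PHP library, or Google's own code). It contrasts the backend in the question, which records whatever the app posts, with a verifier that looks the purchase token up in the Google Play Developer API before crediting it. The endpoint path is the documented purchases.products GET of the v3 API; the HTTP call itself is injected as a `fetcher` so the logic runs offline here, and in production it would be a GET with a service-account OAuth2 bearer token (not shown). All tokens, order ids and the `FAKE_GOOGLE_RECORDS` table are constructed sample data; the package name `com.example.app` is a placeholder.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# purchaseState values in the purchases.products resource of the Google Play
# Developer API (v3): 0 = purchased, 1 = canceled, 2 = pending.
PURCHASED, CANCELED, PENDING = 0, 1, 2

# Endpoint the *server* calls; the app never talks to it directly.
PURCHASE_ENDPOINT = (
    "https://androidpublisher.googleapis.com/androidpublisher/v3/applications/"
    "{package}/purchases/products/{sku}/tokens/{token}"
)

# GET url -> parsed JSON body, or None when Google answers 4xx (unknown token).
Fetcher = Callable[[str], Optional[dict]]


@dataclass
class ClientReport:
    """The fields the app in the question posts to /buyPremium."""
    username: str   # the asker passes the username as developerPayload
    sku: str
    order_id: str
    token: str


def naive_accept(report: ClientReport, log: List[str]) -> bool:
    """The failure mode in the question: record the client's claim and unlock."""
    log.append(report.order_id)
    return True


def verify_purchase(report: ClientReport, fetcher: Fetcher, seen_tokens: Set[str],
                    package_name: str, expected_sku: str) -> Tuple[bool, str]:
    """Credit a consumable only if Google confirms the token, once per token."""
    if report.sku != expected_sku:
        return False, "sku mismatch"
    if report.token in seen_tokens:                 # replay of an already-consumed token
        return False, "token already credited"
    url = PURCHASE_ENDPOINT.format(package=package_name, sku=report.sku, token=report.token)
    record = fetcher(url)
    if record is None:                              # Google has no such purchase
        return False, "token unknown to Google Play"
    if record.get("purchaseState") != PURCHASED:
        return False, "purchase not completed"
    if record.get("orderId") != report.order_id:    # client-sent orderId must match Google's
        return False, "orderId does not match Google's record"
    payload = record.get("developerPayload")
    if payload is not None and payload != report.username:
        return False, "developerPayload does not match user"
    seen_tokens.add(report.token)
    return True, "verified"


# Constructed stand-in for Google's responses, keyed by purchase token.
FAKE_GOOGLE_RECORDS: Dict[str, dict] = {
    "tok-real-001": {"kind": "androidpublisher#productPurchase", "purchaseState": PURCHASED,
                     "consumptionState": 0, "orderId": "GPA.1111-2222-3333-44444",
                     "developerPayload": "alice", "purchaseTimeMillis": "1470000000000"},
    "tok-pending-002": {"kind": "androidpublisher#productPurchase", "purchaseState": PENDING,
                        "consumptionState": 0, "orderId": "GPA.5555-6666-7777-88888",
                        "developerPayload": "bob", "purchaseTimeMillis": "1470000100000"},
}


def fake_fetcher(url: str) -> Optional[dict]:
    """Offline replacement for the authenticated GET against Google."""
    token = url.rsplit("/tokens/", 1)[1]
    return FAKE_GOOGLE_RECORDS.get(token)


def demo() -> Dict[str, object]:
    seen: Set[str] = set()
    genuine = ClientReport("alice", "premium", "GPA.1111-2222-3333-44444", "tok-real-001")
    forged = ClientReport("mallory", "premium", "GPA.9999-0000-0000-00000", "tok-forged-999")
    pending = ClientReport("bob", "premium", "GPA.5555-6666-7777-88888", "tok-pending-002")
    wrong_order = ClientReport("alice", "premium", "GPA.0000-0000-0000-00001", "tok-real-001")
    out: Dict[str, object] = {}
    out["naive_forged"] = naive_accept(forged, [])                  # accepted, like the question
    out["wrong_order"] = verify_purchase(wrong_order, fake_fetcher, seen, "com.example.app", "premium")
    out["genuine"] = verify_purchase(genuine, fake_fetcher, seen, "com.example.app", "premium")
    out["replay"] = verify_purchase(genuine, fake_fetcher, seen, "com.example.app", "premium")
    out["forged"] = verify_purchase(forged, fake_fetcher, seen, "com.example.app", "premium")
    out["pending"] = verify_purchase(pending, fake_fetcher, seen, "com.example.app", "premium")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The asker's log rows that never appear in the Merchant Center would all fall into the `forged` branch: the token posted by the app does not exist on Google's side, so the lookup fails and nothing is credited. The `seen_tokens` set is the replay guard that a consumable needs in addition to the lookup, because a genuine token remains valid-looking to Google until the app consumes it.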