0

I'm referring to this question Who bought my app

only with a little twist: I don't want to know the email address of the user or phone number or anything alike. All I care about is some unique identification of the user who purchased it (="the active android/ios account" that was billed). Is that possible?

I want the user that bought the app on android to be able to access the app on ios. Also I want to prevent "frauds". Imagine somebody borrows my device with my android credentials and within the app logs into his account and presses "buy". That would enable the user to buy the app and it'd charge me. Also it would allow them to restore MY purchases. That's why I need to get the fingerprints of the user who bought it.

Novellizator
  • 13,633
  • 9
  • 43
  • 65
  • It took me a week to just understand the in-app purchase process. So take your time and do not jump to coding. – Kishan Vaishnav Dec 04 '18 at 04:57
  • You'll have to build all of that logic onto your own server. App Store and Play Store will only tell you about the device account that made the purchase. It may be worth checking out https://www.revenuecat.com/ if you don't want to build this yourself. – enc_life Dec 17 '18 at 03:56

1 Answers1

0

I am assuming you already have the account management facility in your app.

So answer to your second question would be to implement the register and login facility which would allow the users to log in with the fingerprint which is the separate problem.

So go ahead and solve this problem first.

The answer to your first question resides in the central server where you register and authenticate the users.

You will need to validate InApp purchase from your server.

The flow steps of how it should be done:

  1. User clicks on the buy button. (It does not matter whether the original user is doing this action or a fraud)
  2. Ask the user for authentication. In this case fingerprint. (The fraud would not be able to pass from this step.)
  3. The app initiates the purchase flow. The user completes the flow.
  4. The app receives the payment successful response from the google. (The app will not allow the access to the item to the user yet. The payment needs to be verified by our server. Google suggests we verify payment from the server and not the app. Refer to Security Best Practices.)
  5. The app sends purchase receipt received from the Google + Unique Id(UserId, Email, Phone no.) to the server.
  6. The server sends purchase receipt (purchaseToken) to Google for verification. The Google verifies it as a successful purchase.
  7. Now that our server knows that the purchase was successful it creates an entry in the database with purchase info (Purchase time, Start time, Expiry time etc.) and user info. (This is the answer to your first question)

The flow steps when the user logs in from the iOS or any other device.

  1. The user logs in to the device.
  2. The user tries to use the purchased product.
  3. The app sends the request to the server.
  4. The server checks whether the user has access to the resource.
  5. Returns the response.

Key point is to have a Server which authenticates the user and verifies the purchase.

Follow my THIS answer you will get clear Idea on how to implement this.

Kishan Vaishnav
  • 2,273
  • 1
  • 17
  • 45