24

I have a few questions connected to Android In-App Billing:

  1. Is it possible to make a purchase from non-Market app? I understand that it would be a vulnerability, but I have no opportunity to find out if it's possible or not.

  2. How can I get purchase state for a particular product? As far as I understand it can be done using RESTORE_TRANSACTIONS request, but it's not recommended to use very often. That's not a theoretical problem. My application allows users to buy content using in-app billing. Content can be downloaded from a server, and server must allow content downloading only if it was purchased. But it can't check if content was purchased or not without using signed response from Android Market.

  3. How can I get price and description of an item from Android Market? Seems that I know the answer and it's "there's no way it can be done", but maybe I'm wrong. It would be very useful to have a possibility of retrieving item's price.

It's very interesting to me how you solved/are going to solve these problems in your apps. Answer to any of these questions will be appreciated.

Michael
  • 53,859
  • 22
  • 133
  • 139

1 Answers1

21

In order:

1- Nope. The in-app billing process is part of Market. If the app comes from elsewhere, there's no way for Market to verify the origin/authenticity of the application.

2- It's your responsibility to store the purchase state for a particular product. From the doc:

You must set up a database or some other mechanism for storing users' purchase information.

RESTORE_TRANSACTIONS should be reserved for reinstalls or first-time installs on a device.

3- Unfortunately, at this time you're right. File a feature request!

In the meantime, one option is to set up a website with appengine, store listings of all your content & pricing there, and then manually sync prices listed on your appengine server with the updated prices in Market. Then have your Android app pull the data from the AppEngine server. This is much better than hardcoding price values into the app itself, since you don't need to have everyone update the app immediately to see accurate pricing whenever you change something. The only caveat of this method is that if the user is in a different country, in-app billing will display an approximated price in their native currency, and there's no way for you to determine exactly what price will be displayed to them.

Related, One of the Android Developer Advocates is giving a talk on LVL/IAP at IO, called "Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine." - It would definitely be worth your while to watch when they release the session videos on the website.

Alexander Lucas
  • 22,171
  • 3
  • 46
  • 43
  • Thanks for your answer! I have some additional question. 1) What if my app is decompiled, changed and compiled again? It will be a non-market app then. Will the in-app billing stop working? 2) It's impossible to have a secure purchase scheme when you store information about purchases in a database. So, I'm developing an app that receives license file from a server and check it locally. My server needs some signed data to generate a license. I can't just ask it for a license because it'll be a server's vulnerability. How should I implement this using current in-app billing implementation? – Michael Apr 13 '11 at 19:31
  • Market does a signature check based on the key you used to sign the app when you uploaded the app to market. Since the modified version wouldn't be signed with your key, market would reject it- However, there's nothing stopping a determined attacker from modifying the .apk file such that it skips the IAP process entirely and just assumes you've purchased everything... The link I provided has a link to a "security" section that covers protection against this sort of thing. To answer your second question, look into LVL (license verification library). That should cover your needs. – Alexander Lucas Apr 13 '11 at 19:53
  • I use in-app billing for purchasing content that is downloaded from a server. So even if .apk is modified, content cannot be downloaded without buying it. And even if it's copied, it cannot be used without license file. Certainly license verification can be modified too, but it's another problem. I'm not really sure that Android Market checks app's signature, but I'd prefer it does. What about docs, I read all the in-app billing documentation and all the source code of the sample. But things I ask about are not covered there. And LVL will not help me because it cannot be used to sell content. – Michael Apr 13 '11 at 20:42
  • Google IO , NOMZ I will be watching TY – Blundell Apr 19 '11 at 18:22
  • You're the only one who answered my question so the bounty is yours. – Michael Apr 26 '11 at 04:45