
I am developing an in-app billing application for Android.

In this sample, the security module is hosted on the Android device.

I’m trying to implement the security module of In-App Billing of this demo application Dungeons on a remote PHP server, following Google's billing best practices.

I encounter some difficulties (I am not familiar with PHP), and I would like to know:

  • Does anyone know if a PHP security module was already developed and open source?

  • Do I have to rewrite all the Java code in PHP on my server, or do I just need to rewrite the part verifying the signature, as this thread is doing?

I am not a pro in security ^^ and that’s why I have some difficulties in seeing what needs to be secured and how… (since the Java code says: "For a secure implementation, all of this code should be implemented on a server that communicates with the application on the device")

I really thank you if anyone has some tips.

Jer

darksider

1 Answer


The idea is to send signed data and the signature from the app to your web server. Then your web server can verify the signature and allow access to protected content and such.

You would only need to rewrite the part verifying the signature, though you might find my PHP library for license verification useful.

David Snabel-Caunt
  • Thank you for your answer. I will look at your library. Have a nice day. – darksider Jul 07 '11 at 15:43
  • Happy to help. If you have any problems you can file an issue on the project site and I'll take a look. – David Snabel-Caunt Jul 07 '11 at 15:47
  • Hello guys... I too need to implement verification on the server side... did you have any luck? And David, I looked at your library, but I have some questions... How did you parse the signed data? I saw some fields that I didn't get from Market... if you can explain it a little better... Thanks in advance... – Jovan Oct 17 '11 at 09:04
  • The data is parsed in the same way as in Google's Java code. Fields are split on ':'. Do you have a specific question? Sorry if I have misunderstood. – David Snabel-Caunt Oct 17 '11 at 09:35
  • I put my question in the Issues on your http://code.google.com/p/android-market-license-verification/issues/list page of code... it is maybe better explained there... There you have our example, and can you tell me what each field is in your example... Thanks :) – Jovan Oct 17 '11 at 11:31
  • Ah, now I understand your issue! I haven't tested the library with in-app billing but it appears some changes are needed. You should be able to use the OpenSSL code to verify signed data, however. I'll update the library and fix your issue when I get a chance. – David Snabel-Caunt Oct 17 '11 at 11:37
  • Thanks man... it will be great because I don't have experience with PHP at all... thanks again... :))) – Jovan Oct 17 '11 at 12:19
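
The server-side check described in the answer, as an added example (not part of the original answer and not code from the linked library). It assumes the public key is the Base64-encoded X.509 RSA key from the publisher account and that the signature is SHA1withRSA, as in Google's sample `Security.java`; the function name, JSON payload and key pair below are constructed for the demo.

```php
<?php
// Added example: verify the signed data and signature an app posts to the server.
// Assumptions: Base64 X.509 RSA public key; signature algorithm SHA1withRSA.

function verify_signed_data(string $signedData, string $signatureB64, string $publicKeyB64): bool
{
    // Wrap the Base64 DER key in PEM armor so OpenSSL can load it.
    $pem = "-----BEGIN PUBLIC KEY-----\n"
         . chunk_split($publicKeyB64, 64, "\n")
         . "-----END PUBLIC KEY-----\n";
    $key = openssl_pkey_get_public($pem);
    $signature = base64_decode($signatureB64, true); // strict: reject non-Base64 input
    if ($key === false || $signature === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error).
    // Compare with === 1: a loose truthiness test would accept -1.
    return openssl_verify($signedData, $signature, $key, OPENSSL_ALGO_SHA1) === 1;
}

// --- Constructed demo: a throwaway key pair stands in for the real signing key ---
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pubPem = openssl_pkey_get_details($pair)['key'];
$publicKeyB64 = preg_replace('/-----[A-Z ]+-----|\s+/', '', $pubPem);

// Constructed payload. Verify the exact bytes received, before any json_decode().
$signedData = '{"nonce":1234567890,"orders":[{"productId":"sword_001","purchaseState":0}]}';
openssl_sign($signedData, $rawSig, $pair, OPENSSL_ALGO_SHA1);
$signatureB64 = base64_encode($rawSig);

// Untouched payload, then the same signature over a modified payload.
var_dump(verify_signed_data($signedData, $signatureB64, $publicKeyB64));
$tampered = str_replace('sword_001', 'sword_999', $signedData);
var_dump(verify_signed_data($tampered, $signatureB64, $publicKeyB64));
```

Only the public key needs to live on the server; grant access to protected content only when the function returns true for the bytes exactly as received.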