
One of my Android apps has an in-app item that is essentially a token which people can buy and use at a later time.

I see that some people buy it and then refund it later. While implementing purchases I used the standard guide from the Java section of the docs that Google provides on the topic, plus I do verify the purchases on my backend server.

All that said, I'm still not sure that it can't potentially lead to some kind of fraud. Generally speaking, is it possible for the user to buy this "token", use it and then refund it in a matter of a few minutes? I haven't looked into it yet, but it doesn't seem that Google would bother to send a refund callback to my backend.

Basically, how to handle these things correctly to prevent fraud?

Edit: to be more clear, I do call acknowledgePurchase() and I get valid sales that don't get refunded, not after a while, not ever. I just wonder how it happens that from time to time I see a purchase made, and then after some time (which differs in length) it does become "refunded" (but not all of them, only some).

galloper

2 Answers


Please make sure that after a purchase you call BillingClient.acknowledgePurchase() in your app. You can find details about this here.

Naveen Rao

If your code, when handling a purchase, does not call acknowledgePurchase() and does not call consumeAsync() either, then the purchase is refunded after a short time period.

The only real way to verify the authenticity of a document is by verifying its signature; the same applies to in-app purchases.

A purchase token can be faked but a signature can not.

Look at this: https://stackoverflow.com/a/48531877/7690376

from56
  • Yes, I do the acknowledgePurchase part and I verify purchases on the backend via the unique purchase token, which the backend checks with Google (without involving the client). I do get valid purchases, that's not a problem. My question is about those people who make such a valid purchase and then I see "refunded" in order management in the console. This kinda puzzles me a bit. – galloper Sep 26 '20 at 14:42
  • A unique token, until hacking apps like Freedom clone it. – from56 Sep 26 '20 at 16:45
  • And your app should take into account the possibility that the user requests a refund. The status of purchases should be checked periodically, even every time the app is started. – from56 Sep 26 '20 at 17:15
  • No, I mean the unique token that Google provides as the "purchase token" and stores forever (so they say). I check the token that I store using Firebase on my backend against it. I also check purchases every time the app is started, yes. The problem is that, say, your app is a game (mine isn't) and you sell in-game currency. Such items would be consumables purchasable multiple times. So say a user buys one, uses the currency and then within the same 5 minutes requests a refund, but the app/game has already flagged that "purchase token" as consumed and the user can't get a refund, right? – galloper Sep 28 '20 at 06:19
  • Do you call `acknowledgePurchase()` for consumable products? I don't understand yet whether your app uses consumable products, which are consumed by calling `consumeAsync()`, or non-consumables, which are acknowledged by calling `acknowledgePurchase()`. Hacking apps also generate valid tokens; the only reliable way to verify the authenticity of a purchase is to verify the signature. – from56 Sep 28 '20 at 19:09
  • Yes, sorry for not being clear: for consumables I use consumeAsync with a listener. Basically, I just followed this: https://developer.android.com/google/play/billing/integrate As for the hackers, do you mean they can generate a valid token that will be accepted by Google? I mean, when the user consumes a product, I send this token to my backend and then the backend asks Google's servers about its 'consumptionState'. Is it not safe to assume that their answer is trustworthy? Then what is... – galloper Sep 29 '20 at 05:52
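The answer's point is that a purchase token is just an opaque string the client hands you, while the signature Google Play attaches to the purchase JSON can only be produced with Google's private key. The block below is an added example, not code from the answer, from Google or from the Play Billing library; it shows what "verify the signature" means concretely. Play signs the exact bytes of the purchase JSON (what the Billing library exposes as the purchase's original JSON) with SHA1withRSA, and the matching public key is the app's Base64 license key in Play Console. To run offline without a dependency, RSASSA-PKCS1-v1_5 verification is re-implemented here in pure Python and a demo key pair is constructed from two known Mersenne primes; in production load the real license key with a vetted library and use its PKCS#1 v1.5 / SHA-1 verify call instead. The package name, product IDs, order ID and purchase token in the demo are invented.

```python
"""Verify the SHA1withRSA signature Google Play attaches to a purchase JSON.

Added example, not code from the answer or from Google. Pure-Python PKCS#1
v1.5 verification so it runs offline; the key pair and the purchase data are
constructed for the demo. In production use a vetted crypto library with the
real license key from Play Console.
"""
import base64
import hashlib
import hmac
import json

# ASN.1 DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed demo key: modulus = M521 * M607 (both Mersenne primes).
# A real deployment parses n and e out of the Play Console license key
# (Base64 DER SubjectPublicKeyInfo) and never holds the private exponent.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, demo signing only
K = (N.bit_length() + 7) // 8         # modulus length in bytes


def _emsa_pkcs1_v15(message, k):
    """EM = 0x00 || 0x01 || PS (0xff..) || 0x00 || DigestInfo(SHA-1(message))."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_demo(message):
    """Stand-in for Google's signing step, so the demo has a valid signature."""
    m = int.from_bytes(_emsa_pkcs1_v15(message, K), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(K, "big")).decode()


def verify_play_signature(purchase_json, signature_b64, n=N, e=E):
    """True iff signature_b64 is a valid SHA1withRSA signature over the exact
    bytes of purchase_json under the public key (n, e)."""
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:
        return False
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(purchase_json.encode("utf-8"), k)
    # Compare the whole encoded block, not just the trailing hash, so that
    # malformed padding is rejected; constant-time to avoid timing leaks.
    return hmac.compare_digest(em, expected)


def verified_purchase(purchase_json, signature_b64, expected_package, product_ids):
    """Verify the signature first, then trust only fields from the signed JSON.

    Returns the parsed purchase, or None if the signature or the contents are
    not acceptable. Nothing the client sends beside the signed JSON is used.
    """
    if not verify_play_signature(purchase_json, signature_b64):
        return None
    data = json.loads(purchase_json)
    if data.get("packageName") != expected_package:
        return None                 # signed for some other app
    if data.get("productId") not in product_ids:
        return None                 # not a SKU this backend sells
    return data


def demo():
    """Genuine purchase verifies; same signature over edited JSON does not."""
    purchase = {"orderId": "GPA.0000-0000-0000-00001",     # constructed
                "packageName": "com.example.tokens",         # constructed
                "productId": "token_pack_5",
                "purchaseTime": 1601126520000,
                "purchaseState": 0,
                "purchaseToken": "constructed-purchase-token",
                "acknowledged": False}
    purchase_json = json.dumps(purchase, separators=(",", ":"))
    signature = sign_demo(purchase_json.encode("utf-8"))
    genuine = verified_purchase(purchase_json, signature,
                                "com.example.tokens", {"token_pack_5"})
    # Attacker keeps the real signature but upgrades the SKU in the JSON.
    tampered_json = purchase_json.replace("token_pack_5", "token_pack_50")
    tampered = verified_purchase(tampered_json, signature,
                                 "com.example.tokens", {"token_pack_5", "token_pack_50"})
    return genuine is not None, tampered is None
```

Signature verification proves the JSON came from Google unaltered; it does not by itself tell you whether the purchase was later refunded, so it complements, rather than replaces, the server-side status check against the Play Developer API that the question already performs.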