
Client-only In-App Purchase Verification w/ X.509 signatures

Hello, I am currently porting my ASP.NET C# web infrastructure for my game over to Amazon Lambda to reduce overhead. It does various things, including validating my in-app purchases.

I’ve been looking into how I would port this over to Node.js, but I stumbled across this and I was wondering if anyone has gotten this to work in C++ yet.

Part of me thinks I should just do client-side verification: people are going to hack my game regardless, so I might as well save the server costs of validating all of these fakes.

Use Google Play's billing system with AIDL | Android Developers: Securing your application
To help ensure the integrity of the transaction information that is sent to your application, Google Play signs the JSON string that contains the response data for a purchase order. Google Play uses the private key that is associated with your application in the Play Console to create this signature. The Play Console generates an RSA key pair for each application.

Note: To find the public key portion of this key pair, open your application’s details in the Play Console, click Services & APIs, and review the field titled Your License Key for This Application.

The Base64-encoded RSA public key that is generated by Google Play is in binary encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public key that is used with Google Play licensing.

When your application receives this signed response, you can use the public key portion of your RSA key pair to verify the signature. By performing signature verification, you can detect any responses that have been tampered with or that have been spoofed. You can perform this signature verification step in your application; however, if your application connects to a secure remote server, Google recommends that you perform the signature verification on that server.

Wow I feel dumb

It already does this validation. I wasn’t checking the completion status and was only doing server-side validation.

https://github.com/EpicGames/UnrealEngine/blob/e528f9f7fa161504dd629c3b390deac93650e43a/Engine/Build/Android/Java/src/com/android/vending/billing/util/IabHelper.java


```java
// Excerpt from IabHelper.handleActivityResult(): the client-side signature check.
// mSignatureBase64 is the base64 license key passed to the IabHelper constructor;
// purchaseData and dataSignature come from the billing service response.
purchase = new Purchase(mPurchasingItemType, purchaseData, dataSignature);
String sku = purchase.getSku();

// Verify signature
if (!Security.verifyPurchase(mSignatureBase64, purchaseData, dataSignature)) {
    logError("Purchase signature verification FAILED for sku " + sku);
    result = new IabResult(IABHELPER_VERIFICATION_FAILED, "Signature verification failed for sku " + sku);
    if (mPurchaseListener != null) mPurchaseListener.onIabPurchaseFinished(result, purchase);
    return true;
}
```