Skip to content

Most visited

Recently visited

navigation

Security Best Practices

As you design your In-app Billing implementation, be sure to follow the security best practices that are discussed in this document. These guidelines are recommended for anyone who is using Google Play's In-app Billing service.

Validating purchase details

It's highly recommended to validate purchase details on a server that you trust. If you cannot use a server, however, it's still possible to validate these details within your app on a device.

Validate on a server

By implementing your signature verification logic on a server, you make it difficult for attackers to reverse-engineer your APK file. This preserves the integrity of the signatures that your logic checks.

To validate purchase details on a trusted server, complete the following steps:

  1. Ensure that the device-server handshake is secure.
  2. Check the returned data signature and the orderId, and verify that the orderId is a unique value that you have not previously processed.
  3. Verify that your app's key has signed the INAPP_PURCHASE_DATA that you process.
  4. Validate purchase responses using the ProductPurchase resource (for in-app products) or the SubscriptionPurchase resource (for subscriptions) from the Google Play Developer API. This step is particularly useful because attackers cannot create mock responses to your Play Store purchase requests.

Validate on a device

If you cannot run your own server, you can still validate purchase details within your Android app.

Warning: This form of verification isn't truly secure. Because your purchase verification logic is bundled within your app, this logic becomes compromised if your app is reverse-engineered.

You should obfuscate your Google Play public key and In-app Billing code so it's difficult for an attacker to reverse-engineer security protocols and other application components. At a minimum, we recommend that you run an obfuscation tool like Proguard on your code. To obfuscate your code using Proguard, you must add the following line to your Proguard configuration file:

-keep class com.android.vending.billing.**

After obfuscating your Google Play public key and In-app Billing code, you're ready to have your app validate purchase details. When your app verifies a signature, ensure that your app's key signed the JSON data contained in that signature.

Protecting your unlocked content

To prevent malicious users from redistributing your unlocked content, do not bundle it in your APK file. Instead, do one of the following:

When you deliver content from a remote server or a real-time service, you can store the unlocked content in device memory or store it on the device's SD card. If you store content on an SD card, be sure to encrypt the content and use a device-specific encryption key.

Taking action against trademark and copyright infringement

If you are using a remote server to deliver or manage content, have your application verify the purchase state of the unlocked content whenever a user accesses the content. This allows you to revoke use when necessary and minimize piracy.

If you see your content being redistributed on Google Play, act quickly and decisively. For more details, see the Frequently Asked Copyright Questions page in the Copyright Help Center.

This site uses cookies to store your preferences for site-specific language and display options.

Get the latest Android developer news and tips that will help you find success on Google Play.

* Required Fields

Hooray!

Follow Google Developers on WeChat

Browse this site in ?

You requested a page in , but your language preference for this site is .

Would you like to change your language preference and browse this site in ? If you want to change your language preference later, use the language menu at the bottom of each page.

This class requires API level or higher

This doc is hidden because your selected API level for the documentation is . You can change the documentation API level with the selector above the left navigation.

For more information about specifying the API level your app requires, read Supporting Different Platform Versions.

Take a short survey?
Help us improve the Android developer experience.
(Sep 2017 survey)