As you design your In-app Billing implementation, be sure to follow the security best practices that are discussed in this document. These guidelines are recommended for anyone who is using Google Play's In-app Billing service.
Validating purchase details
It's highly recommended to validate purchase details on a server that you trust. If you cannot use a server, however, it's still possible to validate these details within your app on a device.
Validate on a server
By implementing your signature verification logic on a server, you make it difficult for attackers to reverse-engineer your APK file. This preserves the integrity of the signatures that your logic checks.
To validate purchase details on a trusted server, complete the following steps:
- Ensure that the device-server handshake is secure.
- Check the returned data signature and the
orderId, and verify that the
orderIdis a unique value that you have not previously processed.
- Verify that your app's key has signed the
INAPP_PURCHASE_DATAthat you process.
- Validate purchase responses using the
ProductPurchaseresource (for in-app products) or the
SubscriptionPurchaseresource (for subscriptions) from the Google Play Developer API. This step is particularly useful because attackers cannot create mock responses to your Play Store purchase requests.
Validate on a device
If you cannot run your own server, you can still validate purchase details within your Android app.
Warning: This form of verification isn't truly secure. Because your purchase verification logic is bundled within your app, this logic becomes compromised if your app is reverse-engineered.
You should obfuscate your Google Play public key and In-app Billing code so it's difficult for an attacker to reverse-engineer security protocols and other application components. At a minimum, we recommend that you run an obfuscation tool like Proguard on your code. To obfuscate your code using Proguard, you must add the following line to your Proguard configuration file:
-keep class com.android.vending.billing.**
After obfuscating your Google Play public key and In-app Billing code, you're ready to have your app validate purchase details. When your app verifies a signature, ensure that your app's key signed the JSON data contained in that signature.
Protecting your unlocked content
To prevent malicious users from redistributing your unlocked content, do not bundle it in your APK file. Instead, do one of the following:
- Use a real-time service to deliver your content, such as a content feed. Delivering content through a real-time service allows you to keep your content fresh.
- Use a remote server to deliver your content.
When you deliver content from a remote server or a real-time service, you can store the unlocked content in device memory or store it on the device's SD card. If you store content on an SD card, be sure to encrypt the content and use a device-specific encryption key.
Taking action against trademark and copyright infringement
If you are using a remote server to deliver or manage content, have your application verify the purchase state of the unlocked content whenever a user accesses the content. This allows you to revoke use when necessary and minimize piracy.
If you see your content being redistributed on Google Play, act quickly and decisively. For more details, see the Frequently Asked Copyright Questions page in the Copyright Help Center.