3

I'm putting an app up on Google Play (fmr. Android Market) and now i'm working on the in-app billing feature. The Android docs say you should do this by verifying the signature of the transaction with your public key, but i'm wondering if retrieving the order information with the Google Checkout API would be easier. Something like the following:

OLD WAY

  1. Android customer purchases something on the market
  2. Market sends response to phone with nonce,signature,transactionid,etc
  3. Android phone, or remote server verifies the transaction using the nonce (generated earlier) and the signature.
  4. If the transaction was verified, the purchase was valid, credit customer with item.

MY WAY

  1. Android customer purchases something on the market
  2. Market sends response to phone with nonce,signature,transactionid,etc
  3. Android phone sends request to remote server with transactionid
  4. Remote server sends a request to the google checkout API for an order with the transactionid, and verifies that the transaction has cleared.
  5. If the transaction has cleared, credit customer with item

Is this possible?

Cameron A. Ellis
  • 3,833
  • 8
  • 38
  • 46

2 Answers2

1

Probably. Google Checkout API is not available everywhere though. If you have a merchant key, you should be able to use it, but the key is not available for most countries. You will need to contact yet one more server, but sounds like it should work. The question is, why haven't you tried yet?

Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84
  • Well, both methods are turning out to be a lot of work. I'm using App Engine as my remote server and it doesn't have a simple way to verify the signature with the public key (m2crypto doesn't run on AE, and pyCrypto has issues). – Cameron A. Ellis Apr 07 '12 at 15:43
  • Not sure what is a lot of work about generating nonces and verifying a signature. Surely connecting to Google checkout is more work? Haven't used pyCrypto for a while, but I'm pretty sure it can verify an RSA signature. Or you could do the backend in Java. – Nikolay Elenkov Apr 07 '12 at 15:50
  • Am not an Android/Play dev - Google Checkout API is only for transactions going through Google Checkout (not any other API/Google product). Your merchant/seller ID and secret/key is unique to your marketplace/product API (it's not going to be the same "merchant id/key" of Google Checkout. Order numbers/id will are also different... – EdSF Apr 08 '12 at 03:13
  • @EdSF Not sure what your point is? Android Market/Play does use Google checkout for billing and order numbers are indeed the same as passed to the in-app billing library. There are apps that display Android Market/Play orders using the merchant key and ID. – Nikolay Elenkov Apr 08 '12 at 07:00
  • @NikolayElenkov again I'm not an Android Dev, so perhaps I stand corrected. Perhaps its that [Google Checkout API](http://code.google.com/apis/checkout/developer/index.html) is used to mean other things too. E.g. (not Android/Play) there is [In App Payments API](https://developers.google.com/in-app-payments/). It has a "seller secret" and "seller id" (aka key/id), and orders flow to the same Order Inbox as GCO orders. I can display In App orders, but its not using the "Google Checkout API". – EdSF Apr 08 '12 at 15:44
  • Well, it turns out PyCrypto *is* able to verify the RSA signature, but there was a lot of work involved because I didn't understand all the key formatting issues (read: 2 days worth). So i think i'll be going the recommended way. – Cameron A. Ellis Apr 09 '12 at 03:56
  • Glad you got it working. Consider open sourcing if not the whole thing, at least the nonce/signature verification part. – Nikolay Elenkov Apr 09 '12 at 04:01
1

Your way seems pretty easily spoofable to me. For something as critical as billing, I'd go with the recommended approach. It's been thought out.

StilesCrisis
  • 15,972
  • 4
  • 39
  • 62
  • Well, the reason I thought of this was because Facebook credits work this way ( for the most part ). How could they spoof transaction Ids? – Cameron A. Ellis Apr 07 '12 at 15:44
  • I suspect the Facebook guys do very clever things that they have thought through quite thoroughly, and may or may not be in your approach. – StilesCrisis Apr 07 '12 at 19:47