I am implementing subscription in my android app. Assume that my service name is FOO. People login to FOO with a FOO username and they can subscribe to some premium FOO services.
The purchaseToken I get from the Google Play is an important element that I store in a local DB and as well send it to my remote server through an HTTPS connection. My remote server will call the get API to validate the receipt of purchase and depending on the result we activate a set of premium services for that FOO username.
Now my question is, if a user tries to hack around and gets purchaseToken from DB or by sniffing the packets, he can validate it for a different FOO username. Isn't it? How can I make sure that it's always safe?
I can think of a few options but I'm not sure which one is best and safest and foolproof.
First, obfuscate/encrypt while storing. It is still just RE-able. With a bit of effort, it is hackable.
Second, make sure that purchaseTokens are unique on the server side. Even though it seems OK to me I'm a bit paranoid and I'm not sure if this is going to cause other problems.
What do you think?
