Android Billing api with free item

Question

Android billing api allow us to check whether user purchase certain items.
But what if I want to give out some item to user free when they achieve something (e.g. share the app with 5 friends). Is there any way I can tell google that user own this item?

If no, that mean I need to setup my server to store which user has which free item. To check whether user has certain item, I need to check from my server and billing api as well. But how to make the webservice secure? If the app just simply tell server that user with certain email address has item x, it seems that bad guy can play around this and just fake server he has everything.

UPDATE:
For example, to tell my sever that user A has obtained item A. I would send a call to my webservice url with payload {user:xxx@email.com, item:A}.
But anyone can send this payload to the webservice url. How to I protect this?

Answer 1

"Is there any way I can tell google that user own this item?"

Google is providing you platform on which you can purchase the item and purchase status for your developer side to check whether item is purchasing or not. I think google will not allow you to tell him and they will make the item purchased for particular user. you are restricted to do so according to google play billing policy.

If you have read the document properly then they say all business logic for item will be handle by the developer side only they just provide you item purchased flow. you have to think your business logic using your server.

"But how to make the webservice secure?"

It is for your end side then you can put any business logic as you want. you can secure by proguard or post methods or other possible way that you can find out in google.

And yes if you are using proguard then don't forget to put line in it,

-keep class com.android.vending.billing.**

Hope you it will solve your problem.