
The Google documentation for the BillingClient queryPurchases method states the following:

"It's recommended for security purposes to go through purchases verification on your backend (if you have one) by calling the following API: https://developers.google.com/android-publisher/api-ref/purchases/products/get"

Here is the link:

https://developer.android.com/reference/com/android/billingclient/api/BillingClient.html#queryPurchases(java.lang.String)

I have set up an API, established communications with it from my server and have done some initial testing, but the more I look into it, the more I question the need for it. If your code can be decompiled, then whatever verification you are doing on your back end could certainly be subverted within your app's code.

My understanding is that Google caches these purchases on the local device and refreshes that cache periodically, and this cache is where queryPurchases pulls the purchases from.

Exactly what type of attack would I be trying to prevent by doing back end verification on these purchases?

jwitt98

1 Answer


Google Play handles the transaction and keeps a record of the purchase. Your back end presents purchase receipts and gets a response from Google; the user cannot inject a fake record into Google's billing systems, and this is what your back end relies on. If the user did indeed purchase your in-app item and their credit card was charged by Google, then that record is reliable and there's no way a user can alter it. Even if they decompiled your application, they wouldn't gain anything apart from being exposed as a malicious actor. A well-implemented in-app billing system is watertight and extremely difficult, if not impossible, to game.

user10515
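As an added example (not code from either poster, nor Google's own), here is a back-end check of the kind the answer describes: the app's claim is untrusted, Google's record of the purchase decides, and a token that was already redeemed by another account is refused. The call to purchases.products.get is replaced by a constructed stand-in so the example runs offline; the package name, product id, tokens and order ids are made up.

```python
from typing import Callable, Dict, Optional, Set, Tuple

# purchaseState values of the androidpublisher v3 ProductPurchase resource
# returned by purchases.products.get.
PURCHASED, CANCELED, PENDING = 0, 1, 2

# In production `fetch` would GET (with a service-account OAuth2 bearer token):
# https://androidpublisher.googleapis.com/androidpublisher/v3/applications/
#   {packageName}/purchases/products/{productId}/tokens/{purchaseToken}
FetchFn = Callable[[str, str, str], Optional[dict]]


def verify_purchase(claim: dict, user_id: str, fetch: FetchFn, expected_package: str,
                    catalogue: Set[str], ledger: Dict[str, str]) -> Tuple[bool, str]:
    """Decide server-side whether `user_id` gets the entitlement in `claim`.

    `claim` is whatever the app sent (packageName, productId, purchaseToken) and is
    untrusted: a patched APK can send anything here. `ledger` maps purchase tokens
    already granted to the account that redeemed them. Only Google's record decides.
    """
    package, product = claim.get("packageName"), claim.get("productId")
    token = claim.get("purchaseToken")
    if package != expected_package or product not in catalogue or not token:
        return False, "malformed or unknown claim"
    record = fetch(package, product, token)          # None when Google has no such purchase
    if record is None:
        return False, "token unknown to Google Play"
    if record.get("productId", product) != product:  # token belongs to a different SKU
        return False, "product mismatch"
    if record.get("purchaseState") != PURCHASED:     # canceled/refunded or still pending
        return False, "not in purchased state"
    if ledger.get(token, user_id) != user_id:        # same receipt replayed by another account
        return False, "token already redeemed by another account"
    ledger[token] = user_id                          # idempotent for the same account
    return True, record.get("orderId", "")


# Constructed stand-in for purchases.products.get so the example runs offline;
# the tokens and order ids are made up, not real Play data.
FAKE_PLAY_RECORDS = {
    ("com.example.app", "premium", "tok-good"):
        {"orderId": "GPA.1111-2222-3333-44444", "purchaseState": PURCHASED},
    ("com.example.app", "premium", "tok-refunded"):
        {"orderId": "GPA.5555-6666-7777-88888", "purchaseState": CANCELED},
}


def fake_fetch(package: str, product: str, token: str) -> Optional[dict]:
    return FAKE_PLAY_RECORDS.get((package, product, token))
```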