I have an Android application and an in-app purchase.
I want to post the user_id s of the ones that purchase it to my remote database via a php file.
I know some clever users can listen to the network and see the address of my php service. They may even find out what variables I am sending.
I know how to encrypt user_id of course. I can do it either with RSA or AES. But I need to keep public key for RSA in the app.
Here is my question: A more clever attacker can easily get the public key and encrypt his user id and post to my web service. How do I prevent this scenario?
I have solved my problem. What i need is to do signature verification on the server side. I just need to send the signature and the signed data to my server.
No one can trick these data. They are coming directly from google.
Once the signature verification is complete I just added the user to my mysql table.