I have made an Android app where items can be purchased using in-app-billing. When an item is purchased the transaction can easily be synced between Android Market and the phone – to be used in the app. But, I need MY server to be aware of the purchase. The decision to deliver app-specific data should be made on my server, not in the client app.
E.g.
- User buys item X from Android Market.
- Transaction data Y is sent to the client.
- Client sends Y to my server.
- Client asks the server to deliver content for X.
- Server delivers content if Y is valid. How can this be accomplished?
Q: How do I verify that transaction data coming from the Android client (presumably originating from Google servers) is not fake? I.e. a hacker didn’t generate the data.
Google Server -> Android client -> My server -> Android client
Perhaps this is more of a PHP question than anything else. Exactly what should my server script (PHP) do in order to verify that the retrieved data is real?
Use openssl_verify ($data, $signature, $key)
The variables $data and $signature should be sent from the android client to your php server using https. The transaction contains both of these items. Send that to your servers before you acknowledge the transaction on the client.(see documentation here – http://developer.android.com/guide/market/billing/billing_integrate.html)
The variable $key is your google public key available from your publisher account from the Licensing & In-app Billing panel. Copy the public key and use that in your php code, preferably using a config file you install on your servers rather than in your actual php code.
If the openssl_verify call succeeds you should store the order numbers on your servers and ensure they are unique so they cannot be replayed. Be aware that a single data receipt and signature pair could contain many order numbers though its usually one order.