Home/ Questions/Q 8447487
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T10:11:17+00:00

I’m using the In App Billing sample app to add this feature to my

  • 0

I’m using the In App Billing sample app to add this feature to my application.
After I finished adding it to my app, and tested all working, I noticed the comment in this Security class:

Security-related methods. For a secure implementation, all of
this code should be implemented on a server that communicates with
the application on the device. For the sake of simplicity and
clarity of this example, this code is included here and is executed
on the device. If you must verify the purchases on the phone, you
should obfuscate this code to make it harder for an attacker to
replace the code with stubs that treat all purchases as verified.

As Google suggests, I do the purchase verification on the server side so I really don’t need the Security class in my project.
The problem is, I can’t figure out how to remove the BillingService class dependency in the Security class.

I started by deleting the Security class and following the errors in the BillingService and most places it’s being used I can remove easily, except in one place:

private void purchaseStateChanged(int startId, String signedData, String signature) {
        ArrayList<Security.VerifiedPurchase> purchases;
        purchases = Security.verifyPurchase(signedData, signature);
        if (purchases == null) {
            return;
        }

        ArrayList<String> notifyList = new ArrayList<String>();
        for (VerifiedPurchase vp : purchases) {
            if (vp.notificationId != null) {
                notifyList.add(vp.notificationId);
            }
            ResponseHandler.purchaseResponse(this, vp.purchaseState, vp.productId,
                    vp.orderId, vp.purchaseTime, vp.developerPayload);
        }
        if (!notifyList.isEmpty()) {
            String[] notifyIds = notifyList.toArray(new String[notifyList.size()]);
            confirmNotifications(startId, notifyIds);
        }
    }

Would love if someone can share his/hers purchaseStateChanged method (based on the in app billing sample app) without the use of the Security class.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    So here’s what I did. First the calls to BillingService occur on the applications main thread, so you need to issue your server calls in a background thread. I chose to finish up processing on the main thread, since I wasn’t sure what impact calling methods like ‘confirmNotifications’ on a background thread might have.

    I created a callback interface VerifyTransactionCompletion which could be dispatched back to the main thread after the remote call completed.

    I keep around the Security class and have it manage the call to the server now, instead of what it originally performed in the sample. So when you see the call to Security, that’s where I call out to my server and perform signature validation.

    /**
 * Callback interface to <em>finish</em> processing a transaction once the remote
 * servers have processed it.
 */
public interface VerifyTransactionCompletion {
    public void transactionVerified(List<Security.VerifiedPurchase> purchases);
}

private void purchaseStateChanged(final int startId, String signedData, String signature) {
    // verifyPurchase issues remote call to server (in a background thread), then
    // calls transactionVerified on the main thread to continue processing.
    Security.verifyPurchase(signedData, signature, new VerifyTransactionCompletion() {

        @Override
    public void transactionVerified(List<VerifiedPurchase> purchases) {
            if (purchases == null) {
                return;
            }

            ArrayList<String> notifyList = new ArrayList<String>();
            for (VerifiedPurchase vp : purchases) {
                if (vp.notificationId != null) {
                    notifyList.add(vp.notificationId);
                }
                ResponseHandler.purchaseResponse(BillingService.this, vp.purchaseState, vp.productId,
                        vp.orderId, vp.purchaseTime, vp.developerPayload);
            }
            if (!notifyList.isEmpty()) {
                String[] notifyIds = notifyList.toArray(new String[notifyList.size()]);
                confirmNotifications(startId, notifyIds);
            }
        }

});

    }

    • 0