Android-通过服务器端验证保护应用内购买 [英] Android - protecting in app purchases with server side verification

问题描述

我是android开发的新手，但是创建了一个应用程序，因此我实施了应用程序内购买，以从该应用程序中删除广告.我只是做了一个非常基本的实现，并且基本上检查了用户是否购买了"no_ads"商品，如果该商品是真的，那么就不会显示任何广告.问题是，我在Firebase上看到很多购买"记录，而在游戏机上却什么也没有，这意味着我的用户当然正在使用这些黑客应用程序.所以我的问题是，如何再次保护/验证那些购买的服务器，以使这些无用的应用程序变得无用?我已经有一个我的应用程序使用的服务器，因此为我实现任何服务器端代码都没有问题.如果有人可以指出我的教程，那就太好了.谢谢

I'm new to android development but created an app and I implemented in-app purchase to remove ads from the app. I just did a very basic implementation and I basically check if the user has purchased the "no_ads" item and if it's true, then no ads are shown. The problem is that I see a lot of "purchases" bein logged on firebase and nothing on play console, which means of course that my users are using those hacking apps. So my question is, how to protect/verify those purchases agains a server so these haking apps are useless? I already have a server that my app uses, so there's no problem about implementing any server side code for me. It would be great if someone could point me to a tutorial. Thanks

推荐答案

我为减少应用内购买欺诈行为所做的小贡献

使用您的Android代码在外部服务器上进行签名验证:

Signature verification on an external server, on your Android code :

verifySignatureOnServer()

  private boolean verifySignatureOnServer(String data, String signature) {
        String retFromServer = "";
        URL url;
        HttpsURLConnection urlConnection = null;
        try {
            String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8");

            url = new URL(urlStr);
            urlConnection = (HttpsURLConnection) url.openConnection();
            InputStream in = urlConnection.getInputStream();
            InputStreamReader inRead = new InputStreamReader(in);
            retFromServer = convertStreamToString(inRead);

        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (urlConnection != null) {
                urlConnection.disconnect();
            }
        }

        return retFromServer.equals("good");
    }

convertStreamToString()

 private static String convertStreamToString(java.io.InputStreamReader is) {
        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";
    }

虚拟主机根目录上的

verify.php

verify.php on the root directory of web hosting

<?php
// get data param
$data = $_GET['data'];

// get signature param
$signature = $_GET['signature'];

// get key
$key_64 = ".... put here the base64 encoded pub key from google play console , all in one row !! ....";



$key =  "-----BEGIN PUBLIC KEY-----\n".
        chunk_split($key_64, 64,"\n").
       '-----END PUBLIC KEY-----';   
//using PHP to create an RSA key
$key = openssl_get_publickey($key);


// state whether signature is okay or not
$ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    die ("fault, error checking signature");
}

// free the key from memory
openssl_free_key($key);

?>

注释:

• 您应该在Java代码中对URL进行加密，如果无法解密，则可以在解压缩的应用apk中通过简单的文本搜索轻松找到URL.

• You should encrypt the URL in your java code, if not the URL can be found easy with a simple text search in your decompressed app apk

最好更改php文件名，URL参数，对好/不好的响应也无济于事.

Also better to change php file name, url arguments, good/bad reponses to something with no sense.

verifySignatureOnServer().另一种选择是使用Volley.

verifySignatureOnServer() should be run in a separated thread if not a network on main thread exception will be thrown. An alternative would be to use Volley.

希望这会有所帮助...

Hope it will help ...

这篇关于Android-通过服务器端验证保护应用内购买的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！