应用内计费安全和设计问题 [英] In-App Billing Security and Design questions
问题描述
我有几个与 Android 应用内结算相关的问题:
I have a few questions connected to Android In-App Billing:
是否可以从非市场应用程序进行购买?我知道这将是一个漏洞,但我没有机会知道它是否可能.
Is it possible to make a purchase from non-Market app? I understand that it would be a vulnerability, but I have no opportunity to find out if it's possible or not.
如何获取特定产品的购买状态?据我了解,可以使用 RESTORE_TRANSACTIONS 请求来完成,但不建议经常使用.这不是理论上的问题.我的应用程序允许用户使用应用内计费购买内容.内容可以从服务器下载,并且服务器必须仅在购买时才允许内容下载.但如果不使用来自 Android Market 的签名响应,它就无法检查是否购买了内容.
How can I get purchase state for a particular product? As far as I understand it can be done using RESTORE_TRANSACTIONS request, but it's not recommended to use very often. That's not a theoretical problem. My application allows users to buy content using in-app billing. Content can be downloaded from a server, and server must allow content downloading only if it was purchased. But it can't check if content was purchased or not without using signed response from Android Market.
如何从 Android Market 获取商品的价格和描述?似乎我知道答案,它是不可能做到",但也许我错了.能够检索商品的价格将非常有用.
How can I get price and description of an item from Android Market? Seems that I know the answer and it's "there's no way it can be done", but maybe I'm wrong. It would be very useful to have a possibility of retrieving item's price.
您如何解决/将如何解决您的应用中的这些问题对我来说非常有趣.我们将不胜感激任何这些问题的回答.
It's very interesting to me how you solved/are going to solve these problems in your apps. Answer to any of these questions will be appreciated.
推荐答案
按顺序:
1- 不.应用内计费流程是 Market 的一部分.如果应用来自其他地方,Market 将无法验证应用的来源/真实性.
1- Nope. The in-app billing process is part of Market. If the app comes from elsewhere, there's no way for Market to verify the origin/authenticity of the application.
2- 存储特定产品的购买状态是您的责任.来自 doc:
2- It's your responsibility to store the purchase state for a particular product. From the doc:
您必须建立一个数据库或其他一些机制来存储用户的购买信息.
You must set up a database or some other mechanism for storing users' purchase information.
RESTORE_TRANSACTIONS 应保留用于在设备上重新安装或首次安装.
RESTORE_TRANSACTIONS should be reserved for reinstalls or first-time installs on a device.
3- 不幸的是,此时您是对的.提交功能请求!
3- Unfortunately, at this time you're right. File a feature request!
与此同时,一种选择是建立一个网站,其中包含 appengine、所有内容的商店列表和在那里定价,然后手动将您的 appengine 服务器上列出的价格与 Market 中的更新价格同步.然后让您的 Android 应用从 AppEngine 服务器中提取数据.这比将价格值硬编码到应用程序本身要好得多,因为您不需要让每个人都立即更新应用程序,以便在您更改某些内容时查看准确的定价.这种方法唯一需要注意的是,如果用户在不同的国家/地区,应用内结算将以他们的本国货币显示近似价格,您无法确定向他们显示的确切价格.
In the meantime, one option is to set up a website with appengine, store listings of all your content & pricing there, and then manually sync prices listed on your appengine server with the updated prices in Market. Then have your Android app pull the data from the AppEngine server. This is much better than hardcoding price values into the app itself, since you don't need to have everyone update the app immediately to see accurate pricing whenever you change something. The only caveat of this method is that if the user is in a different country, in-app billing will display an approximated price in their native currency, and there's no way for you to determine exactly what price will be displayed to them.
相关,其中一位 Android 开发者倡导者正在 IO 上发表关于 LVL/IAP 的演讲,名为使用许可证验证库、应用内计费和 App Engine 规避海盗和阻止吸血鬼".- 当他们在网站上发布会议视频时,绝对值得您观看.
Related, One of the Android Developer Advocates is giving a talk on LVL/IAP at IO, called "Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine." - It would definitely be worth your while to watch when they release the session videos on the website.
这篇关于应用内计费安全和设计问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
