应用内结算安全和设计问题 [英] In-App Billing Security and Design questions

问题描述

我有几个问题连接到Android应用内结算：

1. 是否可以从非购买市场应用程式我明白这是一个漏洞，但是我没有机会找出是否可行。




2. 如何获取特定的购买状态产品？据我所知，可以使用 RESTORE_TRANSACTIONS 请求完成，但建议不要经常使用。这不是一个理论问题。我的应用程序允许用户使用应用内结算购买内容。内容可以从服务器下载，服务器只有在购买时才允许内容下载。但是如果没有使用Android Market的签名回复，则无法检查内容是否被购买。




3. 如何从Android中获取某个商品的价格和描述市场？似乎我知道答案，这是没有办法可以完成，但也许我错了。有可能检索项目的价格是非常有用的。

对我来说，如何解决/将在您的应用程序中解决这些问题。

解决方案

顺序：

1-不。应用内结算流程是Market的一部分。如果应用程序来自其他地方，市场无法验证应用程序的来源/真实性。

2-您是否有责任为特定的存储产品。从文档：

您必须设置一个数据库或其他机制来存储用户的购买信息。

RESTORE_TRANSACTIONS应该保留在设备上重新安装或首次安装。

3-不幸的是，在这个时候你是对的。提交功能请求！

同时，一个选项是使用appengine设置一个网站，存储所有内容的商品列表然后在市场中以更新的价格手动同步您的appengine服务器上列出的价格。然后让您的Android应用程序从AppEngine服务器中提取数据。这比将硬件价格值强加入应用程序本身好得多，因为您无需每次更新应用程序即可立即更新应用程序，以便在您更改某些内容时查看准确的定价。这种方法的唯一注意事项是，如果用户在不同的国家/地区，应用内结算将以本国货币显示近似价格，您无法确定将向其显示什么价格。 p>

相关的Android开发者倡导者之一就是在IO上讨论LVL / IAP，称为使用许可证验证库，应用内结算和逃避盗版和停止吸血鬼 App Engine。 - 当他们在网站上发布会议视频时，一定要值得一看。

I have a few questions connected to Android In-App Billing:

1. Is it possible to make a purchase from non-Market app? I understand that it would be a vulnerability, but I have no opportunity to find out if it's possible or not.

2. How can I get purchase state for a particular product? As far as I understand it can be done using RESTORE_TRANSACTIONS request, but it's not recommended to use very often. That's not a theoretical problem. My application allows users to buy content using in-app billing. Content can be downloaded from a server, and server must allow content downloading only if it was purchased. But it can't check if content was purchased or not without using signed response from Android Market.

3. How can I get price and description of an item from Android Market? Seems that I know the answer and it's "there's no way it can be done", but maybe I'm wrong. It would be very useful to have a possibility of retrieving item's price.

It's very interesting to me how you solved/are going to solve these problems in your apps. Answer to any of these questions will be appreciated.

解决方案

In order:

1- Nope. The in-app billing process is part of Market. If the app comes from elsewhere, there's no way for Market to verify the origin/authenticity of the application.

2- It's your responsibility to store the purchase state for a particular product. From the doc:

You must set up a database or some other mechanism for storing users' purchase information.

RESTORE_TRANSACTIONS should be reserved for reinstalls or first-time installs on a device.

3- Unfortunately, at this time you're right. File a feature request!

In the meantime, one option is to set up a website with appengine, store listings of all your content & pricing there, and then manually sync prices listed on your appengine server with the updated prices in Market. Then have your Android app pull the data from the AppEngine server. This is much better than hardcoding price values into the app itself, since you don't need to have everyone update the app immediately to see accurate pricing whenever you change something. The only caveat of this method is that if the user is in a different country, in-app billing will display an approximated price in their native currency, and there's no way for you to determine exactly what price will be displayed to them.

Related, One of the Android Developer Advocates is giving a talk on LVL/IAP at IO, called "Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine." - It would definitely be worth your while to watch when they release the session videos on the website.

这篇关于应用内结算安全和设计问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！