对于许多购买，Google IAP验证失败了 [英] Google IAP verification has failed for many purchases

问题描述

我在Android应用中使用Google IAP v3。我使用 GoogleIabHelper 类实现了签名检查。我也用几乎相同的代码检查服务器端的签名。

I'm using Google IAP v3 in Android app. I've implemented signature checking using GoogleIabHelper class. I'm also checking the signature on the server side with almost the same code.

在服务器日志中我发现很多购买都是无效的。以下是2次有效购买和1次无效的示例数据：

In the server logs I've found a lot purchases are invalid. Here are example data for 2 valid purchases and one invalid:

有效购买

#1
orderId:         12399363269014736759.1358132323863451
purchaseTime:    1416079768157
purchaseToken:   olcgkklnpigiceancikanedj.AO-J1O...
dataSignature matches: yes
response from androidpublisher API: purchaseTimeMillis = 1416079768157, purchaseState = 0

#2
orderId:         12399363269014736759.1311230454123912
purchaseTime:    1415844666976
purchaseToken:   ajkaitpnfgotgkmhlboatkmc.AO-J1O...
dataSignature matches: yes
response from androidpublisher API: purchaseTimeMillis = 1415844666976, purchaseState = 0

无效购买

orderId:         6246434551497330082
purchaseTime:    1415813103372
purchaseToken:   xdavcuvdnniwwrhwemleqjdz.rSQozm...
dataSignature matches: no
response from androidpublisher API: "code": 400, "message": "Invalid Value"

正如您所看到的，两个有效购买的数据看起来相似。 dataSignatures 都是正确的， androidpublisher API会返回这些购买的有效数据。

As you can see data of the two valid purchases look similar. Both dataSignatures are correct and the androidpublisher API returns valid data for these purchases.

现在查看无效购买：

• orderId 不不符合有效购买的模式


• purchaseTime 过去（2014年11月12日星期三18:25:03 GMT + 0100 （CET））即使今天购买了


• purchaseToken 前缀在之后也不同。 / code>（点）


• dataSignature 不匹配


• androidpublisher API返回无效值

• orderId doesn't match the pattern of valid purchases
• purchaseTime is in the past (Wed Nov 12 2014 18:25:03 GMT+0100 (CET)) even though the purchase had been made today
• purchaseToken prefix is different after the . (dot)
• dataSignature doesn't match
• androidpublisher API returns Invalid Value

很确定这是无效的购买吧？那么每天2-4次购买怎么样？我想知道IAP欺诈是真正的问题还是我的代码和IAP验证有问题。有人可以分享他们使用Google IAP v3进行无效购物的经历吗？

Pretty sure it's invalid purchase huh? What about 2-4 purchases like this per day. I'm wondering do IAP frauds are real problem or there's problem with my code and IAP verification. Could someone share their experience with invalid purchases using Google IAP v3?

推荐答案

经过深入研究后发现有很多方法可以破解IAP，但良好的购买验证可以防止它（如问题所示。

After digging a little deeper it turns out there are so many ways to hack IAP, but good purchase validation prevents from it (like presented in the question).

首先，无效购买（所有这些）都是在 rooted devices 上进行的。我还询问了一些用户他们的购买情况，其中一人同意他正在使用一些允许免费购买IAP商品的apk。

First of all, the invalid purchases (all of them) have been made on rooted devices. I've also asked some users about their purchases and one of them agreed that he is using some apk which allows to purchase IAP items for free.

结论：一切都还行使用代码，您的用户出了问题。

Conclusion: everything is OK with the code, something is wrong with your users.

这篇关于对于许多购买，Google IAP验证失败了的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！