In-app billing security - what is the deal with obfuscating key?

Question

I am implementing Google Play In-app billing, in Xamarin app, so I look at both android and xamarin documentation. Both of them recommending obscure ways to obfuscate the public key inside application:

http://developer.android.com/training/in-app-billing/preparing-iab-app.html

Security Recommendation: It is highly recommended that you do not hard-code the exact public license key string value as provided by Google Play. Instead, you can construct the whole public license key string at runtime from substrings, or retrieve it from an encrypted store, before passing it to the constructor. This approach makes it more difficult for malicious third-parties to modify the public license key string in your APK file.

http://components.xamarin.com/gettingstarted/xamarin.inappbilling/true

While the best practice is to perform signature verification on a remote server and not on a device, this might not always be possible. Another technique is to obfuscate your Google Play public key and never store the assembled key in memory. Xamarin.InAppBilling provides the Unify routine that can be used to break your Google Play public key into two or more pieces and to obfuscate those pieces using one or more key/value pairs. In addition, Xamarin.InAppBilling always encrypts your private key while it's in memory. Here is an example of using Unify to obfuscate a private key:

string value = Security.Unify (
new string[] { "X0X0-1c...", "+123+Jq...", "//w/2jANB...", "...Kl+/ID43" }, 
new int[] { 2, 3, 1, 0 }, 
new string[] {  "X0X0-1", "9V4XD", "+123+", "R9eGv", "//w/2", "MIIBI", "+/ID43", "9alu4"      })

But nowhere it is explained, what is the deal here. Why would anyone want to see this key? How would anyone benefit from seeing/replacing the key in my APK? What are the possible "attacks" here? Thanks.

Answer 1

I understand it as being your public key is not necessarily secret but it is just one more way to help keep someone from easily replacing your key with their own key. It mainly keeps the key obfuscated while it is in memory making it harder to pull out.

Say your app uses this to download extra content. If the user replaces your public with one that they know the private key for, they could produce purchase receipts without ever contacting the server and your app will think they are real.

The best way to avoid this is to do the verification on your own server where they can't get at the code. If the server verifies it, then it downloads.

No matter what you do, its a fact that your app can be hacked if they want to spend the time doing it. Even after all the key checks are made it can be a matter of flipping one bit to change the result of a key check. The object is to give them one more hurdle to overcome.