Best practices to make your android app's in-app purchase process harder to break?

StackOverflow https://stackoverflow.com/questions/16402370

Question

Which steps should i follow to reduce the possibility of illegally activating and using in-app features in an android application?

It may be impossible to beat it, however, there should be some basic steps at least to filter out kids...

Was it helpful?

Solution 2

You probably want to at least try obfuscating your public key so that an attacker can't simply decompile your app and look for static strings.

The Android developer website has some thoughts on this:

Protect your Google Play public key

To keep your public key safe from malicious users and hackers, do not embed it in any code as a literal string. Instead, construct the string at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but you do not want to make it easy for a hacker or malicious user to replace the public key with another key.

http://developer.android.com/google/play/billing/billing_best_practices.html

OTHER TIPS

If you don't do the verification on a server then the criminals won't even bother hacking your application. They'll reroute all the requests to their server and feed you bogus receipts that they can then self verify. I'm sure I have had content stolen, but I also know my server verification has stopped many attempts (from the logs). One thing to keep in mind is that you want some kind of authentication on the communication between your application and your server.

I also think there is some value in obfuscating your code to slow people down but that is more to stop code theft than prevention of IAP theft.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top