Question

During our efforts to design InApp Billing for our Android App, we came up with the following scenario:

  1. Customer has rooted/manipulatable device (so Market app + my app can't be trusted)
  2. Customer purchases a product
  3. Purchase state 0 (purchased) is sent to our backoffice (all is checked and ok), we give credits.
  4. Customer refunds that purchase
  5. Customer has manipulated our app or the market app to locally confirm the refund and thereby prevent the refund notification from reaching our backoffice server.

Is this scenario possible? How can we fix this?

[diagram not reproduced]


Solution

First: if the user asks for a refund you also receive an email.

Second: the purchases on in-app billing are not refundable directly by the user. If a user wants a refund, he must contact you and then you can proceed manually to refund with your google wallet account.

So I think that your scenario never happens.

Secondly, if possible I suggest you use managed purchases; in that case, if the user asks for a refund, google market will remember it, and you can use a RESTORE_TRANSACTION to check if some refunds occurred (but again: you must grant a refund).

Other tips

It's been 7 years since this question was asked, but still I will provide an answer as it might be useful to some.

The part that is missing in your diagram is your BackOfficeServer to perform server side validation before granting the credits (goods) to the user. As nothing on the client side can be trusted (neither your app nor the app store) your only solution is to integrate your BackOfficeServer with the Purchase Verification API that Google provide. Only when you receive a response from them stating that the purchase is valid should you grant the goods.

The same would apply for refunds. If the user issues a refund you would need to revoke the goods. For this you again can only trust your BackOfficeServer. Google provide Real time Developer Notifications and Void API that can fulfill that requirement.
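The following is an added example, not code from the question or from either answer, of the back-office design the answer above describes: the server grants credits only after asking Google whether the purchase token is genuine, and revokes them only from Google's own list of voided purchases, so nothing the rooted device reports (or withholds) can change either decision. The Google Play Developer API client is replaced by a constructed in-memory stub (`FakePlayApi`, with assumed method names); the resource fields it mimics (purchaseState, orderId, purchaseToken, voidedReason) follow the purchases.products and purchases.voidedpurchases resources. The package name, SKUs, users and tokens are made up for the example.

```python
"""Server-side grant/revoke ledger for Android in-app purchases (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# purchaseState values of the purchases.products resource
PURCHASED, CANCELED, PENDING = 0, 1, 2


@dataclass
class ProductPurchase:
    product_id: str
    purchase_token: str
    order_id: str
    purchase_state: int


@dataclass
class VoidedPurchase:
    purchase_token: str
    order_id: str
    voided_reason: int  # integer reason code from the voidedpurchases resource


class FakePlayApi:
    """Constructed stand-in for purchases.products.get and purchases.voidedpurchases.list.
    The real calls are server-to-server with a service-account credential; the device
    is never in the loop, so a rooted client cannot alter or suppress their answers."""

    def __init__(self) -> None:
        self._purchases: Dict[Tuple[str, str], ProductPurchase] = {}
        self._voided: List[VoidedPurchase] = []

    def record_purchase(self, p: ProductPurchase) -> None:  # test fixture only
        self._purchases[(p.product_id, p.purchase_token)] = p

    def record_refund(self, token: str, reason: int = 0) -> None:  # test fixture only
        for (_, tok), p in self._purchases.items():
            if tok == token:
                p.purchase_state = CANCELED
                self._voided.append(VoidedPurchase(tok, p.order_id, reason))

    def get_product_purchase(self, package_name: str, product_id: str,
                             token: str) -> Optional[ProductPurchase]:
        # The real API also rejects a token that does not belong to product_id.
        return self._purchases.get((product_id, token))

    def list_voided_purchases(self, package_name: str) -> List[VoidedPurchase]:
        return list(self._voided)


class BackOffice:
    CREDITS_PER_SKU = {"credits_100": 100, "credits_500": 500}  # assumed catalogue

    def __init__(self, api: FakePlayApi, package_name: str) -> None:
        self.api = api
        self.package_name = package_name
        self.balance: Dict[str, int] = {}                # user -> credit balance
        self.granted: Dict[str, Tuple[str, int]] = {}    # purchase token -> (user, credits)
        self.revoked: Set[str] = set()                   # tokens already clawed back

    def report_purchase(self, user: str, product_id: str, token: str) -> str:
        """Entry point for the app's 'I bought something' upload.  Only product_id and
        the token are taken from the client; the purchase state is fetched from Google,
        so a client-supplied state 0 is never believed on its own."""
        if token in self.granted:
            return "duplicate"                 # replayed token: never grant twice
        if product_id not in self.CREDITS_PER_SKU:
            return "rejected"
        p = self.api.get_product_purchase(self.package_name, product_id, token)
        if p is None or p.purchase_state != PURCHASED:
            return "rejected"                  # forged token, wrong SKU, pending, or refunded
        credits = self.CREDITS_PER_SKU[product_id]
        self.granted[token] = (user, credits)
        self.balance[user] = self.balance.get(user, 0) + credits
        return "granted"

    def reconcile_refunds(self) -> List[str]:
        """Pull voided purchases from Google and revoke what was granted for them.
        Real-time Developer Notifications would push the same events to this server;
        either way the device that made the purchase has no say in it."""
        newly_revoked: List[str] = []
        for v in self.api.list_voided_purchases(self.package_name):
            tok = v.purchase_token
            if tok in self.revoked or tok not in self.granted:
                continue                       # already handled, or never granted by us
            user, credits = self.granted[tok]
            self.balance[user] -= credits      # may go negative if spent: a debt to handle in product terms
            self.revoked.add(tok)
            newly_revoked.append(tok)
        return newly_revoked

    def balance_of(self, user: str) -> int:
        return self.balance.get(user, 0)


def run_scenario() -> dict:
    """Walk the question's scenario end to end: purchase, replay, forged token, refund."""
    api = FakePlayApi()
    api.record_purchase(ProductPurchase("credits_100", "tok-A", "GPA.0000-0000", PURCHASED))
    office = BackOffice(api, "com.example.app")
    statuses = [
        office.report_purchase("alice", "credits_100", "tok-A"),      # granted
        office.report_purchase("alice", "credits_100", "tok-A"),      # duplicate
        office.report_purchase("alice", "credits_500", "tok-forged"), # rejected
    ]
    before_refund = office.balance_of("alice")
    api.record_refund("tok-A")                 # Google voids it; the client is not asked
    revoked = office.reconcile_refunds()
    return {"statuses": statuses, "before_refund": before_refund,
            "revoked": revoked, "final_balance": office.balance_of("alice")}
```

Two properties matter here. The grant path never reads a purchase state from the device, so step 3 of the scenario cannot be forged, and the revoke path reads the refund from Google rather than waiting for the device to forward it, so step 5 has nothing to suppress; running `reconcile_refunds()` on a schedule (or on each RTDN) is what closes the gap the question describes.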

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow