lannguyen / marketbilling

Automatically exported from code.google.com/p/marketbilling
0 stars 0 forks source link

Suggestion to improve overall security #169

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
STEPS TO REPRODUCE:
1. Developer gets option to add a security string in the inapp console.
2. Play Store returns the same in the PURCHASE_DATA json.
3. Developer can verify the same in the app(using his/her own algorithm)

(At present all the data that is present in json either originates from the app 
or generated by Google. As the algorithm for signature verification is open 
source, rooted devices can bypass this security check and modded PlayStore OR 
apps that allow users to bypass PlayStore simply return a json string built 
from the original data )

By adding one more layer of check,that is developer dependent,bypassing of 
Store Server would be difficult.

EXPECTED OUTPUT:

ACTUAL OUTPUT:

AFFECTED ORDER IDS (IF RELEVANT):

OS VERSION:

MARKET/MYAPPS VERSION:

DEVICE:

OUTPUT FROM ADB BUGREPORT ATTACHED:
(Note: The output from "adb bugreport" is required for all bug reports.)

NOTES:

Original issue reported on code.google.com by rally...@gmail.com on 9 Jan 2014 at 5:49