onepf / OpenIAB

Open In-App Billing for Google Play, SlideMe, Amazon Store, Nokia Store, Samsung Apps, Yandex.Store, Appland, Aptoide, AppMall and Fortumo.
http://onepf.org/openiab/
Apache License 2.0

Does OpenIAB internally verify purchases? #513

Open rygo6 opened 9 years ago

rygo6 commented 9 years ago

The Google Play store, Amazon store and also the iOS store all have some additional security measures to ensure that purchases are authentic after the app receives the initial response from the IAP server.

You can see these measures described here for Google Play:

http://developer.android.com/google/play/billing/billing_integrate.html#billing-security

For Apple:

https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html

For Amazon:

https://developer.amazon.com/public/solutions/platforms/webapps/docs/rvs.html

I just wanted to make sure, internally, does OpenIAB implement these extra security checks?

petetandon commented 8 years ago

For Google Play it appears to be so, as this repo's variation of IabHelper still uses the isValidDataSignature method from the original IabHelper.java from Google.

Line reference: https://github.com/onepf/OpenIAB/blob/master/library/src/main/java/org/onepf/oms/appstore/googleUtils/IabHelper.java#L925
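For readers who want to see what the Google Play half of that check actually does, here is an added example. It is not OpenIAB's code and not Google's IabHelper; it re-implements the same mechanism that Google's sample Security.java uses: the Base64 RSA public key from the Play Console is decoded as an X.509 SubjectPublicKeyInfo, and the purchase JSON (INAPP_PURCHASE_DATA) is verified against the Base64 signature (INAPP_DATA_SIGNATURE) with SHA1withRSA. The key pair, purchase JSON and signature in main() are constructed locally to stand in for Play's signing key and response; the class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class PlayPurchaseVerifier {
    // Play signs the purchase JSON with RSA over a SHA-1 digest (PKCS#1 v1.5).
    private static final String SIG_ALG = "SHA1withRSA";

    /**
     * Returns true only if base64Signature is a valid SHA1withRSA signature,
     * under base64PublicKey, over the exact bytes of signedData.
     * Any missing input, undecodable Base64 or malformed key is treated as
     * a failed verification rather than an exception the caller might ignore.
     */
    static boolean verifyPurchase(String base64PublicKey, String signedData, String base64Signature) {
        if (base64PublicKey == null || base64PublicKey.isEmpty()
                || signedData == null || signedData.isEmpty()
                || base64Signature == null || base64Signature.isEmpty()) {
            // An empty signature is a failure, never a pass.
            return false;
        }
        try {
            byte[] keyBytes = Base64.getDecoder().decode(base64PublicKey);
            PublicKey key = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(keyBytes));
            Signature verifier = Signature.getInstance(SIG_ALG);
            verifier.initVerify(key);
            verifier.update(signedData.getBytes(StandardCharsets.UTF_8));
            return verifier.verify(Base64.getDecoder().decode(base64Signature));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for Play's key pair. In reality only the public
        // half (the "licence key" from the Play Console) is available to the app.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String base64PublicKey = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());

        // Constructed purchase payload in the shape of INAPP_PURCHASE_DATA.
        String purchaseJson = "{\"orderId\":\"GPA.0000-0000-0000-00000\","
                + "\"packageName\":\"com.example.app\",\"productId\":\"premium\","
                + "\"purchaseTime\":1400000000000,\"purchaseState\":0,"
                + "\"purchaseToken\":\"constructed-token\"}";

        // Sign it the way the store would, producing INAPP_DATA_SIGNATURE.
        Signature signer = Signature.getInstance(SIG_ALG);
        signer.initSign(kp.getPrivate());
        signer.update(purchaseJson.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(signer.sign());

        // A response that was tampered with in transit: the SKU was rewritten
        // but the signature still covers the original JSON.
        String tampered = purchaseJson.replace("\"productId\":\"premium\"",
                                               "\"productId\":\"premium_lifetime\"");

        System.out.println("genuine purchase verifies:  " + verifyPurchase(base64PublicKey, purchaseJson, signature));
        System.out.println("tampered purchase verifies: " + verifyPurchase(base64PublicKey, tampered, signature));
        System.out.println("empty signature verifies:   " + verifyPurchase(base64PublicKey, purchaseJson, ""));
        System.out.println("garbage signature verifies: " + verifyPurchase(base64PublicKey, purchaseJson, "not-base64!"));
    }
}
```

Two points worth keeping in mind when relying on this check. First, it proves only that the JSON was signed with the key you supplied; the app still has to compare packageName, productId and purchaseState against what it expected before granting anything. Second, when the check runs on the device it can be removed along with the rest of the APK by anyone who repackages the app, which is why the three documents linked in the question all describe doing the verification on a server you control.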