Open rygo6 opened 9 years ago
For Google Play it appears to be so, as this repo's variation of IABHelper still uses the isValidDataSignature method from the original IABHelper.java from Google.
Line reference: https://github.com/onepf/OpenIAB/blob/master/library/src/main/java/org/onepf/oms/appstore/googleUtils/IabHelper.java#L925
The Google Play store, Amazon store and also iOS store all have some additional security measures to ensure that purchases are authentic after the app receives the initial response from the IAP server.
You can see these measures described here for Google Play:
http://developer.android.com/google/play/billing/billing_integrate.html#billing-security
For Apple:
https://developer.apple.com/library/ios/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateRemotely.html
For Amazon:
https://developer.amazon.com/public/solutions/platforms/webapps/docs/rvs.html
I just wanted to make sure, internally, does OpenIAB implement these extra security checks?