Open GoogleCodeExporter opened 9 years ago
Developer payload seems to be totally useless unless you have an app that has
its own user identification mechanism (login/password) and you don't want
purchased items bought with Google user X transmitted to your app's logged-in users A,
B, C through Google user X.
Instead of using developer payload (or obfuscating IAB code that will be easily
cracked no matter what), it is a lot more useful to add many hard-to-find online
CRC checks in the code.
Original comment by pujos.mi...@gmail.com on 18 Aug 2013 at 9:38
We shouldn't need to request extra permissions such as (GET_ACCOUNTS) in order
to get a hash of the buyer's current user id. Also, as Matt has indicated, we
would also need an array of hashes of the user ids currently on the device, to
validate a purchase if any of the user accounts on the device is present in the
developer payload.
The argument that, since there is no perfect security, there's no point in
providing moderate security is unreasonable. As an analogy, a locked door
really is not secure, since you can always break windows. So, by this
rationale, none of us should lock our doors, since it is not really secure
anyways. Most of us prefer to live in the real world, where locking doors
actually does act as a deterrent to most people.
I think, in general, we developers are not looking for perfect security against
hackers. We're looking to make our apps more secure to guard against the vast
majority of hackers, who are probably idiots that just use existing hacking
tools with little understanding of how they work.
Original comment by ginolee...@gmail.com on 11 Jul 2014 at 1:25
Original issue reported on code.google.com by mtt.ml...@gmail.com on 9 Jul 2013 at 8:27