Google play, formerly known as the Android Market, provides in-app billing in several countries. In the Security and Design page, Google states the following:
If practical, you should perform signature verification on a remote server and not on a device. Implementing the verification process on a server makes it difficult for attackers to break the verification process by reverse engineering your .apk file. If you do offload security processing to a remote server, be sure that the device-server handshake is secure.
The signature verification here refers to the signature sent back by the Billing Service to the
GET_PURCHASE_INFORMATIONrequest. The signature is against the JSON payload containing the purchase information. We’llget back later
on the authentication of the dialog with the server.
The JSON payload looks like the following (It has been indented for readability):
1 2 3 4 5 6 7 8 9 10 11 12 13 14
And we we receive a signature in
The payload is signed with the Private key associated with you Google Play account. You can grab your public key in your developer console page.
There are several crypto solutions available in python. In our example, we use pycrypto. It can easily be installed in your Django virtual environment with:
Then, the following method allows checking of the payload singature:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
In a next post, we’ll se how to make sure on the Android application side that the responses to our requests are really coming from our server.