With In-App Billing on Android, each time a purchase occurs, your application receives a JSON payload containing information about the purchase, as well as its signature with your developer certificate.
Google encourages you to verify that the signature is valid to authentify the purchase. You can do that inside the application, but if the delivery of the purchase involves a server, it is better to do it on the server to prevent client code manipulation. The following show how to do it on .Net server application.
The JSON payload looks like the following :
1 2 3 4 5 6 7 8 9 10 11
You receive it with a broadcast
inapp_signed_data extra intent field. The signature comes as a base 64
encoded string in the
inapp_signature intent field and looks like this :
1 2 3 4 5
It is the signature of the
SHA1 digest of the JSON payload with the private
key of your developer certificate. Don’t look for this private key, it is
detained by Google. Google only provides you the corresponding public key in the
profile page of your developer account :
Certificate: ... Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1: 66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66: 70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17: 16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b: c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77: 8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3: d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8: e8:35:1c:9e:27:52:7e:41:8f Exponent: 65537 (0x10001) ...
The public key in this format cannot be read directly by the
RSACryptoServiceProvider class of the .Net
module. The preferred import format for this class is XML. The
Bouncy Castle Library allows reading this kind
of encoding, but you don’t really need to add a new dependency to your project.
Instead, what you need is simply to convert your public key in XML. Once this is
done, you can use the following simple .Net code to check the signature:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
For converting your key, you can download the PEMKeyLoader class and use it in a Console Project to convert your key to XML with the follwing code :
1 2 3 4 5
You will obtain your XML formatted key :
That you can use then in your project as a string constant.