Geek Quickies

Stories from the cloudvergence.

Checking Google Play Signatures With Django

Google Play, formerly known as the Android Market, provides in-app billing in several countries. On the Security and Design page, Google states the following:

If practical, you should perform signature verification on a remote server and not on a device. Implementing the verification process on a server makes it difficult for attackers to break the verification process by reverse engineering your .apk file. If you do offload security processing to a remote server, be sure that the device-server handshake is secure.

The signature verification here refers to the signature sent back by the Billing Service in response to the GET_PURCHASE_INFORMATION request. The signature is computed over the JSON payload containing the purchase information. We’ll get back later to authenticating the dialog between the device and the server.
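To make the server-side check concrete, here is an added example of the verification step as it could be written behind a Django view. This is not code from the original post: it uses the `cryptography` package, and the key pair, the JSON purchase payload and the signature are all constructed inside the block (in production the base64 public key comes from the Google Play developer console and the signed data and signature come from the device's POST). Google Play's billing signatures of this era are RSA PKCS#1 v1.5 over SHA-1, which is what the verify call assumes.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def load_play_public_key(public_key_b64: str):
    """The developer console publishes the key as base64-encoded X.509
    SubjectPublicKeyInfo (DER), which is what load_der_public_key expects."""
    return serialization.load_der_public_key(base64.b64decode(public_key_b64))


def verify_purchase_signature(signed_data: str, signature_b64: str, public_key) -> bool:
    """Return True only if signature_b64 is a valid RSA/SHA-1 PKCS#1 v1.5 signature
    over the exact bytes of signed_data. Any decoding error counts as a failure."""
    try:
        public_key.verify(
            base64.b64decode(signature_b64),
            signed_data.encode("utf-8"),
            padding.PKCS1v15(),
            hashes.SHA1(),
        )
    except (InvalidSignature, ValueError):
        return False
    return True


def check_purchase(signed_data: str, signature_b64: str, public_key_b64: str):
    """Server-side entry point: verify first, parse the JSON only afterwards.
    Returns the list of orders on success and None on any failure, so the
    caller never acts on unverified purchase data."""
    public_key = load_play_public_key(public_key_b64)
    if not verify_purchase_signature(signed_data, signature_b64, public_key):
        return None
    try:
        payload = json.loads(signed_data)
    except ValueError:
        return None
    return payload.get("orders", [])


def _make_demo():
    """Constructed stand-in for the real exchange: a throwaway key pair plays the
    role of Google's signing key, and the payload mimics the v2 billing format."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    signed_data = json.dumps({
        "nonce": 1234567890,
        "orders": [{
            "orderId": "demo-order-1",            # constructed sample value
            "packageName": "com.example.demo",    # constructed sample value
            "productId": "premium_upgrade",
            "purchaseTime": 1332000000000,
            "purchaseState": 0,
            "developerPayload": "user-42",
        }],
    })
    signature = key.sign(signed_data.encode("utf-8"), padding.PKCS1v15(), hashes.SHA1())
    public_key_b64 = base64.b64encode(key.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )).decode("ascii")
    return signed_data, base64.b64encode(signature).decode("ascii"), public_key_b64


DEMO_SIGNED_DATA, DEMO_SIGNATURE, DEMO_PUBLIC_KEY = _make_demo()

# A tampered payload (purchase state flipped) must be rejected even though it is
# still well-formed JSON: the signature covers the bytes, not the meaning.
DEMO_TAMPERED_DATA = DEMO_SIGNED_DATA.replace('"purchaseState": 0', '"purchaseState": 1')

if __name__ == "__main__":
    print("genuine:", check_purchase(DEMO_SIGNED_DATA, DEMO_SIGNATURE, DEMO_PUBLIC_KEY))
    print("tampered:", check_purchase(DEMO_TAMPERED_DATA, DEMO_SIGNATURE, DEMO_PUBLIC_KEY))
```

In a Django view, `signed_data` and `signature_b64` would be read from the request body the device posts and `public_key_b64` from settings; the point of the ordering inside `check_purchase` is that `json.loads` never runs on data whose signature has not already been verified, so a forged or edited payload is dropped before any purchase logic sees it.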