bri*_*tzl 34 android in-app-purchase in-app-billing
在向用户提供可下载内容之前,我无法找到关于如何验证服务器上的应用内结算购买的直接答案.
我在app-billing版本3中使用.我使用基于TrivialDrive示例代码中的IabHelper类的代码购买托管产品.一切都很好,花花公子,购买成功完成,我得到一个完整的购买对象和以下原始JSON数据:
{
"orderId":"12999763169054705758.1364365967744519",
"packageName":"my package name",
"productId":"77",
"purchaseTime":1366217534000,
"purchaseState":0,
"purchaseToken":"utfwimslnrrwvglktizikdcd.AO-J1OwZ4l5oXz_3d2SAWAAUgFE3QErKoyIX8WuSEnBW26ntsyDmlLgoUd5lshqIY2p2LnlV4tpH4NITB4mJMX98sCtZizH7wGf6Izw3tfW_GflJDKFyb-g"
}
据我所知,我需要传递purchaseToken和我看到的称为服务器签名的东西.然后,服务器使用私钥来验证购买.它是否正确?如果是这样,我从哪里获得签名,是否真的没有关于购买的服务器端验证的体面文档?
Meh*_*sar 16
where do I get the signature from ?
看看官方文档,
它表示在您的onActivityResult()方法中,您可以获得以下数据,如示例所示,
@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
if (requestCode == 1001) {
int responseCode = data.getIntExtra("RESPONSE_CODE", 0);
String purchaseData = data.getStringExtra("INAPP_PURCHASE_DATA");
String dataSignature = data.getStringExtra("INAPP_DATA_SIGNATURE");//this is the signature which you want
if (resultCode == RESULT_OK) {
try {
JSONObject jo = new JSONObject(purchaseData);//this is the JSONObject which you have included in Your Question right now
String sku = jo.getString("productId");
String purchaseToken = jo.getString("purchaseToken");
//you need to send sku and purchaseToken to server for verification
}
catch (JSONException e) {
alert("Failed to parse purchase data.");
e.printStackTrace();
}
}
}
}
要在服务器端验证, 请查看官方文档
正如前面提到的,客户端应用程序将发送sku和purchaseToken服务器API.服务器必须接收这些值,并且必须使用android publish api执行检查以验证购买:
服务器可以通过添加必要的参数来调用GET请求:
https://www.googleapis.com/androidpublisher/v2/applications/ packageName/purchases/products/productId/tokens/token
这里,
packageName =客户端app的
productName productId =从客户端app收到的sku
令牌=从客户端app收到的purchaseToken
JSONObject如上所述,它将导致响应:
{
"kind": "androidpublisher#productPurchase",
"purchaseTimeMillis": long,
"purchaseState": integer,
"consumptionState": integer,
"developerPayload": string,
"orderId": string,
"purchaseType": integer
}
这里,purchaseState = 0表示有效购买
我希望它会有所帮助!!
我对减少应用内购买欺诈的小贡献
外部服务器上的签名验证,在您的 Android 代码上:
verifySignatureOnServer()
private boolean verifySignatureOnServer(String data, String signature) {
String retFromServer = "";
URL url;
HttpsURLConnection urlConnection = null;
try {
String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8");
url = new URL(urlStr);
urlConnection = (HttpsURLConnection) url.openConnection();
InputStream in = urlConnection.getInputStream();
InputStreamReader inRead = new InputStreamReader(in);
retFromServer = convertStreamToString(inRead);
} catch (IOException e) {
e.printStackTrace();
} finally {
if (urlConnection != null) {
urlConnection.disconnect();
}
}
return retFromServer.equals("good");
}
convertStreamToString()
private static String convertStreamToString(java.io.InputStreamReader is) {
java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
return s.hasNext() ? s.next() : "";
}
虚拟主机根目录下的verify.php
<?php
// get data param
$data = $_GET['data'];
// get signature param
$signature = $_GET['signature'];
// get key
$key_64 = ".... put here the base64 encoded pub key from google play console , all in one row !! ....";
$key = "-----BEGIN PUBLIC KEY-----\n".
chunk_split($key_64, 64,"\n").
'-----END PUBLIC KEY-----';
//using PHP to create an RSA key
$key = openssl_get_publickey($key);
// state whether signature is okay or not
$ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
echo "good";
} elseif ($ok == 0) {
echo "bad";
} else {
die ("fault, error checking signature");
}
// free the key from memory
openssl_free_key($key);
?>
笔记:
您应该在您的 java 代码中加密 URL,如果没有,可以通过在解压缩的应用程序 apk 中的简单文本搜索轻松找到该 URL
也最好将 php 文件名、url 参数、好/坏响应更改为毫无意义的东西。
如果不会抛出主线程上的网络异常,则 verifySignatureOnServer() 应在单独的线程中运行。
希望它会有所帮助...
| 归档时间: |
|
| 查看次数: |
28058 次 |
| 最近记录: |