android - 应用内计费开发人员有效负载参数？

Question

从周日开始，我用谷歌搜索了 6 次这个概念，但我觉得我找不到直接的答案。 official Google docs说这不是为了安全，但我发现一堆答案似乎暗示不是这样，等等。

来自文档:

The fifth argument contains a 'developer payload' string that you can use to send supplemental information about an order (it can be an empty string). If you specify a string value, Google Play returns this string along with the purchase response. Subsequently, when you make queries about this purchase, Google Play returns this string together with the purchase details.

Caution: Don't use the developerPayload field for security validation purposes. This field isn't always available when completing tasks related to In-app Billing. For more information about security best practices, see the In-app Billing Security and Design guide.

来自谷歌官方测试项目:

/** Verifies the developer payload of a purchase. */
boolean verifyDeveloperPayload(Purchase p) {
    String payload = p.getDeveloperPayload();

    /*
     * TODO: verify that the developer payload of the purchase is correct. It will be
     * the same one that you sent when initiating the purchase.
     *
     * WARNING: Locally generating a random string when starting a purchase and
     * verifying it here might seem like a good approach, but this will fail in the
     * case where the user purchases an item on one device and then uses your app on
     * a different device, because on the other device you will not have access to the
     * random string you originally generated.
     *
     * So a good developer payload has these characteristics:
     *
     * 1. If two different users purchase an item, the payload is different between them,
     *    so that one user's purchase can't be replayed to another user.
     *
     * 2. The payload must be such that you can verify it even when the app wasn't the
     *    one who initiated the purchase flow (so that items purchased by the user on
     *    one device work on other devices owned by the user).
     *
     * Using your own server to store and verify developer payloads across app
     * installations is recommended.
     */

    return true;
}

我完全不知道这是什么意思。如果我没有自己的服务器，我应该只使用一个空字符串吗？我应该如何区分用户、购买和设备？

这一切对我来说都不是很清楚，这段代码/官方文档没有提供真正的澄清，而且大多数在线答案同样很少见。

谁能简单说明一下:我应该发送什么作为我的开发人员负载参数？

Answer 1

至少您有生成随机字符串的安全理由:具有不同 developerPayload 的两次相同购买总是会有不同的购买数据和签名。

String developerPayload = UUID.randomUUID().toString();

如果您不在您的服务器上处理答案，您就没有任何理由记住并检查此字符串(请参阅 google 测试中的警告)。