
android - In-app billing signature verification

Reposted. Author: 行者123. Updated: 2023-11-29 14:31:27

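I have a question about the developer payload. I have been reading the documentation but still find it hard to understand verifyDeveloperPayload. What I still don't understand is: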

    boolean verifyDeveloperPayload(Purchase p) {
        String payload = p.getDeveloperPayload();
        /*
         * TODO: verify that the developer payload of the purchase is correct. It will be
         * the same one that you sent when initiating the purchase.
         *
         * WARNING: Locally generating a random string when starting a purchase and
         * verifying it here might seem like a good approach, but this will fail in the
         * case where the user purchases an item on one device and then uses your app on
         * a different device, because on the other device you will not have access to the
         * random string you originally generated.
         *
         * So a good developer payload has these characteristics:
         *
         * 1. If two different users purchase an item, the payload is different between them,
         *    so that one user's purchase can't be replayed to another user.
         *
         * 2. The payload must be such that you can verify it even when the app wasn't the
         *    one who initiated the purchase flow (so that items purchased by the user on
         *    one device work on other devices owned by the user).
         *
         * Using your own server to store and verify developer payloads across app
         * installations is recommended.
         */
        return true;
    }

If my code is

    public void onClick(View v) {
        String item1;
        // TODO Auto-generated method stub
        switch (v.getId()) {
            case R.id.button1: {
                /* TODO: for security, generate your payload here for verification. See the comments on
                 * verifyDeveloperPayload() for more info. Since this is a SAMPLE, we just use
                 * an empty string, but on a production app you should carefully generate this. */

                item1 = "item1";
                String payload = email + item1;

                mHelper.launchPurchaseFlow(this, SKU_2006, RC_REQUEST,
                        mPurchaseFinishedListener, payload);
                break;
            }
        }
    }

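Is the String payload in the boolean verifyDeveloperPayload equal to the String payload from my onClick method?

How and where do I compare the payloads?

Best answer

According to the Android documentation here, it states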

The fifth argument contains a ‘developer payload’ string that you can use to send supplemental information about an order (it can be an empty string). Typically, this is used to pass in a string token that uniquely identifies this purchase request. If you specify a string value, Google Play returns this string along with the purchase response. Subsequently, when you make queries about this purchase, Google Play returns this string together with the purchase details.

Security Recommendation: It’s good practice to pass in a string that helps your application to identify the user who made the purchase, so that you can later verify that this is a legitimate purchase by that user. For consumable items, you can use a randomly generated string, but for non-consumable items you should use a string that uniquely identifies the user.

So, for product ID SKU_2006, if you start the purchase flow with String payload = email+item1;, Google Play will return the same payload in the response, and so you will get it here

    boolean verifyDeveloperPayload(Purchase p) {
        String payload = p.getDeveloperPayload();
        // ...
    }

Now, let me define the whole scenario with code:

First, you initiate a purchase request as follows

    String payload = getUserEmailFromAndroidAccounts() + itemUniqueId;

    // The first argument is the hosting Activity; the listener is the fourth argument.
    mHelper.launchPurchaseFlow(this, SKU_GAS, 10001,
            new PurchaseFinishListener(itemUniqueId), payload);

If the purchase order succeeds, the response data from Google Play is stored in a Purchase object, which is passed back to the listener.

    private class PurchaseFinishListener implements IabHelper.OnIabPurchaseFinishedListener {
        private final String mItemUniqeId;

        public PurchaseFinishListener(String itemUniqeId) {
            mItemUniqeId = itemUniqeId;
        }

        public void onIabPurchaseFinished(IabResult result, Purchase purchase) {
            if (result.isFailure()) {
                Log.d(TAG, "Error purchasing: " + result);
                return;
            }
            if (!verifyDeveloperPayLoad(mItemUniqeId, purchase)) {
                Log.d(TAG, "Authenticity verification failed");
                return;
            }

            // set your product as purchased in your DB or server
        }
    }

Now your verifyDeveloperPayLoad(purchase) method should look like this:

    private boolean verifyDeveloperPayLoad(String itemUniqueId, Purchase purchase) {
        String responsePayload = purchase.getDeveloperPayload();
        String computedPayload = getUserEmailFromAndroidAccounts() + itemUniqueId;

        return responsePayload != null && responsePayload.equals(computedPayload);
    }

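If you have looked at the code carefully, you will surely understand what the workflow is.

For more information about subscription-based purchases and one-time purchases, visit the Android website.

Regarding android - In-app billing signature verification, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/27031764/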
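
The sample comment quoted in the question asks for a payload that differs between users and can still be checked on a device that did not start the purchase, and recommends verifying it on your own server. One way to get both properties, shown as an added example that is not part of the original post or of Google's sample: the server derives the payload as an HMAC over the account ID and the SKU. The class and method names, the secret and the account IDs are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Hypothetical server-side helper; names are illustrative and not part of IabHelper. */
public class DeveloperPayloads {
    private final SecretKeySpec key;

    public DeveloperPayloads(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** Payload handed to the app before launchPurchaseFlow(); depends only on account and SKU. */
    public String issue(String accountId, String sku) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        // Length-prefix each field so ("ab","c") and ("a","bc") never yield the same MAC input.
        for (String field : new String[] {accountId, sku}) {
            byte[] b = field.getBytes(StandardCharsets.UTF_8);
            mac.update((b.length + ":").getBytes(StandardCharsets.UTF_8));
            mac.update(b);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    /** Recompute for the authenticated account and compare in constant time. */
    public boolean verify(String accountId, String sku, String payloadFromPurchase) throws Exception {
        if (payloadFromPurchase == null) return false;
        byte[] expected = issue(accountId, sku).getBytes(StandardCharsets.UTF_8);
        byte[] actual = payloadFromPurchase.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: the secret and account IDs are placeholders.
        DeveloperPayloads server = new DeveloperPayloads(
                "constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String payload = server.issue("account-1001", "SKU_2006");

        // Case 1: same account on a second device, nothing stored locally.
        System.out.println(server.verify("account-1001", "SKU_2006", payload));
        // Case 2: a different account presents the same purchase record.
        System.out.println(server.verify("account-2002", "SKU_2006", payload));
        // Case 3: same account, payload attached to a different product.
        System.out.println(server.verify("account-1001", "SKU_GAS", payload));
    }
}
```

Because the payload is recomputed from the account the server has authenticated, nothing has to be stored on the device, and the secret key never ships inside the APK.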
