Android billing - Testing purchases with android.test.purchased in production/alpha/beta

I'm using Google Play billing API (v3) and I'm testing in-app purchases with sku=android.test.purchased. To do this, I have modified the method Security.verifyPurchase from the helper classes like this:

    public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature, String sku) {
        if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey) || TextUtils.isEmpty(signature)) {
            Log.e(TAG, "Purchase verification failed: missing data.");
            if ("android.test.purchased".equals(sku) || BuildConfig.DEBUG) {
                Log.e(TAG, "This was a test purchase");
                return true;
            }
            return false;
        }
        PublicKey key = Security.generatePublicKey(base64PublicKey);
        return Security.verify(key, signedData, signature);
    }

My code is a little different from that in the tutorials I've found. I added this:

    "android.test.purchased".equals(sku)

Initially, only the verification for BuildConfig.DEBUG was added, but I needed to give testing users the possibility to buy products quickly, without adding their payment data.

My question is: is there a big security problem if I use this code in my production app (or is it OK just for alpha / beta)?

This modification is definitely not OK for the production version because it disables response verification. If an attacker provides no base64PublicKey, signedData, signature and the test sku you have in your code, then your app will allow them to use in-app features in production without actually paying for them.

If in the DEBUG version you want to allow all SKUs, just remove your check. If you want to allow your sku only, use the && operator or the code below.

    if (BuildConfig.DEBUG) {
        Log.e(TAG, "This was a test purchase");
        return "android.test.purchased".equals(sku);
    }
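
The check from the question next to the && form suggested in the answer, as an added example that is not part of the original question or answer. It is plain Java with no Android dependencies: the DEBUG constant stands in for BuildConfig.DEBUG, the key pair and purchase JSON are constructed samples, and SHA1withRSA is an assumed signature algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class VerifyPurchaseDemo {
    // Stand-in for Android's BuildConfig.DEBUG (assumption: false, as in a release build).
    static final boolean DEBUG = false;
    static final String TEST_SKU = "android.test.purchased";
    static boolean isEmpty(String s) { return s == null || s.isEmpty(); }

    // Logic from the question: naming the test SKU skips verification in every build type.
    static boolean verifyAsInQuestion(String key, String data, String sig, String sku) throws Exception {
        if (isEmpty(data) || isEmpty(key) || isEmpty(sig)) return TEST_SKU.equals(sku) || DEBUG;
        return verifySignature(key, data, sig);
    }

    // Form from the answer: the test SKU is honoured only when DEBUG is true.
    static boolean verifyHardened(String key, String data, String sig, String sku) throws Exception {
        if (isEmpty(data) || isEmpty(key) || isEmpty(sig)) return DEBUG && TEST_SKU.equals(sku);
        return verifySignature(key, data, sig);
    }

    // Checks the signature over signedData with the Base64-encoded X.509 public key.
    static boolean verifySignature(String base64Key, String data, String base64Sig) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(base64Key)));
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initVerify(pub);
        s.update(data.getBytes(StandardCharsets.UTF_8));
        return s.verify(Base64.getDecoder().decode(base64Sig));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair standing in for the app's licensing key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String key = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
        String data = "{\"orderId\":\"constructed-sample\",\"productId\":\"premium_upgrade\"}";
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getEncoder().encodeToString(signer.sign());
        System.out.println("question logic, empty fields + test sku: " + verifyAsInQuestion("", "", "", TEST_SKU));
        System.out.println("hardened logic, empty fields + test sku: " + verifyHardened("", "", "", TEST_SKU));
        System.out.println("hardened logic, valid signature: " + verifyHardened(key, data, sig, "premium_upgrade"));
        System.out.println("hardened logic, altered data: " + verifyHardened(key, data + "x", sig, "premium_upgrade"));
    }
}
```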