Android帐单-使用Production / alpha / beta中购买的android.test.purchase测试购买

Question

I'm using Google Play billing API (v3) and I'm testing in-app purchases with sku=android.test.purchased . To do this, I have modified the method Security.verifyPurchase from the helper classes like this:

public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature, String sku) {
    if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey) || TextUtils.isEmpty(signature)) {
        Log.e(TAG, "Purchase verification failed: missing data.");
        if ("android.test.purchased".equals(sku) || BuildConfig.DEBUG) {
            Log.e(TAG, "This was a test purchase");
            return true;
        }
        return false;
    }

    PublicKey key = Security.generatePublicKey(base64PublicKey);
    return Security.verify(key, signedData, signature);
}

My code is a little different from the that in the tutorials I've found: I added this:

"android.test.purchased".equals(sku)

Initially, only the verification for BuildConfig.DEBUG was added, but I needed to give testing users the possibility to buy products quickly, without adding their payment data.

My question is: is there a big security problem if I'll use this code in my production app (or is it OK just for alpha / beta)?

Answer 1

This modification is definitely not OK for production version because it disables response verification. If an attacker provides no base64PublicKey , signedData , signature and the test sku you have in your code, then your app will allow to use in-app features in production without actually paying for them.

If in DEBUG version you want to allow all sku's , just remove your check. If you want to allow your sku only, use && operator or the code below.

if (BuildConfig.DEBUG) {
    Log.e(TAG, "This was a test purchase");
    return "android.test.purchased".equals(sku);
}