
Google In-App purchase token format issue

The regular Google purchase token format looks like this:

minodojglppganfbiedlabed.AO-J1OyNtpooSraUdtKlZ_9gYs0o20ZF_0ryTNACmvaaaG5EwPX0hPruUdGbE3XejoXYCYzJA2xjjAxrDLFhmu9WC4fvTDNL-RDXCWjlHKpzLOigxCr1QhScXR8uXtX8R94iV6MmMHqD

Now I got a weird token that looks like this:

nmdwkbdkikkamkahxjnsnshb

which obviously came from a hacking tool. However, it gets even weirder, because when you put the suspicious token in place of the prefix of the valid token:

nmdwkbdkikkamkahxjnsnshb.AO-J1OyNtpooSraUdtKlZ_9gYs0o20ZF_0ryTNACmvaaaG5EwPX0hPruUdGbE3XejoXYCYzJA2xjjAxrDLFhmu9WC4fvTDNL-RDXCWjlHKpzLOigxCr1QhScXR8uXtX8R94iV6MmMHqD

the token becomes valid. It should have been invalid, since the whole token did not exist, or am I wrong? Has anybody experienced this? Please advise. Thank you.

Interesting find; your question had my curiosity, so I did some digging. I had a suspicion that the prefix looks just like the order number you get in the email receipt from Google, so I cross-checked and, bingo, they match:

Google Play email receipt

Purchase Token: gaaiealkdndcconacjhcmpcf.AO-J1OzF_av9Nl1ViLxR7u7vRlw7OXq32n35GkOEhrMbAfm3VV4g14IWgOg9kxFmJEF58MstHTEGRKKbS9oIPOkEy-EGzcAaItkR3P8_l7DP-6OCZVZAPO4

The order number changes each time a subscription is renewed, and sending the API any of the order numbers from my email receipts with the suffix attached validates as expected. I also tried some random 24-character alphabetic strings, and they worked too, so Google must not care much about the prefix; it is only the suffix they are interested in.
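The practical consequence of the answer's observation, as an added example that is not part of the question or the answer: if a backend uses the raw purchase-token string as its "already granted" key, the same purchase can be resubmitted under many different strings (one per prefix) and each one passes Google's check. The code below keys the entitlement on the `orderId` Google returns instead, and rejects the bare 24-character prefix before any API call is made. `FakePlayApi` is a constructed stand-in for `purchases.products.get` / `purchases.subscriptions.get` that reproduces the behaviour described in the answer (prefix ignored, suffix decides); `com.example.app`, `premium_monthly` and the `GPA.…` order id are placeholders, and the `<prefix>.<suffix>` shape enforced by the regex is an assumption taken from the tokens quoted on this page, since Google documents the token only as an opaque string.

```python
from __future__ import annotations

import re

# Shape of the tokens quoted on this page: 24 lowercase letters, a dot, then a
# long base64url-style suffix. Google documents the token only as an opaque
# string, so this shape is an assumption taken from those examples and serves
# as a sanity filter, not as proof that a purchase exists.
TOKEN_RE = re.compile(r"(?P<prefix>[a-z]{24})\.(?P<suffix>[A-Za-z0-9_-]{32,})")

# Tokens from the question; both share the same suffix.
SUFFIX = ("AO-J1OyNtpooSraUdtKlZ_9gYs0o20ZF_0ryTNACmvaaaG5EwPX0hPruUdGbE3XejoXYCYzJA2xjjAxrDLFhmu9WC4fvTDNL-RDXCWjlHKpzLOigxCr1QhScXR8uXtX8R94iV6MmMHqD")
VALID_TOKEN = "minodojglppganfbiedlabed." + SUFFIX
REPREFIXED_TOKEN = "nmdwkbdkikkamkahxjnsnshb." + SUFFIX
BARE_PREFIX = "nmdwkbdkikkamkahxjnsnshb"


def parse_purchase_token(token: str) -> tuple[str, str]:
    """Split a token into (prefix, suffix); reject off-shape input before
    spending an API call on it."""
    match = TOKEN_RE.fullmatch(token.strip())
    if match is None:
        raise ValueError("purchase token is not of the form <prefix>.<suffix>")
    return match.group("prefix"), match.group("suffix")


def is_well_formed(token: str) -> bool:
    try:
        parse_purchase_token(token)
        return True
    except ValueError:
        return False


class FakePlayApi:
    """Constructed stand-in for purchases.products.get / purchases.subscriptions.get.

    It mimics what the answer observed: only the suffix decides whether the
    token is known, the prefix is ignored. The real response carries more
    fields (acknowledgementState, expiryTimeMillis, ...); only orderId is
    modelled here.
    """

    def __init__(self, suffix_to_order_id: dict):
        self._known = suffix_to_order_id

    def get(self, package_name: str, product_id: str, token: str) -> dict:
        _prefix, suffix = parse_purchase_token(token)
        order_id = self._known.get(suffix)
        if order_id is None:
            raise LookupError("purchase token not found")
        return {"orderId": order_id}


class EntitlementService:
    """Grants an entitlement once per purchase, keyed two ways to show the difference."""

    def __init__(self, api: FakePlayApi, package_name: str, product_id: str):
        self.api, self.package_name, self.product_id = api, package_name, product_id
        self.seen_tokens: set = set()  # weak key: the raw string the client sent
        self.seen_orders: set = set()  # strong key: orderId from Google's reply

    def grant_keyed_on_token(self, token: str) -> bool:
        """Dedupe on the raw string: a changed prefix looks like a new purchase."""
        if token in self.seen_tokens:
            return False
        self.api.get(self.package_name, self.product_id, token)
        self.seen_tokens.add(token)
        return True

    def grant_keyed_on_order_id(self, token: str) -> bool:
        """Dedupe on what Google says the purchase is, not on what was sent."""
        order_id = self.api.get(self.package_name, self.product_id, token)["orderId"]
        if order_id in self.seen_orders:
            return False
        self.seen_orders.add(order_id)
        return True


def demo() -> dict:
    # Placeholder orderId; in production it comes from Google's response.
    api = FakePlayApi({SUFFIX: "GPA.1234-5678-9012-34567"})
    by_token = EntitlementService(api, "com.example.app", "premium_monthly")
    by_order = EntitlementService(api, "com.example.app", "premium_monthly")
    submissions = [VALID_TOKEN, REPREFIXED_TOKEN]
    return {
        "bare_prefix_rejected": not is_well_formed(BARE_PREFIX),
        "grants_keyed_on_token": sum(by_token.grant_keyed_on_token(t) for t in submissions),
        "grants_keyed_on_order_id": sum(by_order.grant_keyed_on_order_id(t) for t in submissions),
    }


if __name__ == "__main__":
    print(demo())
```

Two submissions of the same purchase under different prefixes produce two grants when the raw string is the key and one grant when `orderId` is the key. Because the token format is undocumented, a production service should log a shape mismatch and still forward the token to Google rather than hard-reject it, and should never build its own uniqueness key from the suffix: the only field whose meaning Google commits to is what the API returns.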
