How to verify In app purchases in Xamarin Android?

Question

I am using Xamarin Android and Plugin.InAppBilling from https://www.nuget.org/packages/Plugin.InAppBilling . I have successfully integrated plugin in my project and able to purchase and consume the test product.

Now I want to verify purchase. Plugin has this document https://jamesmontemagno.github.io/InAppBillingPlugin/SecuringPurchases.html

What is DependencyService and how to get signedData, signature to pass to the InAppBillingSecurity.VerifyPurchase method? This issue says it doesn't require DependencyService https://github.com/jamesmontemagno/InAppBillingPlugin/issues/203

Also it is mentioned in the same document to put play store public key in below lines. So should I directly break key in three parts and paste in place of XOR_key1, XOR_key2 and XOR_key3?

    const string key1 = @"XOR_key1";
    const string key2 = @"XOR_key2";
    const string key3 = @"XOR_key3";  

I am confused and I didn't find any real time example or step by step guide. Can any one help me to understand this?

Check attached image of my code. After purchase it returns this much of parameters but not signedData, signature

Answer 1

A Dependency Service allows you to call platform specific code from the .NET Standard shared project.

The Plugin.InAppBilling already created the interface that is to be implemented on each platform, so all you have to do is implement the IInAppBillingVerifyPurchase interface in each of the platform projects. There is only one method in the interface:

Task<bool> VerifyPurchase(string signedData, string signature, string productId = null, string transactionId = null);

So basically in each platform project, you will need to add a class file like the following:

[assembly: Dependency (typeof (InAppBillingVerify))]
namespace YourPlatformProjectNameSpace
{
    public class InAppBillingVerify : IInAppBillingVerifyPurchase
    {
        const string key1 = @"XOR_key1";
        const string key2 = @"XOR_key2";
        const string key3 = @"XOR_key3";

        public Task<bool> VerifyPurchase(string signedData, string signature)
        {

#if __ANDROID__
            var key1Transform = Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.TransformString(key1, 1);
            var key2Transform = Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.TransformString(key2, 2);
            var key3Transform = Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.TransformString(key3, 3);

            return Task.FromResult(Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.VerifyPurchase(key1Transform + key2Transform + key3Transform, signedData, signature));
#else
            return Task.FromResult(true);
#endif
        }
    }

}

The above is straight from the doc you linked. You can see that the separating the key to three parts is only relevant for Android, so there are compiler directives such that the code for the key transforms will only run on Android (making sure that you have the __ANDROID__ symbol defined in the project properties for the Android project. For iOS and UWP, all it does is return true. This is fine for UWP (see below) but for iOS you might want to parse the signedData . Check Apples docs on InAppPurchases to see what you get back when you verify.

And if I am reading the document you linked correctly, then the VerifyPurchase method should be called by the plugin. And then in the plugin, the values of the parameters for the VerifyPurchase method are (from the document you linked):

iOS
    signedData: Full Receipt as a string in Base 64 Encoding
    signature: Always empty string
Android
    signedData: Purchase Data returned from Google
    signature: Data Signature returned from Google
UWP
    No additional authentication is provided.

So on iOS, signed data will be the "Full Receipt as a string in Base 64 Encoding," while signature will be empty.

On Android, signed data will be the "Purchase Data returned from Google," while signature will be the Data Signature returned from Google.

On UWP, you may as well not do anything but return true from this method, since UWP will not pass anything into this method.

For more discussion of dealing with the Android key, see this discussion .

EDIT: So it seems you need to pass in the class that implements the IInAppBillingVerifyPurchase to the PurchaseAsync method in order for the VerifyPurchase method to be called, eg:

var verify = new Verify(); 
//try to purchase item
// Here is where you pass in the class that implements IInAppBillingVerifyPurchase.VerifyPurchase method
var purchase = await CrossInAppBilling.Current.PurchaseAsync(productId, ItemType.InAppPurchase, "apppayload", verify); 
if(purchase == null)
{
    //Not purchased, may also throw excpetion to catch
}
else
{
    //Purchased!
}

And add the Verify class:

public class Verify : IInAppBillingVerifyPurchase
{
    const string key1 = @"XOR_key1";
    const string key2 = @"XOR_key2";
    const string key3 = @"XOR_key3";

    public Task<bool> VerifyPurchase(string signedData, string signature)
    {

        var key1Transform = Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.TransformString(key1, 1);
        var key2Transform = Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.TransformString(key2, 2);
        var key3Transform = Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.TransformString(key3, 3);

        return Task.FromResult(Plugin.InAppBilling.InAppBillingImplementation.InAppBillingSecurity.VerifyPurchase(key1Transform + key2Transform + key3Transform, signedData, signature));
    }
}