how can I verify signed data coming for In-App Billing Android Market using Java (Servlet)

Question

While implementing the in-app billing for Android application, I came across a problem.

Let me explain the scenario first
We have a content server (data server) which has the list of products.
When user selects one from the list, he can be able to purchase it.
The purchase logic runs perfectly after I put my credit card detail using my test account.
In returns I am getting a signed data in Android device.

My Question is
1. Should I have to verify the signed data in Android device and then send some information or the data to Content server, which in return sends the product (I think this may not be good since there is no flow at server side to verify that the request is valid or not or more precisely; that the signature data is generated by google market or not )?
2. If I have to verify the data at server side, how can I do this? Should I have to send it to Google market (if yes, using which web service or API)?

Please help me to rectify this.
Thanks in advance.

Answer 1

For your second question, hash (eg: MD5, SHA) the data and send the hash along with the data to the server. At the server, create a hash of the data and compare the hashes to verify them.

Answer 2

To answer your questions you have to first create the in-app product using some sort of ID that I would then tie into a database you have on your server. Using webservices then you query your db and see if the in-app id matches the ID in you product database. Plus on top that you can use the Security Nonces and Signatures to verify. Mostly you let Google handle the products and so you will hae to model the In-App products after your DB. If you have too many products then you will have to handle it a standard way of creating mobile website ....

EDIT: Well when you make the request, ie purchase, you first do the REQUEST_PURCHASE then you launch the PendingIntent that is returned by the Market. Then you you handle the broadcasts intents that are sent by Market. You specify four keys in the request then make a purchase request:

  Bundle request = makeRequestBundle("REQUEST_PURCHASE");
  request.putString(ITEM_ID, mProductId);

  // Note that the developer payload is optional.
  if (mDeveloperPayload != null) {
      request.putString(DEVELOPER_PAYLOAD, mDeveloperPayload);
      Bundle response = mService.sendBillingRequest(request);
      // Do something with this response.
  }

Then you have to use the PendingIntent to launch the checkoutUI (careful of the 1.6 to 2.0 differences where 1.6 requires this be launched separate from the Activity). take a look at the PurchaseObserver.java in the Google examples.

"The Android Market application sends a RESPONSE_CODE broadcast intent, which provides error information about the request. If the request does not generate an error, the RESPONSE_CODE broadcast intent returns RESULT_OK, which indicates that the request was successfully sent. (To be clear, a RESULT_OK response does not indicate that the requested purchase was successful; it indicates that the request was sent successfully to Android Market.)"