I'm only familiar with the new v3 of the billing API. However, the way to do it there is this:
1. Include a user ID in the *developerPayload* field, in addition to a random string. The full string for *developerPayload* is stored by your server, so you can check for it when you get the purchase data from Google Play.
2. Make sure the orderId was not used before. You have to log all orders in a database.
3. Check the signature of course.

Quote from http://developer.android.com/google/play/billing/billing_integrate.html

> *Security Recommendation:* When you send a purchase request, create a String token that uniquely identifies this purchase request and include this token in the developerPayload. You can use a randomly generated string as the token. When you receive the purchase response from Google Play, make sure to check the returned data signature, the orderId, and the developerPayload String. For added security, you should perform the checking on your own secure server. Make sure to verify that the orderId is a unique value that you have not previously processed, and the developerPayload String matches the token that you sent previously with the purchase request.

In case you still use v2 of the API, it shouldn't be that different there.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
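The three server-side checks from the reply above, as an added example that is not part of the original post: the token issued for a user is stored, the orderId is refused if already logged, and the signature is verified before anything touches the store. The in-memory dict and set stand in for the server's database, and the signature routine assumes the `cryptography` package and Google Play's RSA/SHA-1 signing of the raw purchase JSON.

```python
import base64
import json
import secrets

# In-memory stand-ins for the server-side tables (constructed for this example).
pending_tokens: dict = {}      # developerPayload string -> user ID it was issued to
processed_orders: set = set()  # every orderId already credited


def issue_developer_payload(user_id: str) -> str:
    """Step 1: user ID plus a random string; the full string is stored server-side."""
    token = f"{user_id}:{secrets.token_urlsafe(16)}"
    pending_tokens[token] = user_id
    return token


def play_signature_ok(purchase_data: str, signature_b64: str, licence_key_b64: str) -> bool:
    """Step 3: RSA PKCS#1 v1.5 / SHA-1 over the raw INAPP_PURCHASE_DATA string,
    checked with the app's Base64 licence key. Assumes the 'cryptography' package
    (imported lazily so the payload and orderId checks run without it)."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    from cryptography.hazmat.primitives.serialization import load_der_public_key
    try:
        key = load_der_public_key(base64.b64decode(licence_key_b64))
        key.verify(base64.b64decode(signature_b64), purchase_data.encode("utf-8"),
                   padding.PKCS1v15(), hashes.SHA1())
        return True
    except (InvalidSignature, ValueError):
        return False


def verify_purchase(purchase_data: str, signature_b64: str, user_id: str,
                    licence_key_b64: str, signature_check=play_signature_ok) -> str:
    """Returns 'ok' or the reason to reject. Signature first, so nothing unsigned
    influences the database; the order is recorded only once every check passed."""
    if not signature_check(purchase_data, signature_b64, licence_key_b64):
        return "bad signature"
    purchase = json.loads(purchase_data)
    order_id = purchase.get("orderId") or ""
    if not order_id or order_id in processed_orders:
        return "missing or replayed orderId"                # step 2
    token = purchase.get("developerPayload") or ""
    if pending_tokens.get(token) != user_id:
        return "developerPayload not issued to this user"   # step 1, checked
    processed_orders.add(order_id)
    del pending_tokens[token]                               # token is single-use
    return "ok"
```

`signature_check` is injectable only so the payload and replay logic can be exercised without a real licence key; in production leave the default in place.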
