Hi,
when purchasing some in-app items using Google Play I get from the
INAPP_PURCHASE_DATA field a JSON package like this one:
{
"orderId":"12999763169054705758.1371079406387615",
"packageName":"com.example.app",
"productId":"exampleSku",
"purchaseTime":1345678900000,
"purchaseState":0,
"developerPayload":"bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ",
"purchaseToken":"rojeslcdyyiapnqcynkjyyjh"
}
The obvious things one needs to check on the server are:
1. The signature needs to match.
2. The *developerPayload* needs to match the one we send to the client
before the purchase.
3. The *orderId* needs to be a new one which was not used before.
However, at least for MD5 it is possible to fake a signature if you have a
valid one and are able to insert arbitrary data somewhere. For SHA1 (which
is used by the API) this might be possible as well. Probably it's only a
matter of time. Therefore I want to make sure no one is able to insert
arbitrary data in the JSON package. It is easy to check for additional
fields and check if packageName, productId, purchaseTime and purchaseState have
reasonable values. Also I can make sure the JSON package doesn't
contain any comments or whitespace.
So my actual questions are:
1. What assumptions can I make about the *orderId*? Will it always be 20
digits, a dot and again 16 digits?
2. What assumptions can I make about the *purchaseToken*? Does it always
have a specific length? Is the char set really limited to A-Z, a-z, 0-9 and
these three special chars ".-_"?
Thanks in advance :)
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
Visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
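The server-side checks listed in the post (signature over the exact bytes, strict field set and types, no whitespace or comments, plausible values, developerPayload match, orderId replay protection), written out as a runnable Python example. This is added code, not from the post, the Android API or Google. It assumes a constructed RSA key pair standing in for the app's Play licensing key, with a minimal pure-Python RSASSA-PKCS1-v1_5/SHA-1 in place of a real crypto library; the sample purchase is built from the values quoted in the post; the orderId and purchaseToken regexes encode only the shape of that one sample (20 digits, a dot, 16 digits; 16 to 256 characters from A-Z, a-z, 0-9, ".", "-", "_"), which is exactly the assumption the post asks about, so they must be checked against real data before being relied on; and the canonical-encoding check assumes Play emits compact JSON in this key order.

```python
import hashlib
import hmac
import json
import random
import re

# --- toy RSASSA-PKCS1-v1_5 with SHA-1 (constructed stand-in for a real crypto library) ---
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix for SHA-1

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin after trial division by a few small primes; demo-grade only.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=1024):
    # Returns ((n, e), (n, d)); a constructed key pair standing in for Play's licensing key.
    e = 65537
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _is_probable_prime(q) or q == p:
            q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15(msg, k):
    t = _SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(pub, msg, sig):
    # Recover the encoded block and compare it whole against the expected encoding
    # (no padding parsing, so malformed padding can never be accepted).
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# --- purchase data validation ---
ALLOWED_FIELDS = {"orderId": str, "packageName": str, "productId": str,
                  "purchaseTime": int, "purchaseState": int,
                  "developerPayload": str, "purchaseToken": str}
# Assumed formats, derived from the one sample in the post; verify against real data before use.
ORDER_ID_RE = re.compile(r"[0-9]{20}\.[0-9]{16}")
TOKEN_RE = re.compile(r"[A-Za-z0-9._-]{16,256}")

class PurchaseVerifier:
    def __init__(self, play_pubkey, package_name, known_skus):
        self.pub, self.package, self.skus = play_pubkey, package_name, set(known_skus)
        self.seen_orders = set()  # replay store; a database table in a real server

    def verify(self, raw, signature, expected_payload, now_ms):
        # Returns (ok, reason). The signature is checked over the exact bytes before any parsing.
        if not rsa_sha1_verify(self.pub, raw, signature):
            return False, "bad signature"
        try:
            data = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return False, "not JSON"
        if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
            return False, "unexpected field set"
        if any(type(data[k]) is not t for k, t in ALLOWED_FIELDS.items()):  # also rejects bool/float
            return False, "bad field type"
        # Exact compact re-serialisation rejects whitespace, comments, duplicate keys and odd escapes.
        if json.dumps(data, separators=(",", ":")).encode() != raw:
            return False, "non-canonical encoding"
        if data["packageName"] != self.package or data["productId"] not in self.skus:
            return False, "wrong package or unknown SKU"
        if data["purchaseState"] != 0:  # 0 = purchased
            return False, "not in purchased state"
        if not 0 < data["purchaseTime"] <= now_ms + 5 * 60 * 1000:  # allow 5 min clock skew
            return False, "implausible purchaseTime"
        if not ORDER_ID_RE.fullmatch(data["orderId"]) or not TOKEN_RE.fullmatch(data["purchaseToken"]):
            return False, "unexpected orderId/purchaseToken format"
        if not hmac.compare_digest(data["developerPayload"].encode(), expected_payload.encode()):
            return False, "developerPayload mismatch"
        if data["orderId"] in self.seen_orders:
            return False, "replayed orderId"
        self.seen_orders.add(data["orderId"])
        return True, "ok"

# Constructed from the values quoted in the post, serialised compactly (no whitespace).
SAMPLE_PAYLOAD = "bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ"
SAMPLE_PURCHASE = json.dumps({
    "orderId": "12999763169054705758.1371079406387615",
    "packageName": "com.example.app",
    "productId": "exampleSku",
    "purchaseTime": 1345678900000,
    "purchaseState": 0,
    "developerPayload": SAMPLE_PAYLOAD,
    "purchaseToken": "rojeslcdyyiapnqcynkjyyjh",
}, separators=(",", ":")).encode()
```

The checks are ordered so that the cheapest-to-forge inputs are rejected first and the replay store is only written once everything else has passed. The canonical re-serialisation check is the one most likely to reject legitimate purchases if Play's real output differs from the sample (different key order, escaping or non-ASCII handling), so it should be measured against live data rather than assumed.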