When an IAP is processed, the 'Developer Payload' cannot be changed and re-signed by Google.
Allowing a new Developer Payload to be used and a new response signed by Google would *massively* increase the security of IAPs. It would be possible to lock an IAP response to a device or do other checks. This feature is already possible on normal paid licensing using the nonce, which is part of the payload and re-signed by Google when checking the license.
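The nonce binding the post refers to, sketched as an added example that is not part of the original message and is not Google's code. The `productId|nonce|deviceId` field layout, the names, and the locally generated key pair standing in for the store's signing key are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class NonceBoundResponse {
    // Constructed stand-in for the store's signing key; a real app holds only the public half.
    static final KeyPair SERVER_KEY = newKeyPair();

    static KeyPair newKeyPair() {
        try {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            return g.generateKeyPair();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Hypothetical server side: echo the client's nonce and device id inside the signed data.
    static String[] serverSign(String productId, long nonce, String deviceId)
            throws GeneralSecurityException {
        String data = productId + "|" + nonce + "|" + deviceId;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(SERVER_KEY.getPrivate());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        return new String[] { data, Base64.getEncoder().encodeToString(s.sign()) };
    }

    // Client side: accept only if the signature verifies AND nonce/device match this request.
    static boolean clientAccepts(String[] resp, long expectedNonce, String expectedDevice)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(SERVER_KEY.getPublic());
        v.update(resp[0].getBytes(StandardCharsets.UTF_8));
        if (!v.verify(Base64.getDecoder().decode(resp[1]))) return false;
        String[] f = resp[0].split("\\|");
        return f.length == 3 && f[1].equals(Long.toString(expectedNonce))
                && f[2].equals(expectedDevice);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        long nonceA = rng.nextLong(); // fresh per request, chosen by the client
        String[] resp = serverSign("premium_upgrade", nonceA, "device-A");
        System.out.println("fresh response, same device: "
                + clientAccepts(resp, nonceA, "device-A"));
        // The same validly signed response checked against a different request's nonce and device.
        long nonceB = rng.nextLong();
        System.out.println("same response, other request: "
                + clientAccepts(resp, nonceB, "device-B"));
    }
}
```

The signature check alone passes in both calls; it is the comparison of the signed nonce and device id against the values of the current request that distinguishes a fresh response from a copied one.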
