Tags: android, in-app-purchase, in-app-billing

Google IAP verification has failed for many purchases


I'm using Google IAP v3 in an Android app. I've implemented signature checking using the GoogleIabHelper class. I'm also checking the signature on the server side with almost the same code.

In the server logs I've found that a lot of purchases are invalid. Here is example data for 2 valid purchases and one invalid one:

Valid purchases

#1
orderId:         12399363269014736759.1358132323863451
purchaseTime:    1416079768157
purchaseToken:   olcgkklnpigiceancikanedj.AO-J1O...
dataSignature matches: yes
response from androidpublisher API: purchaseTimeMillis = 1416079768157, purchaseState = 0

#2
orderId:         12399363269014736759.1311230454123912
purchaseTime:    1415844666976
purchaseToken:   ajkaitpnfgotgkmhlboatkmc.AO-J1O...
dataSignature matches: yes
response from androidpublisher API: purchaseTimeMillis = 1415844666976, purchaseState = 0

Invalid purchase

orderId:         6246434551497330082
purchaseTime:    1415813103372
purchaseToken:   xdavcuvdnniwwrhwemleqjdz.rSQozm...
dataSignature matches: no
response from androidpublisher API: "code": 400, "message": "Invalid Value"

As you can see, the data of the two valid purchases look similar. Both dataSignatures are correct and the androidpublisher API returns valid data for these purchases.

Now look at the invalid purchase:

  • orderId doesn't match the pattern of valid purchases
  • purchaseTime is in the past (Wed Nov 12 2014 18:25:03 GMT+0100 (CET)) even though the purchase had been made today
  • purchaseToken prefix is different after the . (dot)
  • dataSignature doesn't match
  • androidpublisher API returns Invalid Value

Pretty sure it's an invalid purchase, huh? What about 2-4 purchases like this per day? I'm wondering whether IAP fraud is a real problem or there's a problem with my code and IAP verification. Could someone share their experience with invalid purchases using Google IAP v3?


Solution

After digging a little deeper it turns out there are so many ways to hack IAP, but good purchase validation prevents it (like the one presented in the question).

First of all, the invalid purchases (all of them) have been made on rooted devices. I've also asked some users about their purchases and one of them agreed that he is using some apk which allows him to purchase IAP items for free.

Conclusion: everything is OK with the code, something is wrong with your users.