Tags: google-play, in-app-purchase, rtdn

How to process RTDN from Google Play?


My server receives real-time developer notifications (RTDN) from Google Play. Now what?

How do I check whether an RTDN from Google Play really comes from Google and not from a hacker? Suppose I use the purchases.products.get API to check it. Then a hacker could send me repeated RTDNs, which would lead my server into thinking that the purchase happened two times (when it really happened once).

I want my server to top up the user's account on every purchase from my app. I want the purchase amount to be arbitrary (specified by the user). Should I include the amount in dollars in the productId/SKU, like credit-$0.78?

Also, it is unclear how to determine the installation ID of the app (a UUID I store in app data on installation) for which the purchase was done. Should I include the UUID in productId/SKU?


Solution

  • Quoting https://developer.android.com/google/play/billing/security

    A special case of sensitive data and logic that should be handled in the backend is purchase verification. After a user has made a purchase, you should do the following:

    1. Send the corresponding purchaseToken to your backend. This means that you should maintain a record of all purchaseToken values for all purchases.
    2. Verify that the purchaseToken value for the current purchase does not match any previous purchaseToken values. purchaseToken is globally unique, so you can safely use this value as a primary key in your database.
    3. Use the Purchases.products:get or Purchases.subscriptionsv2:get endpoints in the Google Play Developer API to verify with Google that the purchase is legitimate.
    4. If the purchase is legitimate and has not been used in the past, you can then safely grant entitlement to the in-app item or subscription.

    [skipping about verification of subscriptions]
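Putting the four quoted steps together for a one-time product RTDN, as an added example that is not part of the answer above or of Google's documentation. The notification only carries a purchaseToken; the server treats everything in it as untrusted, refuses to grant twice for the same token (which also defeats a replayed notification), and takes the product and purchase state from the Play Developer API response, not from the notification. The Pub/Sub envelope, the RTDN payload, the `lookup` callback standing in for a `purchases.products.get` call, the `CREDITS_BY_PRODUCT` table and all token values are constructed for illustration.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical mapping productId -> credits to grant (assumption, not from the page).
CREDITS_BY_PRODUCT = {"credit_pack_small": 100, "credit_pack_large": 1000}

# Constructed stand-in for what purchases.products.get would return for each token.
# purchaseState: 0 = Purchased, 1 = Canceled, 2 = Pending.
GOOGLE_RECORDS = {
    "tok-real-1": {"purchaseState": 0, "productId": "credit_pack_small", "purchaseToken": "tok-real-1"},
    "tok-pending": {"purchaseState": 2, "productId": "credit_pack_large", "purchaseToken": "tok-pending"},
}


class PurchaseLedger:
    """Step 1-2: every purchaseToken ever granted. In production this is a table
    with purchaseToken as primary key; here an in-memory dict."""

    def __init__(self) -> None:
        self._granted: Dict[str, str] = {}  # purchaseToken -> productId

    def already_granted(self, token: str) -> bool:
        return token in self._granted

    def record(self, token: str, product_id: str) -> None:
        self._granted[token] = product_id


def parse_rtdn_push(envelope: dict) -> Optional[dict]:
    """Pub/Sub push delivers the RTDN JSON base64-encoded in message.data.
    Returns the oneTimeProductNotification object, or None if this is another kind."""
    payload = json.loads(base64.b64decode(envelope["message"]["data"]))
    return payload.get("oneTimeProductNotification")


def process_rtdn(envelope: dict, ledger: PurchaseLedger,
                 lookup: Callable[[str, str], Optional[dict]],
                 grant: Callable[[str, int], None]) -> str:
    """Returns "granted", "duplicate", "rejected" or "ignored".
    lookup(productId, purchaseToken) stands in for purchases.products.get (hypothetical);
    grant(productId, credits) is the entitlement side effect."""
    note = parse_rtdn_push(envelope)
    if note is None or note.get("notificationType") != 1:  # 1 = ONE_TIME_PRODUCT_PURCHASED
        return "ignored"
    token = note.get("purchaseToken")
    if not token:
        return "rejected"
    # Step 2: a token we have already honoured is a replay (or a duplicate delivery).
    if ledger.already_granted(token):
        return "duplicate"
    # Step 3: ask Google. The sku in the notification is only used to build the request;
    # a forged or stale token yields no purchase and is rejected.
    purchase = lookup(note.get("sku", ""), token)
    if purchase is None or purchase.get("purchaseState") != 0:
        return "rejected"
    # Step 4: grant once, using the productId Google reports, not the one in the RTDN.
    # In production record() and grant() run in one DB transaction; the primary-key
    # constraint on purchaseToken also stops two concurrent deliveries from both passing.
    product_id = purchase["productId"]
    ledger.record(token, product_id)
    grant(product_id, CREDITS_BY_PRODUCT.get(product_id, 0))
    return "granted"


def fake_lookup(product_id: str, token: str) -> Optional[dict]:
    """Offline stand-in for purchases.products.get (constructed, not the real API)."""
    rec = GOOGLE_RECORDS.get(token)
    return rec if rec is not None and rec["productId"] == product_id else None


def make_envelope(notification: dict) -> dict:
    """Wrap an RTDN payload in a constructed Pub/Sub push envelope."""
    payload = {"version": "1.0", "packageName": "com.example.app",
               "eventTimeMillis": "0", "oneTimeProductNotification": notification}
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"message": {"data": data, "messageId": "1"}}


def demo() -> Tuple[List[str], List[Tuple[str, int]]]:
    ledger = PurchaseLedger()
    granted: List[Tuple[str, int]] = []
    grant = lambda pid, credits: granted.append((pid, credits))
    real = make_envelope({"version": "1.0", "notificationType": 1,
                          "purchaseToken": "tok-real-1", "sku": "credit_pack_small"})
    forged = make_envelope({"version": "1.0", "notificationType": 1,
                            "purchaseToken": "tok-forged", "sku": "credit_pack_large"})
    pending = make_envelope({"version": "1.0", "notificationType": 1,
                             "purchaseToken": "tok-pending", "sku": "credit_pack_large"})
    results = [process_rtdn(e, ledger, fake_lookup, grant) for e in (real, real, forged, pending)]
    return results, granted


if __name__ == "__main__":
    print(demo())  # (['granted', 'duplicate', 'rejected', 'rejected'], [('credit_pack_small', 100)])
```

The second delivery of the same notification is the replay from the question: the token is already in the ledger, so nothing is granted again, whether the repeat came from Pub/Sub retrying or from an attacker. The forged token never reaches the grant step because Google has no purchase for it, and a pending purchase is left alone until a later notification reports it as purchased.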