Security Best Practices

As you design your In-app Billing implementation, be sure to follow the security best practices that are discussed in this document. These guidelines are recommended for anyone who is using Google Play's In-app Billing service.

Validating purchase details

It's highly recommended to validate purchase details on a server that you trust. If you cannot use a server, however, it's still possible to validate these details within your app on a device.

Validate on a server

By implementing your signature verification logic on a server, you make it difficult for attackers to reverse-engineer your APK file. This preserves the integrity of the signatures that your logic checks.

To validate purchase details on a trusted server, complete the following steps:

  1. Ensure that the device-server handshake is secure.
  2. Check the returned data signature and the orderId, and verify that the orderId is a unique value that you have not previously processed.
  3. Verify that your app's key has signed the INAPP_PURCHASE_DATA that you process.
  4. Validate purchase responses using the ProductPurchase resource (for in-app products) or the SubscriptionPurchase resource (for subscriptions) from the Google Play Developer API. This step is particularly useful because attackers cannot create mock responses to your Play Store purchase requests.

Protecting your unlocked content

To prevent malicious users from redistributing your unlocked content, do not bundle it in your APK file. Instead, do one of the following:

  • Use a real-time service to deliver your content, such as a content feed. Delivering content through a real-time service allows you to keep your content fresh.
  • Use a remote server to deliver your content.

When you deliver content from a remote server or a real-time service, you can store the unlocked content in device memory or store it on the device's SD card. If you store content on an SD card, be sure to encrypt the content and use a device-specific encryption key.

Taking action against trademark and copyright infringement

If you are using a remote server to deliver or manage content, have your application verify the purchase state of the unlocked content whenever a user accesses the content. This allows you to revoke use when necessary and minimize piracy.

If you see your content being redistributed on Google Play, act quickly and decisively. For more details, see the Frequently Asked Copyright Questions page in the Copyright Help Center.