New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Promo codes breaks remote server verification #7
Comments
@PaulRashidi I know this isn't going to be a quick fix, but this is a problem I'd like to know the solution for as well. Promo Codes are going to (soon) play a huge role in a couple projects I'm working on, and I'd love to be able to verify purchasers who use them. |
The issue was posted to Stackoverflow on February 13th: Google Play developer support was contacted on March 10th, given ticket [6-6452000010628], still no answer. |
Thanks, give us a few days then feel free to ping again if we haven't responded yet. |
Hi @PaulRashidi, we are also facing this issue. I acknowledge that a promo code can be redeemed in the GP store and that there is no way to attach a developerPayload - would it be possible to receive the promo code in the receipt? This information can then be used to cross-check against a finite list of codes we have our end. At present there doesn't seem to be any way to differentiate between a cash purchase and a promo code redemption, other than the missing dev payload and orderId. Thanks! |
@PaulRashidi yet another month has passed without any response to neither ticket, stackoverflow or here. Any progress, or is the issue buried? |
Hello, I'm not purposefully ignoring this, but there's an event in a few days that has been consuming all of my time lately. Please ping your ticket and I'll get back to this shortly after I/O. |
we are having this issue too. Hope to get the fix ASAP. |
Is it possible to propose a test in a PR that simulates the issue? |
For information another StackOverflow post has been created in January: http://stackoverflow.com/questions/34979420/in-app-purchases-made-via-promo-codes-return-empty-developer-payload-string |
In my case, I just wish that when I redeem the promocode in the game purchases, it will just return success as normal items with the developer payload string that i passed in, so that I won't be needed to ask the player to restart the game and load the in app purchases from GetPurchases function, this seems more seamless and flawless as a player. |
I managed to make sales in a test application, but I can not add a product in my main application, I always get a message saying "The requested item is not available for sale." Has anyone ever experienced this? |
Any update on this, @PaulRashidi? |
@PaulRashidi probably you are really not purposefully ignoring this issue but it seems like that. Meanwhile half year passed and we still have no any workaround or information about regular fix. |
I also provided some details here: http://stackoverflow.com/questions/39112132/android-google-play-promotion-code-for-inapp-billing. As you can see |
Developer payload is the main defence against fake purchases. (As suggested by Google guy @netomarin here https://www.youtube.com/watch?v=tRpGcA4IM5Q) Now that purchases using promo code do not return developer payload even if the purchase is initiated within app, there is no defence against fake purchases. Developer payload should be returned irrespective of payment method (credit card or promo code). If the redeeming of promo code happens through play store, we could be asked to provide static developer payload through developer console. So it is easy for google play to provide developer payload in any scenario. Google, Are you working on this critical issue? |
Any update on this? |
@google any update on this? We are in Oct 2016 end and still no update... |
Finally had a live chat with Google team, shared this link and here is what they said.. |
While we all are waiting for fix - do you have any temporary solution for this problem? I don't see any possibility to check if payment was done with credit card or promo code... Do you bypass payload check for this moment? |
@ekstro There's no workaround. Just don't release promo codes. If you do, the app will be much easier for pirates to bypass, since you will never be able to verify (promo) licenses, ever again. |
Any updates on this? |
@PaulRashidi any updates on this? This bug makes the IAP developer payload useless at the moment. |
Hi First, thanks for all that commented this issue. As you can see in our documentation, on the page Implementing In-app Billing (https://developer.android.com/google/play/billing/billing_integrate.html) we've added a recommendation: Caution: Don't use the developerPayload field for security validation purposes. This field isn't always available when completing tasks related to In-app Billing. For more information about security best practices, see the In-app Billing Security and Design guide. Our recommendation is to validate on your own backend, using the Play Developer API. Thanks |
@netomarin You've seem to have missed a paragraph in the billing documentation: |
@henrik-lindqvist the paragraph just explain that is a good practice to check if the developerPayload received, "matches the token that you sent previously with the purchase request". |
@netomarin I'm confused. If developerPayload isn't supported across all features, how can it be good practice checking it? Either we can rely on and enforce a matching developerPayload, or we can not. Only checking responses which has a developerPayload seems useless since pirates will just mock a response without it. |
@henrik-lindqvist it's no recommended to use as security feature, but you can use it for any other reason you want, so, if you use, it's a good practice to check if it matches. |
Security rule number 1. |
Releasing promo codes for in-app purchases will (forever) prevent an app from using remote server purchase verification!
When a promo code is used for an in-app purchase (the PURCHASES_UPDATED intent) it will completely bypass the purchase flow so the app can't supply an "developerPayload", used for remote verification:
http://developer.android.com/google/play/billing/billing_best_practices.html#payload
Later when the app call getPurchases() to get owner products, the purchase data for promo purchases won't contain a "developerPayload" of course, but neither an "orderId", also used for remote verification using the Google Play Developer API:
https://developers.google.com/android-publisher/api-ref/purchases/products
How is an app supposed to verify in-app purchases made with promo codes?
Allowing users to redeem promo codes through the Google Play Store app, thus bypassing the purchase flow, seems like an major oversight which shouldn't be possible.
The text was updated successfully, but these errors were encountered: