I've recently implemented in-app purchases in my app using the following 
server-side conversation to check receipts from Google Play (let's call my 
server Fngopt):

1) Ask the Fngopt server for a nonce code. On the server, register that this 
code was generated.
2) Generate a purchase request to Google Play with this nonce.
3) When I obtain a signed receipt I check it on the server and make sure 
that it contains a nonce Fngopt served out.

Now my problem is that I originally wanted to build an additional layer of 
security by making sure the receipt was also using a recent timestamp, 
basically trying to give receipts a sell-by-date. However the 
restore-purchased-items feature returns a receipt with a timestamp of the 
original purchase date. So is this hacking scenario applicable:

Hack my app or create a fake DNS server to intercept the receipt being 
exchanged during a purchase. You can then create a new app which bypasses 
the Play store and simply sends this receipt over and over. You can then 
sell this app as a cracked copy of the original where you don't have to pay 
for in-app purchases at all.

This was recently successfully achieved on iOS 5.x (patched in 6.0), not 
quite in the same way; however, the principle is the same. A receipt cannot 
be tied to an account and therefore can be reused by anyone.

Any thoughts appreciated, thanks.

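Steps 1 to 3 of the post, seen from the server, as an added example that is not the poster's code: each nonce is recorded with the account that asked for it, accepted once, and refused on any later presentation of the same receipt. `NonceRegistry`, `check_receipt`, the top-level `"nonce"` field, the account binding and the 600-second window are assumptions, and `demo_verify` is a constructed HMAC stand-in for the store's real signature check.

```python
import hmac, json, secrets, time

class NonceRegistry:
    """Nonces the server has handed out (step 1) and not yet seen back (step 3)."""
    def __init__(self, ttl_seconds=600):          # assumed freshness window
        self.ttl = ttl_seconds
        self._pending = {}                        # nonce -> (account_id, issued_at)

    def issue(self, account_id, now=None):
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (account_id, time.time() if now is None else now)
        return nonce

    def consume(self, nonce, account_id, now=None):
        """True only on first use, by the requesting account, inside the window."""
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)    # pop: a replay finds nothing
        if entry is None:
            return False
        owner, issued_at = entry
        return owner == account_id and now - issued_at <= self.ttl

def check_receipt(registry, account_id, signed_data, signature, verify, now=None):
    """Step 3: verify the signature first, then consume the nonce it carries."""
    if not verify(signed_data, signature):
        return "bad-signature"
    try:
        nonce = json.loads(signed_data)["nonce"]  # assumed receipt layout
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if not isinstance(nonce, str) or not registry.consume(nonce, account_id, now):
        return "rejected-nonce"
    return "ok"

# Constructed stand-in for the store's signature check, so the example runs offline.
DEMO_KEY = b"constructed-demo-key"
def demo_sign(data):
    return hmac.new(DEMO_KEY, data.encode(), "sha256").hexdigest()
def demo_verify(data, sig):
    return hmac.compare_digest(demo_sign(data), sig)

if __name__ == "__main__":
    reg = NonceRegistry()
    receipt = json.dumps({"nonce": reg.issue("alice"), "productId": "constructed_item"})
    sig = demo_sign(receipt)
    print(check_receipt(reg, "alice", receipt, sig, demo_verify))  # first use
    print(check_receipt(reg, "alice", receipt, sig, demo_verify))  # same receipt again
```

The window is measured from the server's own issue time, not from the timestamp inside the receipt.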