How to verify the signed data from Android Market in-app billing using Java (Servlet)

Time: 2021-06-01 17:02:03

While implementing the in-app billing for Android application, I came across a problem.

Let me explain the scenario first.
We have a content server (data server) which has the list of products.
When the user selects one from the list, he is able to purchase it.
The purchase logic runs perfectly after I put in my credit card details using my test account.
In return I am getting signed data on the Android device.

My question is:
1. Do I have to verify the signed data on the Android device and then send some information or the data to the content server, which in return sends the product (I think this may not be good since there is no flow at the server side to verify whether the request is valid or not, or more precisely, whether the signed data was generated by Google Market or not)?
2. If I have to verify the data at the server side, how can I do this? Do I have to send it to Google Market (if yes, using which web service or API)?

Please help me to rectify this.
Thanks in advance.

2 solutions

#1


3  

For your second question, hash (eg: MD5, SHA) the data and send the hash along with the data to the server. At the server, create a hash of the data and compare the hashes to verify them.

#2


2  

To answer your questions you have to first create the in-app product using some sort of ID that I would then tie into a database you have on your server. Using web services you then query your DB and see if the in-app ID matches the ID in your product database. On top of that you can use the security nonces and signatures to verify. Mostly you let Google handle the products, and so you will have to model the in-app products after your DB. If you have too many products then you will have to handle it the standard way of creating a mobile website ....

EDIT: Well, when you make the request, i.e. purchase, you first do the REQUEST_PURCHASE, then you launch the PendingIntent that is returned by the Market. Then you handle the broadcast intents that are sent by Market. You specify four keys in the request, then make a purchase request:

  Bundle request = makeRequestBundle("REQUEST_PURCHASE");
  request.putString(ITEM_ID, mProductId);

  // Note that the developer payload is optional.
  if (mDeveloperPayload != null) {
      request.putString(DEVELOPER_PAYLOAD, mDeveloperPayload);
  }
  // The request is sent whether or not a payload was attached.
  Bundle response = mService.sendBillingRequest(request);
  // Do something with this response.

Then you have to use the PendingIntent to launch the checkout UI (careful of the 1.6 to 2.0 differences, where 1.6 requires this be launched separately from the Activity). Take a look at PurchaseObserver.java in the Google examples.

"The Android Market application sends a RESPONSE_CODE broadcast intent, which provides error information about the request. If the request does not generate an error, the RESPONSE_CODE broadcast intent returns RESULT_OK, which indicates that the request was successfully sent. (To be clear, a RESULT_OK response does not indicate that the requested purchase was successful; it indicates that the request was sent successfully to Android Market.)"

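The second point of the question (how the servlet verifies the data) and answer #2's list of checks (product ID against your own database, nonces, signatures) can be shown together in one server-side class. The Java below is an added example, not code from the original post or from Google's sample; the names PurchaseVerifier, acceptPurchase, issueNonce and the Map standing in for the product database are hypothetical, the JSON payload is a constructed sample in the shape of the v1 PURCHASE_STATE_CHANGED data, and a throwaway RSA key pair generated at runtime stands in for the Base64-encoded public key from the developer console so the demo runs offline. Android Market signs the purchase JSON with RSA over SHA-1 (SHA1withRSA in the JCA), so the server checks who produced the bytes with the console public key; a hash computed on the client, as in answer #1, only shows that the bytes arrived unchanged and is equally easy for a modified client to recompute. The nonce is issued by the server, sent by the app in its GET_PURCHASE_INFORMATION request, and consumed once when it comes back inside the signed data, which blocks replay of a genuinely signed purchase.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PurchaseVerifier {
    // Market signs the purchase JSON with the app's RSA key; the console shows the public half Base64-encoded.
    private static final String SIG_ALG = "SHA1withRSA";
    private final PublicKey marketKey;
    private final Set<Long> outstandingNonces = new HashSet<>(); // issued to the app, not yet consumed
    private final Map<String, Integer> catalog;                   // hypothetical product DB: productId -> price (cents)
    private final SecureRandom rng = new SecureRandom();

    public PurchaseVerifier(String base64PublicKey, Map<String, Integer> catalog) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64PublicKey);
        this.marketKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        this.catalog = catalog;
    }

    /** Server issues the nonce; the app sends it to Market and it comes back inside signedData. */
    public synchronized long issueNonce() {
        long n = rng.nextLong();
        outstandingNonces.add(n);
        return n;
    }

    /** Raw RSA/SHA-1 check: was signedData signed by the key the console shows? */
    public boolean signatureValid(String signedData, String base64Signature) {
        try {
            Signature v = Signature.getInstance(SIG_ALG);
            v.initVerify(marketKey);
            v.update(signedData.getBytes(StandardCharsets.UTF_8));
            return v.verify(Base64.getDecoder().decode(base64Signature));
        } catch (Exception e) {
            return false; // bad Base64 or bad signature encoding counts as "not verified"
        }
    }

    /**
     * Full acceptance test. Returns the productId to deliver, or null to refuse.
     * Signature first (every other field is attacker-controllable until then), then nonce, then catalog.
     */
    public synchronized String acceptPurchase(String signedData, String base64Signature) {
        if (!signatureValid(signedData, base64Signature)) return null;
        Long nonce = firstLong(signedData, "\"nonce\"\\s*:\\s*(-?\\d+)");
        if (nonce == null || !outstandingNonces.remove(nonce)) return null; // unknown or replayed nonce
        String productId = firstString(signedData, "\"productId\"\\s*:\\s*\"([^\"]+)\"");
        Long state = firstLong(signedData, "\"purchaseState\"\\s*:\\s*(\\d+)");
        if (productId == null || state == null || state != 0) return null;  // 0 = purchased in the v1 JSON
        return catalog.containsKey(productId) ? productId : null;
    }

    // Minimal field extraction so the example has no dependencies; a real servlet would use a JSON parser.
    private static Long firstLong(String json, String regex) {
        Matcher m = Pattern.compile(regex).matcher(json);
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    private static String firstString(String json, String regex) {
        Matcher m = Pattern.compile(regex).matcher(json);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key pair standing in for the Market signing key (assumption: lets the demo run offline).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String consoleKey = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());

        PurchaseVerifier server = new PurchaseVerifier(consoleKey, Map.of("sku_001", 199));
        long nonce = server.issueNonce();

        // Constructed sample of a v1 PURCHASE_STATE_CHANGED payload (shape only), signed with the throwaway key.
        String signedData = "{\"nonce\":" + nonce + ",\"orders\":[{\"orderId\":\"12999763169054705758.1\","
                + "\"packageName\":\"com.example.app\",\"productId\":\"sku_001\","
                + "\"purchaseTime\":1306000000000,\"purchaseState\":0}]}";
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(kp.getPrivate());
        s.update(signedData.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(s.sign());

        System.out.println("genuine:  " + server.acceptPurchase(signedData, signature)); // sku_001
        System.out.println("replayed: " + server.acceptPurchase(signedData, signature)); // null: nonce already consumed
        String forged = signedData.replace("sku_001", "sku_premium");                   // edited by a modified client
        System.out.println("forged:   " + server.acceptPurchase(forged, signature));    // null: signature no longer matches
    }
}
```

In the servlet, acceptPurchase would receive signedData and signature as posted by the app and the product DB lookup would replace the Map; the public key string is the only Market-specific configuration the server needs, and no call to a Google web service is involved in the verification itself.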
