3
votes

I'm putting an app up on Google Play (fmr. Android Market) and now I'm working on the in-app billing feature. The Android docs say you should do this by verifying the signature of the transaction with your public key, but I'm wondering if retrieving the order information with the Google Checkout API would be easier. Something like the following:

OLD WAY

  1. Android customer purchases something on the market
  2. Market sends response to phone with nonce, signature, transaction ID, etc.
  3. Android phone, or remote server verifies the transaction using the nonce (generated earlier) and the signature.
  4. If the transaction was verified, the purchase was valid, credit customer with item.

MY WAY

  1. Android customer purchases something on the market
  2. Market sends response to phone with nonce, signature, transaction ID, etc.
  3. Android phone sends request to remote server with transactionid
  4. Remote server sends a request to the Google Checkout API for an order with the transaction ID, and verifies that the transaction has cleared.
  5. If the transaction has cleared, credit customer with item

Is this possible?


2 Answers

1
votes

Probably. Google Checkout API is not available everywhere though. If you have a merchant key, you should be able to use it, but the key is not available for most countries. You will need to contact yet one more server, but sounds like it should work. The question is, why haven't you tried yet?

1
votes

Your way seems pretty easily spoofable to me. For something as critical as billing, I'd go with the recommended approach. It's been thought out.