
I'm building a server to test all my in-app purchases from the Android Market. But I don't think that I'm sending the information from the app correctly. My server is built in PHP.

My app accesses the URL:

...&response={...json...}&signature={...signature...}

The signature is previously encoded with URLEncoder.encode(signature, "UTF-8").

My server:

$response = $_GET["response"];
$signature = htmlspecialchars(urldecode($_GET["signature"]));

And then I execute the verification process. I think the problem comes from the way I'm passing the arguments from the app to the server, because if I copy the response and signature manually and test them, the verification function says that they are valid.

URL:

...&response={"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16 Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.aceventura3","purchaseTime":1331037005000,"purchaseState":0,"developerPayload":"Ace Ventura 3"}]}&signature=EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi%2Bd1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8%2FN7p41euzb1n1%2FgZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs%2Bl0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS%2B4LG1YxmJIsxhJnOcmNI7n2VKUdtn%2B0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg%3D%3D

var_dump() output:

Response

string '{"nonce":-871647007848398655,"orders":[{"orderId":"768142460571407","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.flyboys","purchaseTime":1330090436000,"purchaseState":0,"developerPayload":"Flyboys"},{"orderId":"203523162686707","packageName":"net.xxx.aaa","productId":"net.xxx.mmf.16blocks","purchaseTime":1330511533000,"purchaseState":0,"developerPayload":"16 Blocks"},{"orderId":"328483664834399","packageName":"net.xxx.aaa","productId":"net.xxx'... (length=617)

Signature

string 'EyT9IgZeq2OLRqCtabTIc5wOKARtdHUfCQAdkEqkGyi d1qQgcfxPnvIa9VMDQqwh8rxxGPOYQKuhaEuZUJzbSain8/N7p41euzb1n1/gZkgqXlQTDn076U2AXcp1ymBFZamrwETo0gkZi4q6PZV47oR7Rk28vPU5vjs l0TN0DdlzclHuH40CkZqD1ErSMMwWGTGR6bGnJlmmhgHC2KV7Ab63i0hdgkqk5MOtkOxhjS 4LG1YxmJIsxhJnOcmNI7n2VKUdtn 0CWxO5M8m0BcfpZ9Se3sR6ZtVli2rS1KSKQPL1Td9GWPhmG4nvzZFtKCqf9Le6Meudv6iFTSw5Hg==' (length=344)

Run some test data and give an example of the input data, the full URL that your app is posting to and a var_dump() of $response and $signature after it's received by the server. The encode/decode might be munging the data. – Justin ᚅᚔᚈᚄᚒᚔ
I don't think that the problem is connected with the response, because I manually match the response from $_GET against the JSON, and the server receives the same. So I think the problem is related to the signature... – Adelino
I also noticed that the signature the server fetches has some blank spaces, but even if I cut these blank spaces out, it still doesn't match the signature. – Adelino
I already found the problem: if I encode the signature in the Android app, I don't need to decode it on the server. – Adelino

1 Answer

When using URL encoding, PHP will automatically decode the data, so if you're re-decoding it, it's going to break something. I have had this problem before.

URL encoding is for the browser, so stuff like & in a string sent through GET does not act as a new parameter in GET.

So for your code, htmlspecialchars(urldecode($_GET["signature"])); should be htmlspecialchars($_GET["signature"]);

I know this has been answered in the comments, but I added an answer for Googlers.
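The following is an added example, not code from the question or the answer above. It reproduces the double-decoding problem end to end in PHP: the client encodes a base64 signature with URLEncoder.encode() (PHP's urlencode() produces the same output), PHP decodes the query string once when filling $_GET (parse_str() stands in for $_GET here), and a second urldecode() turns every '+' into a space, which is exactly the "blank spaces" seen in the var_dump() above. The key pair and the response payload are generated and constructed for the demo; SHA1-with-RSA via openssl_verify() is assumed as the verification step.

```php
<?php
// Added example (not from the original question or answer).
// Shows why urldecode() on a $_GET value corrupts a base64 signature and
// how a strict verifier rejects the corrupted value instead of guessing.

function signResponse(string $response, $privateKey): string {
    // Constructed stand-in for the market's signer: SHA1-with-RSA, base64-encoded.
    openssl_sign($response, $raw, $privateKey, OPENSSL_ALGO_SHA1);
    return base64_encode($raw);
}

function verifyResponse(string $response, string $signatureB64, string $publicKeyPem): bool {
    // Strict mode: any character outside the base64 alphabet (such as a space
    // introduced by double-decoding) makes base64_decode() return false, so a
    // mangled signature fails here instead of being silently "cleaned up".
    $raw = base64_decode($signatureB64, true);
    if ($raw === false) {
        return false;
    }
    return openssl_verify($response, $raw, $publicKeyPem, OPENSSL_ALGO_SHA1) === 1;
}

// Demo key pair, generated on the fly (your real check uses the Market public key).
$privateKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

// Constructed response; sign until the base64 signature contains a '+', the
// character that the second decode corrupts (a 344-char signature almost always has one).
$nonce = 0;
do {
    $response  = '{"nonce":' . $nonce++ . ',"orders":[]}';
    $signature = signResponse($response, $privateKey);
} while (strpos($signature, '+') === false);

// Android side: URLEncoder.encode(signature, "UTF-8") maps '+' to '%2B',
// '/' to '%2F' and '=' to '%3D'. PHP's urlencode() produces the same encoding.
$query = 'response=' . urlencode($response) . '&signature=' . urlencode($signature);

// PHP decodes the query string once while populating $_GET; parse_str()
// applies the identical decoding, so $get plays the role of $_GET here.
parse_str($query, $get);

$once  = $get['signature'];            // decoded once by PHP: intact
$twice = urldecode($get['signature']); // decoded again: every '+' is now a space

var_dump($once === $signature);                                     // bool(true)
var_dump($twice === $signature);                                    // bool(false)
var_dump(verifyResponse($get['response'], $once, $publicKeyPem));   // bool(true)
var_dump(verifyResponse($get['response'], $twice, $publicKeyPem));  // bool(false)
```

Two points worth keeping from this: read the signature straight from $_GET, and decode it with base64_decode($sig, true) so that a corrupted value is rejected rather than having its invalid characters skipped by the lenient default. htmlspecialchars() is harmless on base64 (that alphabet contains none of the characters it escapes), but it belongs to HTML output, not to signature verification, so it can be dropped from that line altogether.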