我正在我的应用中实现应用内结算以解锁高级功能。 应用内结算设置正确。除了“开发人员有效负载”之外,一切似乎都很好。
示例应用说明
/*
* TODO: verify that the developer payload of the purchase is correct. It will be
* the same one that you sent when initiating the purchase.
*
* WARNING: Locally generating a random string when starting a purchase and
* verifying it here might seem like a good approach, but this will fail in the
* case where the user purchases an item on one device and then uses your app on
* a different device, because on the other device you will not have access to the
* random string you originally generated.
*
* So a good developer payload has these characteristics:
*
* 1. If two different users purchase an item, the payload is different between them,
* so that one user's purchase can't be replayed to another user.
*
* 2. The payload must be such that you can verify it even when the app wasn't the
* one who initiated the purchase flow (so that items purchased by the user on
* one device work on other devices owned by the user).
*
* Using your own server to store and verify developer payloads across app
* installations is recommended.
*/
The sample app uses an empty string as developer payload. My question is what string to use as a developer payload? Can I use the user's primary email ID?
最佳答案
对我来说,随机字符串首先没有用,它需要依赖于购买它的用户,而不是购买它的设备。其次,它是非消耗品,因此空字符串可能适合,但并不理想。
所以我的解决方法是根据 key 创建加密哈希。每次购买时,它都是唯一可识别的,因为哈希值永远不会相同(这取决于哈希方法,例如 bcrypt)。
由于所有设备上的 key 都相同,因此很容易解密并验证 secret 消息是否正确。
为了让 key 保密,我使用了各种字符串操作函数来掩盖它,因此它不会以可见的方式存储。
可以在此处找到文本处理的示例:Android In App Billing: securing application public key
String Base64EncodedPublicKey key =
DecrementEachletter("Bl4kgle") + GetMiddleBit() + ReverseString("D349824");
这种基于 key 创建哈希的方法允许有效负载是唯一且可识别的,同时具有相当的安全性。它不是防弹的,但它确实很难破解。
关于android - android in-app billing v3 api中的开发人员有效负载应该是什么?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/18613520/