am a6eaec81: am dd50e98c: am f634d6a2: am c0050433: Merge "docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447" into jb-mr1.1-docs

* commit 'a6eaec812f1d0d2d551d0d98b67bb22cfc26c31a':
  docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447

6 files changed, 61 insertions, 37 deletions

diff --git a/docs/html/google/play/billing/billing_integrate.jd b/docs/html/google/play/billing/billing_integrate.jd
index 3365cfc..57227a8 100644
--- a/docs/html/google/play/billing/billing_integrate.jd
+++ b/docs/html/google/play/billing/billing_integrate.jd
@@ -19,6 +19,7 @@ parent.link=index.html
        <li><a href="#Subs">Implementing Subscriptions</a><li>
        </ol>
     </li>
+    <li><a href="#billing-security">Securing Your App</a>
   </ol>
   <h2>Reference</h2>
   <ol>
@@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp",
 the user. Once a subscription expires without renewal, it will no longer appear 
 in the returned {@code Bundle}.</p>
 
+<h2 id="billing-security">Securing Your Application</h2>
+
+<p>To help ensure the integrity of the transaction information that is sent to 
+your application, Google Play signs the JSON string that contains the response 
+data for a purchase order. Google Play uses the private key that is associated 
+with your application in the Developer Console to create this signature. The 
+Developer Console generates an RSA key pair for each application.<p>
+
+<p class="note"><strong>Note:</strong>To find the public key portion of this key 
+pair, open your application's details in the Developer Console, then click on 
+<strong>Services & APIs</strong>, and look at the field titled 
+<strong>Your License Key for This Application</strong>.</p>
+
+<p>The Base64-encoded RSA public key generated by Google Play is in binary 
+encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public 
+key that is used with Google Play licensing.</p>
+
+<p>When your application receives this signed response you can 
+use the public key portion of your RSA key pair to verify the signature. 
+By performing signature verification you can detect responses that have 
+been tampered with or that have been spoofed. You can perform this signature 
+verification step in your application; however, if your application connects 
+to a secure remote server then we recommend that you perform the signature 
+verification on that server.</p>
+
+<p>For more information about best practices for security and design, see <a
+href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p>
+
 
 
 
diff --git a/docs/html/google/play/billing/billing_reference.jd b/docs/html/google/play/billing/billing_reference.jd
index 1410e65..e168d70 100644
--- a/docs/html/google/play/billing/billing_reference.jd
+++ b/docs/html/google/play/billing/billing_reference.jd
@@ -143,7 +143,9 @@ does not include tax.</td>
   </tr>
   <tr>
     <td>{@code INAPP_DATA_SIGNATURE}</td>
-    <td>String containing the signature of the purchase data that was signed with the private key of the developer.</td>
+    <td>String containing the signature of the purchase data that was signed 
+with the private key of the developer. The data signature uses the 
+RSASSA-PKCS1-v1_5 scheme.</td>
   </tr>
 </table>
 </p>
diff --git a/docs/html/google/play/licensing/adding-licensing.jd b/docs/html/google/play/licensing/adding-licensing.jd
index 3f2460f..93561f6 100644
--- a/docs/html/google/play/licensing/adding-licensing.jd
+++ b/docs/html/google/play/licensing/adding-licensing.jd
@@ -853,37 +853,39 @@ sample application calls <code>checkAccess()</code> from a
 
 <h3 id="account-key">Embed your public key for licensing</h3>
 
-<p>For each publisher account, the Google Play service automatically
-generates a  2048-bit RSA public/private key pair that is used exclusively for
-licensing. The key pair is uniquely associated with the publisher account and is
-shared across all applications that are published through the account. Although
-associated with a publisher account, the key pair is <em>not</em> the same as
-the key that you use to sign your applications (or derived from it).</p>
+<p>For each application, the Google Play service automatically
+generates a  2048-bit RSA public/private key pair that is used for 
+licensing and in-app billing. The key pair is uniquely associated with the 
+application. Although associated with the application, the key pair is 
+<em>not</em> the same as the key that you use to sign your applications (or derived from it).</p>
 
 <p>The Google Play Developer Console exposes the public key for licensing to any
-developer signed in to the publisher account, but it keeps the private key
+developer signed in to the Developer Console, but it keeps the private key
 hidden from all users in a secure location. When an application requests a
 license check for an application published in your account, the licensing server
-signs the license response using the private key of your account's key pair.
+signs the license response using the private key of your application's key pair.
 When the LVL receives the response, it uses the public key provided by the
 application to verify the signature of the license response. </p>
 
-<p>To add licensing to an application, you must obtain your publisher account's
+<p>To add licensing to an application, you must obtain your application's
 public key for licensing and copy it into your application. Here's how to find
-your account's public key for licensing:</p>
+your application's public key for licensing:</p>
 
 <ol>
 <li>Go to the Google Play <a
 href="http://play.google.com/apps/publish">Developer Console</a> and sign in.
 Make sure that you sign in to the account from which the application you are
 licensing is published (or will be published). </li>
-<li>In the account home page, locate the "Edit profile" link and click it. </li>
-<li>In the Edit Profile page, locate the "Licensing" pane, shown below. Your
-public key for licensing is given in the "Public key" text box. </li>
+<li>In the application details page, locate the <strong>Services & APIs</strong> 
+link and click it. </li>
+<li>In the <strong>Services & APIs</strong> page, locate the 
+<strong>Licensing & In-App Billing</strong> section. Your public key for 
+licensing is given in the 
+<strong>Your License Key For This Application</strong> field. </li>
 </ol>
 
 <p>To add the public key to your application, simply copy/paste the key string
-from the text box into your application as the value of the String variable
+from the field into your application as the value of the String variable
 <code>BASE64_PUBLIC_KEY</code>. When you are copying, make sure that you have
 selected the entire key string, without omitting any characters. </p>
 
@@ -965,16 +967,6 @@ application that they have legitimately purchased on another device.</li>
 </ul>
 </div>
 
-
-
-
-
-
-
-
-
-
-
 <h2 id="app-obfuscation">Obfuscating Your Code</h2>
 
 <p>To ensure the security of your application, particularly for a paid
diff --git a/docs/html/google/play/licensing/index.jd b/docs/html/google/play/licensing/index.jd
index a13be10..6632fc0 100644
--- a/docs/html/google/play/licensing/index.jd
+++ b/docs/html/google/play/licensing/index.jd
@@ -16,7 +16,7 @@ restrict use of the application to a specific device, in addition to any other c
 
 <p>The licensing service is a secure means of controlling access to your applications. When an
 application checks the licensing status, the Google Play server signs the licensing status
-response using a key pair that is uniquely associated with the publisher account. Your application
+response using a key pair that is uniquely associated with the application. Your application
 stores the public key in its compiled <code>.apk</code> file and uses it to verify the licensing
 status response.</p>
 
diff --git a/docs/html/google/play/licensing/licensing-reference.jd b/docs/html/google/play/licensing/licensing-reference.jd
index 4240097..7bfa61a 100644
--- a/docs/html/google/play/licensing/licensing-reference.jd
+++ b/docs/html/google/play/licensing/licensing-reference.jd
@@ -186,7 +186,7 @@ licensing server, possibly because of network availability problems. </td>
 </tr>
 <tr>
 <td>{@code ERROR_SERVER_FAILURE}</td>
-<td>Server error &mdash; the server could not load the publisher account's key
+<td>Server error &mdash; the server could not load the application's key
 pair for licensing.</td>
 <td>No</td>
 <td></td>
diff --git a/docs/html/google/play/licensing/overview.jd b/docs/html/google/play/licensing/overview.jd
index 2434a4c..4e1a9c9 100644
--- a/docs/html/google/play/licensing/overview.jd
+++ b/docs/html/google/play/licensing/overview.jd
@@ -38,13 +38,13 @@ the licensing server and receives the result. The Google Play application sends
 the result to your application, which can allow or disallow further use of the
 application as needed.</p>
 
-<p class="note"><strong>Note:</strong> If a paid application has been uploaded to Google Play but
-saved only as a draft application (the app is unpublished), the licensing server considers all users
-to be licensed users of the application (because it's not even possible to purchase the app).
-This exception is necessary in order for you to perform testing of your licensing
+<p class="note"><strong>Note:</strong> If a paid application has been uploaded 
+to Google Play, but saved only as a draft application (the app is 
+unpublished), the licensing server considers all users to be licensed users of 
+the application (because it's not even possible to purchase the app). This 
+exception is necessary in order for you to perform testing of your licensing 
 implementation.</p>
 
-
 <div class="figure" style="width:469px">
 <img src="{@docRoot}images/licensing_arch.png" alt=""/>
 <p class="img-caption"><strong>Figure 1.</strong> Your application initiates a
@@ -102,10 +102,11 @@ response data using an RSA key pair that is shared exclusively between the Googl
 server and you.</p>
 
 <p>The licensing service generates a single licensing key pair for each
-publisher account and exposes the public key in your account's profile page. You must copy the
-public key from the web site and embed it in your application source code. The server retains the
-private key internally and uses it to sign license responses for the applications you
-publish with that account.</p>
+application and exposes the public key in your application's 
+<strong>Services & APIs</strong> page in the Developer Console. You must copy 
+the public key from the Developer Console and embed it in your application 
+source code. The server retains the private key internally and uses it to sign 
+license responses for the applications you publish with that account.</p>
 
 <p>When your application receives a signed response, it uses the embedded public
 key to verify the data. The use of public key cryptography in the licensing
@@ -221,7 +222,7 @@ gives you wider distribution potential for your applications. </p>
 <p>Licensing lets you move to a license-based model that is enforceable on
 all devices that have access to Google Play. Access is not bound to the
 characteristics of the host device, but to your
-publisher account on Google Play (through the app's public key) and the
+application on Google Play (through the app's public key) and the
 licensing policy that you define. Your application can be installed and
 managed on any device on any storage, including SD card.</p>