Diffstat (limited to 'docs/html/google/play/billing/billing_integrate.jd')
-rwxr-xr-x | docs/html/google/play/billing/billing_integrate.jd | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/docs/html/google/play/billing/billing_integrate.jd b/docs/html/google/play/billing/billing_integrate.jd index 3365cfc..57227a8 100755 --- a/docs/html/google/play/billing/billing_integrate.jd +++ b/docs/html/google/play/billing/billing_integrate.jd @@ -19,6 +19,7 @@ parent.link=index.html <li><a href="#Subs">Implementing Subscriptions</a><li> </ol> </li> + <li><a href="#billing-security">Securing Your App</a> </ol> <h2>Reference</h2> <ol> 
@@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp", the user. Once a subscription expires without renewal, it will no longer appear in the returned {@code Bundle}.</p> +<h2 id="billing-security">Securing Your Application</h2> + +<p>To help ensure the integrity of the transaction information that is sent to +your application, Google Play signs the JSON string that contains the response +data for a purchase order. Google Play uses the private key that is associated +with your application in the Developer Console to create this signature. The +Developer Console generates an RSA key pair for each application.<p> + +<p class="note"><strong>Note:</strong>To find the public key portion of this key +pair, open your application's details in the Developer Console, then click on +<strong>Services & APIs</strong>, and look at the field titled +<strong>Your License Key for This Application</strong>.</p> + +<p>The Base64-encoded RSA public key generated by Google Play is in binary +encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public +key that is used with Google Play licensing.</p> + +<p>When your application receives this signed response you can +use the public key portion of your RSA key pair to verify the signature. +By performing signature verification you can detect responses that have +been tampered with or that have been spoofed. You can perform this signature +verification step in your application; however, if your application connects +to a secure remote server then we recommend that you perform the signature +verification on that server.</p> + +<p>For more information about best practices for security and design, see <a +href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p> + |
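Review bot: In the first hunk the added list item is not closed: `+ <li><a href="#billing-security">Securing Your App</a>` lacks the trailing `</li>` before the `</ol>` that follows, and the pre-existing line just above (`<li><a href="#Subs">Implementing Subscriptions</a><li>`) has the same defect with a mis-typed `<li>` where `</li>` was meant; since this hunk touches that list, fix both. Also align the link text with the heading it points to: the nav says "Securing Your App" while the new section in the second hunk is titled "Securing Your Application".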
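Review bot: In the second hunk, several markup errors will render badly in the .jd template: the first paragraph ends with `<p>` instead of `</p>` ("generates an RSA key pair for each application.<p>"), `<strong>Note:</strong>To find` is missing a space after the colon, and the bare ampersand in `<strong>Services & APIs</strong>` should be `&amp;`. The phrase "is in binary encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format" is awkward; something like "is a Base64 encoding of the DER-encoded X.509 SubjectPublicKeyInfo structure" reads more clearly and matches the standard name. On the security guidance itself, the paragraph recommends verifying on a secure remote server when one is available but gives no reason; a single sentence explaining why (the in-app check runs in an environment the developer does not control, so the server-side check is harder to bypass) would help readers understand the recommendation rather than treat it as optional, and it fits naturally before the link to the Security and Design page.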