Diffstat (limited to 'docs/html/google/play/billing')
-rw-r--r--  docs/html/google/play/billing/billing_integrate.jd  29
-rw-r--r--  docs/html/google/play/billing/billing_reference.jd   4
2 files changed, 32 insertions, 1 deletions
diff --git a/docs/html/google/play/billing/billing_integrate.jd b/docs/html/google/play/billing/billing_integrate.jd index 3365cfc..57227a8 100644 --- a/docs/html/google/play/billing/billing_integrate.jd +++ b/docs/html/google/play/billing/billing_integrate.jd @@ -19,6 +19,7 @@ parent.link=index.html <li><a href="#Subs">Implementing Subscriptions</a><li> </ol> </li> + <li><a href="#billing-security">Securing Your App</a> </ol> <h2>Reference</h2> <ol> 
@@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp", the user. Once a subscription expires without renewal, it will no longer appear in the returned {@code Bundle}.</p> +<h2 id="billing-security">Securing Your Application</h2> + +<p>To help ensure the integrity of the transaction information that is sent to +your application, Google Play signs the JSON string that contains the response +data for a purchase order. Google Play uses the private key that is associated +with your application in the Developer Console to create this signature. The +Developer Console generates an RSA key pair for each application.<p> + +<p class="note"><strong>Note:</strong>To find the public key portion of this key +pair, open your application's details in the Developer Console, then click on +<strong>Services & APIs</strong>, and look at the field titled +<strong>Your License Key for This Application</strong>.</p> + +<p>The Base64-encoded RSA public key generated by Google Play is in binary +encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public +key that is used with Google Play licensing.</p> + +<p>When your application receives this signed response you can +use the public key portion of your RSA key pair to verify the signature. +By performing signature verification you can detect responses that have +been tampered with or that have been spoofed. You can perform this signature +verification step in your application; however, if your application connects +to a secure remote server then we recommend that you perform the signature +verification on that server.</p> + +<p>For more information about best practices for security and design, see <a +href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p> + diff --git a/docs/html/google/play/billing/billing_reference.jd b/docs/html/google/play/billing/billing_reference.jd index 1410e65..e168d70 100644 
--- a/docs/html/google/play/billing/billing_reference.jd +++ b/docs/html/google/play/billing/billing_reference.jd @@ -143,7 +143,9 @@ does not include tax.</td> </tr> <tr> <td>{@code INAPP_DATA_SIGNATURE}</td> - <td>String containing the signature of the purchase data that was signed with the private key of the developer.</td> + <td>String containing the signature of the purchase data that was signed +with the private key of the developer. The data signature uses the +RSASSA-PKCS1-v1_5 scheme.</td> </tr> </table> </p> |
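Review bot: the new sidebar entry in the first billing_integrate.jd hunk (`+ <li><a href="#billing-security">Securing Your App</a>`) says "Securing Your App" while the heading it links to, added later in the same file, is "Securing Your Application"; use one title in both places so the sidebar matches the section. The entry also has no closing `</li>`, and the context line just above it reads `<li><a href="#Subs">Implementing Subscriptions</a><li>` (an opening tag where a close was meant), so while you are here close both items so the `<ol>` nests correctly.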
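Review bot: the first paragraph of the new "Securing Your Application" section ends with `<p>` instead of `</p>` (`... generates an RSA key pair for each application.<p>`), which leaves an unclosed paragraph running into the note box; change it to `</p>`. Three smaller points in the same hunk: `<strong>Note:</strong>To find` needs a space after the colon; `Services & APIs` should be written `Services &amp; APIs` in HTML source; and "is in binary encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format" does not parse, so say "is the Base64 encoding of a DER-encoded X.509 SubjectPublicKeyInfo structure". On substance, the last paragraph recommends verifying on a remote server but never says why: an attacker who can modify the app can also swap the embedded public key or remove the check, so in-app verification only catches a response altered on its way to an unmodified client, whereas a server holding the key is outside the attacker's reach. One sentence stating that makes the recommendation something a reader can weigh rather than a preference.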
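Review bot: naming RSASSA-PKCS1-v1_5 in the `INAPP_DATA_SIGNATURE` row is an improvement, but the row still does not give an implementer enough to verify the value: PKCS#1 v1.5 signatures are defined over a specific digest, and the row should name it, and it should say how the signature String is encoded so it can be decoded before verification (the companion billing_integrate.jd hunk states the public key is Base64-encoded; the signature deserves the same precision). Suggested wording: "Base64-encoded RSASSA-PKCS1-v1_5 signature over the purchase data JSON string, computed with <digest> and the private key associated with the application."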