From ce4027bd2db67ceacd4bd4263d5054a7b81791aa Mon Sep 17 00:00:00 2001 From: quddusc Date: Fri, 29 Mar 2013 15:32:38 -0700 Subject: docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447 Change-Id: Ifc5556dc096065e59d34f6cde8fde2b64e5b200e --- docs/html/google/play/billing/billing_integrate.jd | 29 ++++++++++++++++++++++ docs/html/google/play/billing/billing_reference.jd | 4 ++- 2 files changed, 32 insertions(+), 1 deletion(-) (limited to 'docs/html/google/play/billing') diff --git a/docs/html/google/play/billing/billing_integrate.jd b/docs/html/google/play/billing/billing_integrate.jd index 3365cfc..57227a8 100755 --- a/docs/html/google/play/billing/billing_integrate.jd +++ b/docs/html/google/play/billing/billing_integrate.jd @@ -19,6 +19,7 @@ parent.link=index.html
  • Implementing Subscriptions
  • +
  • Securing Your App

    Reference
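Review bot: the new contents entry reads "Securing Your App" while the section heading added in billing_integrate.jd is "Securing Your Application"; use the same wording in both places so the sidebar link and the heading it targets match, and check that the entry's anchor matches the id the section actually gets.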

      @@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp", the user. Once a subscription expires without renewal, it will no longer appear in the returned {@code Bundle}.

      +

      Securing Your Application

      + +

      To help ensure the integrity of the transaction information that is sent to +your application, Google Play signs the JSON string that contains the response +data for a purchase order. Google Play uses the private key that is associated +with your application in the Developer Console to create this signature. The +Developer Console generates an RSA key pair for each application.

      + +

      Note:To find the public key portion of this key +pair, open your application's details in the Developer Console, then click on +Services & APIs, and look at the field titled +Your License Key for This Application.

      + +

      The Base64-encoded RSA public key generated by Google Play is in binary +encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public +key that is used with Google Play licensing.

      + +

      When your application receives this signed response you can +use the public key portion of your RSA key pair to verify the signature. +By performing signature verification you can detect responses that have +been tampered with or that have been spoofed. You can perform this signature +verification step in your application; however, if your application connects +to a secure remote server then we recommend that you perform the signature +verification on that server.

      + +

      For more information about best practices for security and design, see Security and Design.
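Review bot: the paragraphs describing the key ("the private key that is associated with your application", "the public key portion of your RSA key pair") read as if the developer holds the private key, but the preceding sentence says the Developer Console generates the pair and the Note only tells the reader where to find the public half; state plainly that Google Play signs with a private key the developer never receives, and that the developer's only job is to verify with the published public key. The verification paragraph also never names which Bundle field carries the JSON that is signed, nor that the signature is delivered Base64-encoded in INAPP_DATA_SIGNATURE (the field documented in billing_reference.jd in this same change); naming both fields here, next to the advice to verify on a secure remote server, would let a developer wire up verification without guessing which string to feed to the check.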

      + diff --git a/docs/html/google/play/billing/billing_reference.jd b/docs/html/google/play/billing/billing_reference.jd index 1410e65..e168d70 100755 --- a/docs/html/google/play/billing/billing_reference.jd +++ b/docs/html/google/play/billing/billing_reference.jd @@ -143,7 +143,9 @@ does not include tax. {@code INAPP_DATA_SIGNATURE} - String containing the signature of the purchase data that was signed with the private key of the developer. + String containing the signature of the purchase data that was signed +with the private key of the developer. The data signature uses the +RSASSA-PKCS1-v1_5 scheme.
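Review bot: "The data signature uses the RSASSA-PKCS1-v1_5 scheme" is not enough on its own for an implementer to verify the signature, because RSASSA-PKCS1-v1_5 is parameterised by a digest; add the hash algorithm used, and say that the signed input is the raw purchase-data string exactly as delivered (not a re-serialised JSON object), since any whitespace or key-order change would make a correct implementation reject valid signatures. It would also help to cross-reference the new "Securing Your Application" section in billing_integrate.jd from this field description.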
