I am trying to implement a system to update / unlock various functions of my application using “managed” purchases with billing in the application, and I am bogged down in the absence of in-depth documentation or examples.
My application is designed to extract / analyze and display data from my own server, and the documentation at http://developer.android.com/guide/market/billing/billing_best_practices.html says:
If you use a remote server to deliver or manage content, ask the application to check the purchase status of the unlocked content whenever the user accesses the content.
My question is, what is the best way to do this in terms of the actual workflow?
As far as I can tell, with a successful purchase, I will store the purchase information on my server, as well as locally in the application. When the application starts, I sent the order identifier to my server, and the server checks whether the order is valid (first checking that the order exists in my server database, and secondly, checking whether I manually canceled the order for regardless causes).
If this is confirmed, the server will send a response to the application that the requested functions will be “licensed”, and the application will provide the user with unlocked functions / content.
The obvious problems that I see with this are:
- The root user can easily modify the local SQLITE application database (or some other method that I use to store order information) to enter the correct order ID.
- If network access is disabled or my server is disabled, I still want the application to be able to run (with cached data) all user functions.
The potential ways around the first problem that I see are related to sending a device identifier with a confirmation request and monitoring that ends on my server - canceling an order if a large number of devices access the order within a short period of time.
For the second problem, I cannot find an adequate solution. Initially, I thought that every time a check is successful, the time that was checked will be saved. Then the application will continue to work with unlocked functions, for example, 48 hours after the last successful check. The problem is, how can I safely store this time value? Again, rooted users can simply change the value, and the application will not be the best.
Has anyone designed a server system for managing in-app billing purchases and can offer some suggestions?