In-app billing not working after upgrade - Google Store

I implemented In-App billing in my application, and Google recently updated it. Earlier I tested the billing in the application using "android.test.purchased" and it worked fine (buying the full version and restoring the full version).

Now I took the modified classes from here https://code.google.com/p/marketbilling/source/detail?r=7bc191a004483a1034b758e1df0bda062088d840

After that I can't test the application; it gives the following error in Logcat: "IabHelper: In-app billing error: Purchase signature verification FAILED for sku android.test.purchased".

I checked everything with my key, package name, and version of the application. Did anyone encounter this problem?

Please help me with this.

+14
android billing in-app-billing in-app-purchase android-billing
Oct 23 '13 at 6:19
2 answers

This is due to the verifyPurchase() method in the Security class, which has been changed in new patches. Let me show you exactly what the problem is:

Security Class Changes

OLD CODE

    public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
        if (signedData == null) {
            Log.e(TAG, "data is null");
            return false;
        }

        boolean verified = false;
        // The signature is only checked when it is non-empty.
        if (!TextUtils.isEmpty(signature)) {
            PublicKey key = Security.generatePublicKey(base64PublicKey);
            verified = Security.verify(key, signedData, signature);
            if (!verified) {
                Log.w(TAG, "signature does not match data.");
                return false;
            }
        }
        // Also reached when the signature is empty.
        return true;
    }

New code

    public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
        // Any missing input now fails verification.
        if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey)
                || TextUtils.isEmpty(signature)) {
            Log.e(TAG, "Purchase verification failed: missing data.");
            return false;
        }

        PublicKey key = Security.generatePublicKey(base64PublicKey);
        return Security.verify(key, signedData, signature);
    }

According to what I searched and tested with the new code, this happens because we do not receive any signature when we use a dummy product such as "android.test.purchased". Therefore the old code works well, because it returned true even if no signature was given, while the new code returns false.

more information on null or blank signature data from link1 and link2

Therefore, I suggest that you simply use the OLD CODE verifyPurchase() method instead of the New Code method.

I think New Code will work fine for a real product, but not in a dummy product. But so far I have not tested the real product.

Let me look into this further: why they changed the code and what the purpose of the change is.

EDIT:

BuildConfig.DEBUG will also provide you with a test purchase solution.

In the verifyPurchase() method, I changed return false to:

    Log.e(TAG, "Purchase verification failed: missing data.");
    if (BuildConfig.DEBUG) {
        return true;
    }
    return false;

But you should know to use this only for testing.

This will return true if you have a debug build and no signature data. Since BuildConfig.DEBUG will be false in the release build, this should be OK. But it is better to remove this code after everything is debugged.

I edited some code in the verifyPurchase() method, check it below:

    public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
        if (signedData == null) {
            Log.e(TAG, "data is null");
            return false;
        }

        if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey)
                || TextUtils.isEmpty(signature)) {
            Log.e(TAG, "Purchase verification failed: missing data.");
            // Debug builds only: accept missing signature data so test purchases pass.
            if (BuildConfig.DEBUG) {
                Log.d("DeBUG", ">>>" + BuildConfig.DEBUG);
                return true;
            }
            return false;
        }

        PublicKey key = Security.generatePublicKey(base64PublicKey);
        return Security.verify(key, signedData, signature);
    }

I got this from GvS's answer on Android in-app billing purchase verification.

Hope this will be helpful to you.

+29
Oct 23 '13 at

I was the one who informed the Google security team about these security errors. Please be patient until I publicly disclose these errors, as I gave Google time to fix them. If no major sites write about this problem, I will disclose it with a working exploit on November 6th.

As you already looked at verifyPurchase(), the error should be obvious. If the specified signature is an empty string, the method still returns true (since it returns true by default).

+6
Oct 24 '13 at 16:42
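The difference between the two verifyPurchase() versions discussed in the answers above, as an added stand-alone example (not code from the posts or from the IabHelper sources). The class and helper names, the throwaway key pair, the constructed purchase string, the use of java.util.Base64 and the SHA1withRSA algorithm name are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added example: class and method names are hypothetical, not the IabHelper sources.
public class VerifyPurchaseDemo {

    // RSA signature check over the signed purchase data (SHA1withRSA is an assumption).
    static boolean verify(PublicKey key, String signedData, String signatureB64) {
        try {
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initVerify(key);
            sig.update(signedData.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(signatureB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed Base64 or signature: treat as not verified
        }
    }

    // Logic of the OLD CODE: verification is skipped when the signature is empty.
    static boolean verifyOld(PublicKey key, String signedData, String signature) {
        if (signedData == null) return false;
        if (signature != null && !signature.isEmpty()) {
            if (!verify(key, signedData, signature)) return false;
        }
        return true;
    }

    // Logic of the New code: any missing input fails closed.
    static boolean verifyNew(PublicKey key, String signedData, String signature) {
        if (key == null || signedData == null || signedData.isEmpty()
                || signature == null || signature.isEmpty()) return false;
        return verify(key, signedData, signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key
        String data = "{\"productId\":\"android.test.purchased\"}"; // constructed sample
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        String good = Base64.getEncoder().encodeToString(s.sign());
        System.out.println("old, valid signature: " + verifyOld(kp.getPublic(), data, good));
        System.out.println("old, empty signature: " + verifyOld(kp.getPublic(), data, ""));
        System.out.println("new, valid signature: " + verifyNew(kp.getPublic(), data, good));
        System.out.println("new, empty signature: " + verifyNew(kp.getPublic(), data, ""));
        System.out.println("new, tampered data:   " + verifyNew(kp.getPublic(), data + " ", good));
    }
}
```

The only row where the two versions disagree is the empty signature, which is the case the unsigned "android.test.purchased" response falls into.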
