如何使用 Java (Servlet) 验证来自应用内计费 Android Market 的签名数据
在为Android应用程序实现应用内计费时,我遇到了一个问题。
让我先解释一下场景
我们有一个内容服务器(数据服务器),其中包含产品列表。
当用户从列表中选择一个时,他就可以购买它。
在我使用测试帐户输入信用卡详细信息后,购买逻辑完美运行。
作为回报,我在 Android 设备中获得了签名数据。
我的问题是
1.我是否必须验证Android设备中的签名数据,然后将一些信息或数据发送到内容服务器,内容服务器反过来发送产品(我认为这可能不好,因为没有服务器端的流程来验证请求是否有效或者更准确地说验证签名数据是否由 google market 生成)?
2. 如果我必须在服务器端验证数据,我该怎么做?我是否必须将其发送到 Google market(如果是,请使用哪种网络服务或 API)?
请帮我纠正这个问题。
提前致谢。
While implementing the in-app billing for Android application, I came across a problem.
Let me explain the scenario first
We have a content server (data server) which has the list of products.
When user selects one from the list, he can be able to purchase it.
The purchase logic runs perfectly after I put my credit card detail using my test account.
In returns I am getting a signed data in Android device.
My Question is
1. Should I have to verify the signed data in Android device and then send some information or the data to Content server, which in return sends the product (I think this may not be good since there is no flow at server side to verify that the request is valid or not or more precisely; that the signature data is generated by google market or not)?
2. If I have to verify the data at server side, how can I do this? Should I have to send it to Google market (if yes, using which web service or API)?
Please help me to rectify this.
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
对于第二个问题,对数据进行哈希(例如:MD5、SHA)并将哈希与数据一起发送到服务器。在服务器上,创建数据的哈希值并比较哈希值以验证它们。
For your second question, hash (eg: MD5, SHA) the data and send the hash along with the data to the server. At the server, create a hash of the data and compare the hashes to verify them.
要回答您的问题,您必须首先使用某种 ID 创建应用内产品,然后我会将其绑定到您服务器上的数据库中。然后使用 Web 服务查询数据库并查看应用内 ID 是否与产品数据库中的 ID 匹配。另外,您还可以使用安全 Nonces 和签名以验证。大多数情况下,您让 Google 处理产品,因此您必须根据数据库对应用内产品进行建模。如果您有太多产品,那么您将不得不以创建移动网站的标准方式来处理它......
编辑:
当您发出请求(即购买)时,您首先执行 REQUEST_PURCHASE,然后启动市场返回的 PendingIntent。然后,您可以处理 Market 发送的广播意图。您在请求中指定四个键,然后发出购买请求:
然后您必须使用 PendingIntent 来启动 checkoutUI(注意 1.6 到 2.0 的差异,其中 1.6 要求与 Activity 分开启动)。看一下 Google 示例中的 PurchasingObserver.java。
“Android Market 应用程序发送 RESPONSE_CODE 广播意图,该意图提供有关请求的错误信息。如果请求未生成错误,则 RESPONSE_CODE 广播意图返回 RESULT_OK,这表明请求已成功发送。(需要明确的是, RESULT_OK 响应并不表示请求的购买成功;它表示请求已成功发送到 Android Market。)
To answer your questions you have to first create the in-app product using some sort of ID that I would then tie into a database you have on your server. Using webservices then you query your db and see if the in-app id matches the ID in you product database. Plus on top that you can use the Security Nonces and Signatures to verify. Mostly you let Google handle the products and so you will hae to model the In-App products after your DB. If you have too many products then you will have to handle it a standard way of creating mobile website ....
EDIT:
Well when you make the request, i.e. purchase, you first do the REQUEST_PURCHASE then you launch the PendingIntent that is returned by the Market. Then you you handle the broadcasts intents that are sent by Market. You specify four keys in the request then make a purchase request:
Then you have to use the PendingIntent to launch the checkoutUI (careful of the 1.6 to 2.0 differences where 1.6 requires this be launched separate from the Activity). take a look at the PurchaseObserver.java in the Google examples.
"The Android Market application sends a RESPONSE_CODE broadcast intent, which provides error information about the request. If the request does not generate an error, the RESPONSE_CODE broadcast intent returns RESULT_OK, which indicates that the request was successfully sent. (To be clear, a RESULT_OK response does not indicate that the requested purchase was successful; it indicates that the request was sent successfully to Android Market.)"