Kalina

Reputation: 5594

How to securely verify a user's subscription to an Android app?

I know very little about security or servers, but am making an Android app that allows users to purchase an in-app subscription. As recommended, I want to use the Google Play Developer API and store the necessary data on my own server. However, I can't think of a way to do this without having a line in my code like

if(userIsSubscribed){
    //give access to purchased data
}

A hacker could obviously go in and just flip that to if(true). What should I do instead?

Upvotes: 0

Views: 178

Answers (1)

Nikolay Elenkov

Reputation: 52956

Obfuscate your app code as a minimum. Also do the subscription check on the server, before you send the content. That is one of the reasons they have a Web API.

Basically, anything the user (and potential cracker) has access to (i.e., your app) cannot be trusted. Things they don't have direct access to (i.e., your content server) can be trusted a bit more and it is a good idea to move all sensitive operations and/or data there, where possible.

Upvotes: 2
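
A sketch of the server-side check the answer describes, added here as an example and not code from the answer or from Google. The handler, the `purchase_token` request field and the `fetch_purchase` lookup are hypothetical names; the lookup stands in for a call to the Google Play Developer API and returns constructed records carrying the `expiryTimeMillis` field of a subscription purchase.

```python
import time

# Constructed sample data standing in for what the server would get back from
# the Google Play Developer API for each purchase token (values are made up).
SAMPLE_PLAY_RECORDS = {
    "token-active": {"expiryTimeMillis": "4102444800000"},   # year 2100
    "token-expired": {"expiryTimeMillis": "1262304000000"},  # year 2010
}

def fetch_purchase(purchase_token):
    """Hypothetical lookup; a real server would query the Play API here."""
    return SAMPLE_PLAY_RECORDS.get(purchase_token)

def is_entitled(record, now_ms):
    """True only if the store's record shows an unexpired subscription."""
    if not isinstance(record, dict):
        return False
    try:
        return int(record["expiryTimeMillis"]) > now_ms
    except (KeyError, TypeError, ValueError):
        return False  # malformed record: fail closed

def handle_content_request(request, now_ms=None, fetch=fetch_purchase):
    """Return (status, body). Content leaves the server only after the check."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    # Anything else the client sends (e.g. a "subscribed" flag) is ignored:
    # the app is attacker-controlled, so only the token is used, and only
    # as a key for the server's own lookup.
    token = request.get("purchase_token")
    if not isinstance(token, str) or not token:
        return 403, "subscription required"
    if not is_entitled(fetch(token), now_ms):
        return 403, "subscription required"
    return 200, "premium content"

if __name__ == "__main__":
    print(handle_content_request({"purchase_token": "token-active"}))
    print(handle_content_request({"subscribed": True}))
```

With this layout, flipping the `if` in the app only changes what the app asks for; the paid content is never sent unless the server's own lookup succeeds.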
