Unique String In-App Purchase on Android

Question

In Android Documentation there is this recommendation:

Security Recommendation: It’s good practice to pass in a string that helps your application to identify the user who made the purchase, so that you can later verify that this is a legitimate purchase by that user. For consumable items, you can use a randomly generated string, but for non-consumable items you should use a string that uniquely identifies the user.

What are the best practices to generate this string?

Answer 1

When the app is on its own, the best approach is to

• use the obfuscated Google Play LVL user id and, after a separator
• add a secure random information (aka nonce) and, depending on your needs,
• you can add additional info identifying e.g. the point in time

This way, you can

• associate LVL and IAB information and
• the IAB service responses are a bit more secure than they would be without the nonce

The following vulnerabilities remain:

• Having your app check LVL/IAB is insecure in general because the checks can in principle be overridden after reverse engineering.
• With the IAB nonce being set upon creation of the buy intent (rather than upon the validity request itself), there's no way to validate that the response you get does not come from a re-play attack.
• The IAB V3 information is cached inside the IAB service on the Android device, so it's not even guaranteed that you'll get the latest information; the service will silently pass cached information to the app if the device is offline or the service decides that the validity of the cached information needs not be re-validated right now.

The only way to further improve security is to use a server-based approach for LVL/IAB validation.