Android in app billing v3, how to restore purchases safely?

Question

When the user buys a product, I use a webservice to verify the purchase,to protect from replay attacks, I add a (nonce) developer payload to the purchase. It works as expected.

But what about restoring transactions? I can get the signed data and signature and every other info from the local inventory(by calling queryPurchases() in IabHelper), but I can't set a new developer payload anywhere, so I can't verify it on my webservice.

How do I do a restore transactions safely?

Help would be greatly appreciated...

edit: should I just stick to iab v2 for restoring transactions?

Answer 1

As of this writing, the Google Play Billing Library sample App retrieves the developer payload for verification when querying for purchased items. The code looks like this:

// Listener that's called when we finish querying the items and subscriptions we own
IabHelper.QueryInventoryFinishedListener mGotInventoryListener = new IabHelper.QueryInventoryFinishedListener() {
    public void onQueryInventoryFinished(IabResult result, Inventory inventory) {
        Log.d(TAG, "Query inventory finished.");

        .
        .
        .

        // Do we have the premium upgrade?
        Purchase premiumPurchase = inventory.getPurchase(SKU_PREMIUM);
        mIsPremium = (premiumPurchase != null && verifyDeveloperPayload(premiumPurchase));
        Log.d(TAG, "User is " + (mIsPremium ? "PREMIUM" : "NOT PREMIUM"));

        .
        .
        .
}

Answer 2

So, as far as I know, this is an unresolved security issue which compromises the security of in app billing api v3. There is no way of securely (verifying with a webservice) restoring a purchase in in app billing api v3.