Andrei F

Reputation: 4394

Android billing - Testing purchases with android.test.purchased in production/alpha/beta

I'm using Google Play billing API (v3) and I'm testing in-app purchases with sku=android.test.purchased. To do this, I have modified the method Security.verifyPurchase from the helper classes like this:

public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature, String sku) {
    if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey) || TextUtils.isEmpty(signature)) {
        Log.e(TAG, "Purchase verification failed: missing data.");
        // Modified branch: accepts the static test SKU (or any SKU in a debug build)
        // without a signature, so no verification happens for these cases.
        if ("android.test.purchased".equals(sku) || BuildConfig.DEBUG) {
            Log.e(TAG, "This was a test purchase");
            return true;
        }
        return false;
    }

    // Normal path: check the RSA signature over the purchase data with the licensing key.
    PublicKey key = Security.generatePublicKey(base64PublicKey);
    return Security.verify(key, signedData, signature);
}

My code is a little different from that in the tutorials I've found: I added this:

"android.test.purchased".equals(sku)

Initially, only the verification for BuildConfig.DEBUG was added, but I needed to give testing users the possibility to buy products quickly, without adding their payment data.

My question is: is there a big security problem if I use this code in my production app (or is it OK just for alpha / beta)?

Upvotes: 1

Views: 1321

Answers (1)

sergej shafarenka

Reputation: 20406

This modification is definitely not OK for the production version because it disables response verification. If an attacker provides no base64PublicKey, signedData or signature, and the test sku you have in your code, then your app will allow in-app features to be used in production without actually paying for them.

If in the DEBUG version you want to allow all SKUs, just remove your check. If you want to allow your sku only, use the && operator or the code below.

if (BuildConfig.DEBUG) {
    Log.e(TAG, "This was a test purchase");
    // Debug builds only: accept missing data solely for the static test SKU.
    return "android.test.purchased".equals(sku);
}

Upvotes: 2
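To make the difference between the two branches concrete, here is an added, self-contained Java example (not code from the question, the answer, or Google's helper classes). It re-implements the `generatePublicKey` / `verify` helpers with the JDK's `SHA1withRSA`, which is the scheme the v3 helper uses, and replaces `BuildConfig.DEBUG` with a `debugBuild` parameter so both build flavours can be exercised in one run; the key pair and purchase JSON are constructed in-process and are not real Play data.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class PurchaseVerifier {
    static final String TEST_SKU = "android.test.purchased";
    // Mirrors Security.generatePublicKey: the licensing key is Base64 X.509 SubjectPublicKeyInfo.
    static PublicKey generatePublicKey(String base64PublicKey) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(base64PublicKey);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
    // Mirrors Security.verify: Play signs the purchase JSON with SHA1withRSA.
    static boolean verify(PublicKey key, String signedData, String signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(key);
        sig.update(signedData.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(signature));
    }
    static boolean isEmpty(String s) { return s == null || s.isEmpty(); }
    // Hardened check: missing data is accepted only for the static test SKU, and only
    // in a debug build; a release build always requires a valid signature.
    static boolean verifyPurchase(String base64PublicKey, String signedData,
                                  String signature, String sku, boolean debugBuild) {
        if (isEmpty(base64PublicKey) || isEmpty(signedData) || isEmpty(signature)) {
            return debugBuild && TEST_SKU.equals(sku);
        }
        try {
            return verify(generatePublicKey(base64PublicKey), signedData, signature);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed Base64 or key: treat as unverified
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Play licensing key pair; not a real Play key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String pub = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
        String purchase = "{\"productId\":\"premium\",\"purchaseState\":0}"; // constructed payload
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(purchase.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getEncoder().encodeToString(signer.sign());
        System.out.println("signed release purchase: " + verifyPurchase(pub, purchase, sig, "premium", false));
        System.out.println("unsigned test SKU, release: " + verifyPurchase(pub, purchase, "", TEST_SKU, false));
        System.out.println("unsigned test SKU, debug: " + verifyPurchase(pub, purchase, "", TEST_SKU, true));
        System.out.println("tampered data, release: " + verifyPurchase(pub, purchase + " ", sig, "premium", false));
    }
}
```

The last two release-mode calls are the cases the answer warns about: an unsigned response for the test SKU and a modified payload are both rejected once the test-SKU shortcut is confined to debug builds.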
