Jorge Moreira

Reputation: 95

Do I need to verify Android in-app billing server side?

I want to implement Google Play In-app Billing v3 in an Android app so that the user can buy an item to remove ads. After the user buys this item, ads must not be displayed on any device logged into his/her Google account. As this app does not provide user accounts, I don't have a unique user identifier.

Do I need to store and validate purchases on my server or can I just rely on the Google Play In-app Billing library?

Upvotes: 2

Views: 1772

Answers (3)

Cícero Moura

Reputation: 2323

I think it is important if you have a multi-platform app.

After all, if you have subscription products, you should provide the features on any platform, right?

For example, if you have an app on the App Store, you could use the Google Console Developer API to check the purchase when the user purchased it on Android.

The same could be done on Android. If the user made the subscription on the App Store, you could use the App Store Connect API to check the purchase.

You can use Firebase to store the user purchase data (as purchase token), and use Firebase Auth to authenticate users on both platforms.

Use Firestore to store this kind of data.

Upvotes: 0

stuckedunderflow

Reputation: 3767

Yes, for querying the purchase you don't need your own server. But for an extra layer of security protection, you should have one.

As described here: Security and Design Best Practice

So you should perform signature verification on your own server. And you could put the developer payload string on your own server too.

Upvotes: 0
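The server-side signature verification and developer payload check mentioned in the answer above, as an added example that is not part of any answer on this page. It assumes a Node.js backend; the function names, package name, product ID, payload value and the locally generated key pair are constructed stand-ins, and in production the key is the app's Base64-encoded public key from the Play Console.

```javascript
// Added example: server-side check of an In-app Billing v3 purchase.
const crypto = require('crypto');

// base64PublicKey: Base64 of an X.509 SubjectPublicKeyInfo DER key.
// signedData: the purchase JSON string exactly as the client received it.
// signatureB64: the Base64 signature delivered alongside that string.
// expected: values the server already knows (hypothetical shape).
function verifyPurchase(base64PublicKey, signedData, signatureB64, expected) {
  let valid = false;
  try {
    const key = crypto.createPublicKey({
      key: Buffer.from(base64PublicKey, 'base64'), format: 'der', type: 'spki',
    });
    // IAB v3 signatures are RSA PKCS#1 v1.5 with SHA-1 (SHA1withRSA).
    valid = crypto.verify('sha1', Buffer.from(signedData, 'utf8'), key,
                          Buffer.from(signatureB64, 'base64'));
  } catch (e) {
    valid = false; // malformed key or signature is treated as a failed check
  }
  if (!valid) return null;

  // Parse only after the signature over the raw string has been checked.
  let purchase;
  try { purchase = JSON.parse(signedData); } catch (e) { return null; }

  if (purchase.packageName !== expected.packageName) return null;
  if (purchase.productId !== expected.productId) return null;
  if (purchase.purchaseState !== 0) return null; // 0 = purchased
  // The payload is compared with the value the server stored for this purchase.
  if (purchase.developerPayload !== expected.developerPayload) return null;
  return purchase;
}

// Constructed sample: a local key pair stands in for the Play signing key.
function makeSample() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const data = JSON.stringify({
    orderId: 'SAMPLE-ORDER-0001', packageName: 'com.example.app',
    productId: 'remove_ads', purchaseTime: 1400000000000, purchaseState: 0,
    developerPayload: 'nonce-123', purchaseToken: 'sample-token',
  });
  const signature =
    crypto.sign('sha1', Buffer.from(data, 'utf8'), privateKey).toString('base64');
  const key = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { key, data, signature };
}
```

A `null` result means the purchase should not be honoured; a returned object has passed the signature, package, product, state and payload checks.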

tomrozb

Reputation: 26251

Purchased items are linked to the Google account used during the purchase. You don't need a server to implement ads removal premium purchase.

Once the user purchases the item, IAB keeps track of it and syncs it across all devices the user is logged in to. The most important thing is to NOT consume the item once it has been purchased.

Upvotes: 1
