Reputation: 47
I have an application published in the Google Play store; its name is PainterSVG, and its main purpose is to help SVG designers create/edit SVG vector images.
One item in the app is designed as a paid feature (use downloaded fonts), so the user needs to pay with Google in-app purchase to buy it. I designed all the in-app purchase code and tested it successfully.
One week ago, there was a sudden burst of purchases in a very short time, from the same user. The purchases' state all became Purchase.PurchaseState.PURCHASED. The raw data in JSON and the signature were all verified with my application's public key.
But in the Google Play store, there is no information on these purchases; they simply do not exist, and of course I have no income.
Here is one example purchase I logged:
Raw data: {"orderId":"1788684269051654849.8163737331748355","packageName":"p.svg","productId":"paintersvg_point_100","purchaseTime":1622106599816,"purchaseState":0,"purchaseToken":"kslypocwqdttgxzhetcdskic.AO-J1OXwNhKHOWYKxGAGFZvXgslNtkhqCrpQBaxvFSzgcuE-ZLLKCev_hpKJTGlFEFCsXkWuJOXswCzOvadVljYnHiJkIygNoxawFQPaKePZppvbRZZUNToExOfEycRjxTsulwPClSAi"}
Signature: bVYGfzqbt6uWKnmw5xSW5tQek+tSwP0GgUKXz6fNXBCmGEedUrffpKPOXaG2RyfVtYvICThcxumD7kVWNSVxvE9DBJrVDjo+ipTPB9hkYebVQKib1LMBFbSMTpaA9Av2ioP+T/pBQt2EuvRLKUpnZaz5C/2uX7OvOcJtjwYniH/I7oRHvNRBxD6R78Tp6DNySotp41XUwDPmeebC6A38PVM5MhtaY9czWNaa3j3OG7rPAp0j2V5nWsdmmahu8HqBxTyqWdfmf83m3oaHrTvH7vATaKJPMcXdm1aavYAsyHCPzhFGeglU7/KRgUCkzyZ8edcA81F/x9hUVC2QL+cdXw==
The raw data and signature can be verified as correct for my application, with my app's public key. Raw data and signature are logged only when the purchase state is PURCHASED. And all order IDs are different.
I have no idea what is happening here -- where are the orders from, and what was happening? Did the user actually pay? And pay many times? Should I refund him? Can anyone help me?
Thanks a lot!
Upvotes: 0
Views: 354
Reputation: 2143
What you're seeing are fraud attempts.
I won't put links here, but on Android a malicious user can patch the Play Store application in order to bypass In-App Purchase. So when the user tries to buy something, a fake (but valid) receipt is returned to your app, which thinks it's a valid one by default.
Fortunately, you don't trust the receipt as it is, and you verify it by calling the Google APIs, which don't know the receipt.
Example of fraud attempt
Here is an example we've seen recently at Purchasely (we manage In-App Purchases for apps, so we see this kind of thing A LOT):
All these fraud attempts were made by the same user.
As you can see:
Conclusion
Don't worry :)
Upvotes: 1
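Added example (not code from the question or from the Purchasely answer) of the server-side handling the answer describes, in Python: the local signature check is taken as an input flag, the Play Developer API lookup is injected as a callable so the code runs offline, and a second function flags the burst pattern from the question over a constructed log. The package name, order ids, tokens and the shape of Google's record are constructed placeholders.

```python
import json
from collections import defaultdict
from typing import Callable, Optional

# Values the server expects for this app. The real package name is not on the page,
# so this is a constructed placeholder; the product id is the one from the question.
EXPECTED_PACKAGE = "com.example.paintersvg"
KNOWN_PRODUCTS = {"paintersvg_point_100"}
PURCHASED = 0  # purchaseState value meaning Purchase.PurchaseState.PURCHASED

# (product_id, purchase_token) -> Google's record, or None if Google never issued the
# token. In production this wraps the Play Developer API purchases.products.get call;
# it is injected here (assumed record shape) so the example runs offline.
PlayLookup = Callable[[str, str], Optional[dict]]

def classify_receipt(raw_json: str, local_signature_ok: bool, play_lookup: PlayLookup) -> str:
    """Return 'accept', 'reject' or 'unknown_to_google' for one logged receipt.
    local_signature_ok is the result of checking the signature over raw_json with the
    app's public key. The question shows a forged receipt can pass that check, so it
    only gates the cheap field checks; Google's own record decides entitlement."""
    if not local_signature_ok:
        return "reject"
    try:
        r = json.loads(raw_json)
    except ValueError:
        return "reject"
    if r.get("packageName") != EXPECTED_PACKAGE or r.get("productId") not in KNOWN_PRODUCTS:
        return "reject"
    if r.get("purchaseState") != PURCHASED:
        return "reject"
    record = play_lookup(r["productId"], r.get("purchaseToken", ""))
    if record is None:
        return "unknown_to_google"  # locally valid, but no such order at Google: grant nothing
    return "accept" if record.get("purchaseState") == PURCHASED else "reject"

def burst_users(receipts, window_ms=60_000, threshold=5):
    """Users with >= threshold PURCHASED receipts inside any window_ms span."""
    times_by_user = defaultdict(list)
    for user, raw in receipts:
        r = json.loads(raw)
        if r.get("purchaseState") == PURCHASED:
            times_by_user[user].append(int(r["purchaseTime"]))
    flagged = []
    for user, times in times_by_user.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window_ms
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)

# Constructed sample log: "u1" produces six receipts in six seconds, "u2" a single one.
def _receipt(order, token, t):
    return json.dumps({"orderId": order, "packageName": EXPECTED_PACKAGE,
                       "productId": "paintersvg_point_100", "purchaseTime": t,
                       "purchaseState": 0, "purchaseToken": token})
SAMPLE_LOG = [("u1", _receipt(f"order-{i}", f"tok-{i}", 1622106599816 + i * 1000)) for i in range(6)]
SAMPLE_LOG.append(("u2", _receipt("order-x", "tok-x", 1622106700000)))
GOOGLE_KNOWS = {("paintersvg_point_100", "tok-x"): {"purchaseState": 0}}  # constructed Google-side view
def sample_lookup(product_id, token):
    return GOOGLE_KNOWS.get((product_id, token))
```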