我为减少应用内购买欺诈行为做出的小小的贡献
在外部服务器上对您的 Android 代码进行签名验证:
在服务器上验证签名()
private boolean verifySignatureOnServer(String data, String signature) {
String retFromServer = "";
URL url;
HttpsURLConnection urlConnection = null;
try {
String urlStr = "https://www.example.com/verify.php?data=" + URLEncoder.encode(data, "UTF-8") + "&signature=" + URLEncoder.encode(signature, "UTF-8");
url = new URL(urlStr);
urlConnection = (HttpsURLConnection) url.openConnection();
InputStream in = urlConnection.getInputStream();
InputStreamReader inRead = new InputStreamReader(in);
retFromServer = convertStreamToString(inRead);
} catch (IOException e) {
e.printStackTrace();
} finally {
if (urlConnection != null) {
urlConnection.disconnect();
}
}
return retFromServer.equals("good");
}
转换流到字符串()
private static String convertStreamToString(java.io.InputStreamReader is) {
java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
return s.hasNext() ? s.next() : "";
}
验证.php在虚拟主机的根目录下
<?php
// get data param
$data = $_GET['data'];
// get signature param
$signature = $_GET['signature'];
// get key
$key_64 = ".... put here the base64 encoded pub key from google play console , all in one row !! ....";
$key = "-----BEGIN PUBLIC KEY-----\n".
chunk_split($key_64, 64,"\n").
'-----END PUBLIC KEY-----';
//using PHP to create an RSA key
$key = openssl_get_publickey($key);
// state whether signature is okay or not
$ok = openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
echo "good";
} elseif ($ok == 0) {
echo "bad";
} else {
die ("fault, error checking signature");
}
// free the key from memory
openssl_free_key($key);
?>
NOTES:
-
您应该对 java 代码中的 URL 进行加密,如果没有,可以通过在解压缩的应用程序 apk 中进行简单的文本搜索来轻松找到 URL
-
另外最好更改 php 文件名、url 参数、对一些没有意义的内容的好/坏响应。
-
verifySignatureOnServer() 应该在单独的线程中运行,如果主线程上没有网络,则会抛出异常。另一种选择是使用 Volley。
应用内结算库更新
使用该库,返回待验证的数据Purchase.getOriginalJson()
和签名Purchase.getSignature()
希望它会有所帮助...