Releasing promo codes for in-app purchases seems like it will prevent an app from (ever again) performing remote server purchase verification!

When a promo code is used for an in-app purchase (the PURCHASES_UPDATED broadcast), it will completely bypass the purchase flow, so the app has no chance to supply a "developerPayload", used for remote verification.

Later, when the app calls getPurchases() to get/verify owned products, the purchase data for promo purchases won't contain a "developerPayload" of course, but neither will it contain an "orderId", also useful for remote verification using the Google Play Developer API.

How is an app supposed to verify in-app purchases made with promo codes?

Allowing users to redeem promo codes through the Google Play Store app/site, thus bypassing the purchase flow, seems like a major oversight which shouldn't be possible.

ballzak
  • Simple workaround, if I understand what you are asking: get the user to uninstall your app, place the promo code in the redeem section of play store, and that will reinstall the app with the feature. I assume that you are going to give promo codes to new users, so this would be an edge case issue. – Avi Parshan Feb 02 '17 at 10:15

1 Answer

This is indeed a known security issue on Google's side, so I am going to suggest a workaround.

Along with the promo code, provide the users with a server id generated by your server; when getting a promo purchase, validate the server id and accept the purchase just once.

When using it from the market, send the id with the referrer. When using it from the app, have your own logic to provide the server id.

Bottom line: there is no other solution but to somehow identify the users with some sort of id.

Ilya Gazman
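The following is an added example of the server-side acceptance logic the answer describes; it is not code from the question, the answer, or Google's billing library. It assumes a design where the developerPayload handed to the app before a normal purchase is an HMAC over the user id and SKU, where promo redemptions (which arrive with neither developerPayload nor orderId) must instead present a server-issued promo id that is accepted exactly once, and where that id reaches the server either from the app or from a Play Store install-referrer query parameter named promo_id (the parameter name is an assumption). All stores are in-memory and the purchase records are constructed for the demo; a real service would persist the state and would additionally check the purchaseToken against the Google Play Developer API.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs


class PurchaseVerifier:
    """Server-side acceptance of in-app purchases reported by getPurchases().

    Two paths:
      * normal store purchases carry the developerPayload the server handed the
        app before it launched the billing flow (here an HMAC over user id + SKU);
      * promo-code purchases carry neither developerPayload nor orderId, so the
        client must present a server-issued promo id instead, accepted once.
    In-memory stores are an assumption for the example; a real service persists them.
    """

    def __init__(self, payload_key: bytes):
        self._key = payload_key        # HMAC key for developerPayload (assumed design)
        self._issued = {}              # promo id -> SKU it was issued for
        self._redeemed = set()         # promo ids already consumed
        self._seen_tokens = set()      # purchaseTokens already accepted (replay guard)

    def make_developer_payload(self, user_id: str, sku: str) -> str:
        """Value the app passes as developerPayload when starting a normal purchase."""
        msg = f"{user_id}|{sku}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_promo_id(self, sku: str) -> str:
        """Unguessable id handed out alongside a promo code for the given SKU."""
        pid = secrets.token_urlsafe(16)
        self._issued[pid] = sku
        return pid

    def verify(self, purchase: dict, user_id: str,
               promo_id: Optional[str] = None) -> Tuple[bool, str]:
        """Accept or reject one purchase record from INAPP_PURCHASE_DATA_LIST."""
        sku = purchase.get("productId")
        token = purchase.get("purchaseToken")
        if not sku or not token:
            return False, "missing productId or purchaseToken"
        if token in self._seen_tokens:
            return False, "purchaseToken already accepted"

        payload = purchase.get("developerPayload")
        if payload:
            expected = self.make_developer_payload(user_id, sku)
            if not hmac.compare_digest(payload, expected):
                return False, "developerPayload does not match this user/SKU"
            self._seen_tokens.add(token)
            return True, "store purchase"

        # No developerPayload is only acceptable for promo redemptions, which
        # also lack orderId; a record with an orderId but no payload is suspicious.
        if purchase.get("orderId"):
            return False, "orderId present but developerPayload missing"
        if promo_id is None:
            return False, "promo purchase without a server-issued id"
        if self._issued.get(promo_id) != sku:
            return False, "unknown promo id or wrong SKU"
        if promo_id in self._redeemed:
            return False, "promo id already redeemed"
        self._redeemed.add(promo_id)
        self._seen_tokens.add(token)
        return True, "promo purchase"


def promo_id_from_referrer(referrer: str) -> Optional[str]:
    """Extract the server id from a Play Store install-referrer string.

    The referrer is a URL query string; the promo_id parameter name is assumed.
    """
    values = parse_qs(referrer).get("promo_id")
    return values[0] if values else None


if __name__ == "__main__":
    verifier = PurchaseVerifier(b"server-side-secret")  # constructed key
    pid = verifier.issue_promo_id("premium")
    # Constructed purchase records shaped like getPurchases() output.
    store = {"productId": "premium", "purchaseToken": "tok-1", "orderId": "GPA.0000",
             "developerPayload": verifier.make_developer_payload("user-1", "premium")}
    promo = {"productId": "premium", "purchaseToken": "tok-2"}
    print(verifier.verify(store, "user-1"))
    print(verifier.verify(promo, "user-2"))
    print(verifier.verify(promo, "user-2", promo_id_from_referrer(f"utm_source=mail&promo_id={pid}")))
    print(verifier.verify(dict(promo, purchaseToken="tok-3"), "user-3", pid))
```

The replay guard on purchaseToken matters as much as the one-time promo id: without it, a client could re-submit the same promo record and have it counted again.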