I am developing an android app which offers in-app purchases. The content I want to sell is media files like images and audio files. I would like to implement a mechanism to download those files from an external server (maybe Google App Engine could be helpful) after the user has paid for a file.
My concerns are:
I want to make the mechanism independent of the amount of files I want to sell. This means that adding new content to the google play console should not require any update of my app.
How to protect any kind of URL on the device side that gives any clue about where the content is hosted?
Has anyone done something similar already? Could you please help me?
Note - my experience is with a previous version of Google's IAP. I assume what I say below still works but have yet to upgrade my app.
1) Have your application contact your server for the list of products for sale. Note that your play account will have to contain an entry for each element offered in order to give pricing and description information.
2) You cannot protect the URL. What you can do is protect the content. As part of the request to get the information, you should pass receipt information that can be verified at the server (see Google docs) before allowing access. Might also want to think about things like nonces and other security techniques to prevent replays.
Related
Background
I've written a game which I wish to run on multiple devices (tablets, phones, etc.). I've implemented an in-app currency, and have come to the stage where I need to store currency in the cloud so it can be accessed across devices and I can deal with conflicts etc.
I would like to go for the easiest option which, to me at least, means using some kind of available API provided, say, by Google, and not using my own server. I've come across the following possibilities:
Google AppState API (now deprecated)
Google Saved Games API
Google Drive API
Google Cloud Platform.
(1) is now deprecated and developers are directed to use the Saved Games API instead.
(2) actually seems to be a great solution because it deals with game Achievements, Leaderboards, and storage of custom data (such as in app currency). However, I see a problem with this in that in the Play Games App, there is an option to delete the player's profile, which would also delete in-game currency ! So, while (2) seems great, there is the possibility that currency data could be potentially deleted. Maybe this could be put in ther T&C's, something like "if you delete your profile you will lose any unspent currency and any purchased items"...
(3) Using the Drive API seems like an option, but then after reading online there seems to be many problems such as duplicate file names, potential for user to delete files, etc.
(4) I'm not sure about this option, but it looks like I may have to pay?
There also seems to be these deprecation schedules on some API's too.
My question
So faced with these (and possibly other not listed) options, what is a good solution to achieve cloud based in app currency? I am trying to avoid having my own server which records each user's currency/data, but maybe that's the only good solution? I want to try to reduce the ability to cheat the system.
Additional thoughts
I could use a Google Saved Games API and Saved Preferences (stored on the device) approach. I would update both Saved Preferences and Google Saved Games. I could keep both data storage methods synchronized, and if the Saved Games data did not match the Saved Preferences, then merge the Saved Prefs with the Saved Games data (e.g. set Saved Games and Saved Prefs to the maximum currency of either). This would enable me to keep a backup of currency on the device in case the user ever deleted their Saved Games profile. This would fail, however, if the user deleted their Saved Games profile, and removed the app from all devices... so many options...
Related/Interesting posts
Ricket's answer here is interesting.
Possible Compromise Solution
Due to the constraints imposed by the IAB systems and the API's available, I think I'm going to settle for this: use managed items for permanent purchases, e.g. different level themes, obtaining new characters, etc. That way these will always be available no matter what happens. Once they are purchased they are purchased forever, i.e. I will never consume these items. Have a separate virtual money (gem) system with a maximum of 100 gems say, which I keep track of through Saved Games. That way I get leaderboard/achievements too. If the player deletes their profile, that's their problem, but at least the core managed items will persist. Hopefully T&C's will cover the potential gem loss, and the maximum of 100 gems will hopefully help reduce any fall out.
You may want to checkout firebase one of its features is a real time database.
You may want to try Implementing In-app Billing. As mentioned in the documentation:
In-app Billing on Google Play provides a straightforward, simple interface for sending In-app Billing requests and managing In-app Billing transactions using Google Play.
Since, as you've also mentioned that you are trying to avoid having your own server to record your user's currency/data, it will be within your advantage. Here are a few advantages given in the documentation:
In-app billing relies on the Google Play application, which handles all communication between your application and the Google Play server. You just need to make your application request the proper permission to be able to use the Google Play application.
You can use the In-app Billing Version 3 API to track the ownership of purchased in-app products in Google Play.
You even have the option to secure your application because Google Play signs the JSON string that contains the response data for a purchase order to help ensure the integrity of the transaction information that is sent to your application.
Now, if you so decide to use in-app billing, may I suggest to please go through the given documentation and do take note of the important notes, cautions/warning and recommendations. I would also suggest that you read the In-app Billing Overview to familiarize yourself with concepts that will make it easier for you to implement In-app Billing.
Lastly, you may also add Security and Design as one of your references for more information about best practices for security and design. The suggestion in this SO post might also help.
I am building a website for a client that is promoting an App on Kickstarter. As one of the rewards this client wants to reward sponsors with in-app purchases. I have searched Apple and posted on other forums but I can't find out if this is possible and if it is possible, how it is done.
Thanks.
You need to implement a promo-code dialog inside your app to do that, then send promo-codes to your Kickstarter users.
I don't think It's possible.
Here's the only Google documentation I could find.
You could make the app free for a short period until all backers have their copy and then raise the price but non backers will be able to download it too.
It would be possible however to use the alpha/beta functionality in the Google Play store to release the app to backers who have joined specific circles setup by you. I don't know if Google would have a problem with you using it like this.
It might be possible to distribute the app outside of the Play Store but I suspect that will become a big support problem as users struggle to get the app installed and keep it up to date.
For iOS part we haven't this functionality with Store Kit. This framework was created to securely process payments from users. You don't need to work with payments. Just deliver some product or an extra functionality to user with promo code. Implement a dialogue in your app where user can enter his code, send this code to your server, check it and give an access for user, if code was right. That's all you need. After making the product available, your app needs to make a persistent record of the "purchase" like you do with normal in-app purchases.
I am working on an android app with in App products . I have read about different services like in app billing,in app querying purchased items. I was wondering If there is any service which I could store my in app products and distribute (App could downnload from there) from that.I am new to in app products and want to know if this was possible . Please help?
You can make use of APK Expansion Files to store some extra files that you can download it later on. Although it was not meant for this reason, but you might be able to store your in-app products in such expansion files and download it when needed (i.e. after purchase)
Google simply acts as the payment processor and lets you know when a payment is made, cancelled, or fully processed. Any further action on the purchase must be done by you, and Google does not provide any server to host the in app content specially. All of that must be done on your own server.
I'm working on a proof of concept app (which will hopefully grow) where users can purchase packs of images using the in-app purchase options on Android. My question is, where/how should the image packs being hosted? Is there a standard method for doing this? I've looked around and found nothing so far. The packs will each be fairly large (10-50mb) so I can't just include everything in the initial download.
Thank you for your time.
If I understand your question correctly, the digital content you have for purchase should be stored securely on a server which you host and control. Then when users purchase using your app (either directly from your website or via the Android Market with in-app billing), you then deliver the content after payment is made.
EDIT: I'm not aware of any out-of-the-box code but my preferred option is to have the app call a secure web service, posting credentials such as the payment reference, product purchased details and perhaps some secure details from your app which you can then validate on your server. Even if you're not going with Android in-app billing, they have an example and plenty of documentation which might help you devise your own solution.
I have a few questions connected to Android In-App Billing:
Is it possible to make a purchase from non-Market app? I understand that it would be a vulnerability, but I have no opportunity to find out if it's possible or not.
How can I get purchase state for a particular product? As far as I understand it can be done using RESTORE_TRANSACTIONS request, but it's not recommended to use very often. That's not a theoretical problem. My application allows users to buy content using in-app billing. Content can be downloaded from a server, and server must allow content downloading only if it was purchased. But it can't check if content was purchased or not without using signed response from Android Market.
How can I get price and description of an item from Android Market? Seems that I know the answer and it's "there's no way it can be done", but maybe I'm wrong. It would be very useful to have a possibility of retrieving item's price.
It's very interesting to me how you solved/are going to solve these problems in your apps. Answer to any of these questions will be appreciated.
In order:
1- Nope. The in-app billing process is part of Market. If the app comes from elsewhere, there's no way for Market to verify the origin/authenticity of the application.
2- It's your responsibility to store the purchase state for a particular product. From the doc:
You must set up a database or some other mechanism for storing users' purchase information.
RESTORE_TRANSACTIONS should be reserved for reinstalls or first-time installs on a device.
3- Unfortunately, at this time you're right. File a feature request!
In the meantime, one option is to set up a website with appengine, store listings of all your content & pricing there, and then manually sync prices listed on your appengine server with the updated prices in Market. Then have your Android app pull the data from the AppEngine server. This is much better than hardcoding price values into the app itself, since you don't need to have everyone update the app immediately to see accurate pricing whenever you change something. The only caveat of this method is that if the user is in a different country, in-app billing will display an approximated price in their native currency, and there's no way for you to determine exactly what price will be displayed to them.
Related, One of the Android Developer Advocates is giving a talk on LVL/IAP at IO, called "Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine." - It would definitely be worth your while to watch when they release the session videos on the website.