I am implementing in-app billing into an Android game and we want to use a server to store the purchase information.
According to what I understood so far, Android Market will return a callback to the app in the form of Broadcast receiver about the purchase status. But since we are persisting the transaction information on the server, my app has to make some http post request and update my server. There is a very high chance that this http post request could be imitated by some hacker manually. How do I validate that Android market receipt information from my server code?
Is there any Google checkout callback to my server available? Or is there a way to validate the IAB response provided by the http client is genuine and it is a purchase done in my app only!
On the Apple IOS IAP process, they have a validate web API @ https://sandbox.itunes.apple.com/verifyReceipt for which we can pass
req.method = URLRequestMethod.POST;
req.data = "{\"receipt-data\" : \""+ t.receipt +"\"}";
and it says if the receipt is proper or not. Do we have something like that for Android?
Update: You can use the getPurchases()
method to retrieve "un-consumed" purchases, as explained in the developer docs:
http://developer.android.com/google/play/billing/billing_reference.html#getPurchases
Original Answer (now out of date)
The Google Checkout API is deprecated. You should now use the Purchase Status API.
If you plan to use the Purchase Status API, the link above mentions these limitations: