Google purchase server side verification?

So I am using PHP and MySQL for my Android mobile game, released recently.

I want to implement server-side Google purchase receipt verification to block malicious users (the Freedom hack).

So when a user completes a purchase (I am using the OpenIAB plugin), this function is called in my Unity client:

private void OnPurchaseSucceded(Purchase purchase)
{
    StartCoroutine(VerifyReceiptCo(purchase));
}

There I start the verification:

IEnumerator VerifyReceiptCo(Purchase purchase)
{
    // Post the raw INAPP_PURCHASE_DATA JSON and its signature, untouched, to the server.
    // The signature only matches the exact bytes Google returned, so do not re-serialize the JSON.
    WWWForm hsFm = new WWWForm();
    hsFm.AddField("data", purchase.OriginalJson);
    hsFm.AddField("signature", purchase.Signature);
    WWW hs = new WWW(verifyURL, hsFm);
    yield return hs;
    Debug.Log("verify result is " + hs.text);
    // The server answers with exactly "true" or "false". Compare exactly instead of
    // Contains("true"), which would also accept any error message that happens to contain "true".
    if (string.IsNullOrEmpty(hs.error) && hs.text.Trim() == "true")
    {
        GiveItem(purchase);
    }
    else
    {
        // Was Debug.log (lowercase), which does not compile.
        Debug.Log(string.IsNullOrEmpty(hs.error) ? hs.text : hs.error);
    }
}

So my question is, is this the right way?
I tested with an actual phone and a tester Google account, but it fails.

And is this part ["data", purchase.OriginalJson] right or wrong?

Thanks.

Hi, receipt verification is an optional step in the purchase process. If you are receiving the OnPurchaseSucceeded callback on your device when making a purchase, that at least gives you a good indication that you have Google IAB configured correctly and are able to make purchases.

For verification, Google behaves a bit differently from some other IAP providers. Namely, the entire verification process occurs on your own server - you never call out to one of Google’s servers. This reduces complexities in one way (keeping it all on your server), but increases complexity elsewhere (you need to do some cryptography and byte manipulation).

I found this blog post to be very helpful when implementing my verification server: http://mrtn.me/blog/2012/11/15/checking-google-play-signatures-on-net/. I did mine in C#, but this snippet on GitHub seems like a good method for PHP: Google Play PHP Receipt Validation · GitHub

The general process is this:

  • Send your public key, JSON, and signature to your server.
  • Convert the public key into a cryptographic format, using RSACryptoServiceProvider (C#) or OpenSSL (PHP).
  • Convert the JSON data to a UTF-8 byte array.
  • Convert the signature from a Base64 string to a byte array.
  • Pass all of this into RSACryptoServiceProvider (C#) or OpenSSL (PHP).
  • The returned value is true or false, depending on whether the purchase is valid or not.

Good luck!
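The procedure in the answer above, written out as a PHP script. This is an added example, not the answerer's C# server, the linked gist, or OpenIAB code. It assumes PHP 7 or later with the openssl extension; the package name and product ID constants are placeholders. Two design choices differ from the bullet list: the Play Console public key is kept as a server-side constant rather than sent by the client (a client that can choose the key can sign its own receipts), and after the signature passes the script also checks the fields inside the JSON, since a valid signature only proves Google produced the receipt, not that it is for this app, this product, or a purchase that is still in the purchased state. Because a real Google key and signature cannot be embedded, the self-test at the bottom stands in for Google with a throwaway RSA key pair (constructed data, labelled as such).

```php
<?php
// Added example: server-side verification of a Google Play receipt as posted by the
// Unity client above ("data" = raw INAPP_PURCHASE_DATA JSON, "signature" = Base64
// RSASSA-PKCS1-v1_5 signature with SHA-1 over the JSON bytes).

const EXPECTED_PACKAGE = 'com.example.mygame';   // assumption: your app's package name
const EXPECTED_PRODUCT = 'gold_pack_100';        // assumption: the SKU being granted

// The Play Console shows the key as one Base64 line (DER SubjectPublicKeyInfo).
// OpenSSL wants PEM armor around it.
function google_public_key_to_pem(string $base64Key): string {
    return "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split($base64Key, 64, "\n")
        . "-----END PUBLIC KEY-----\n";
}

function verify_signature(string $base64PublicKey, string $json, string $base64Signature): bool {
    $key = openssl_pkey_get_public(google_public_key_to_pem($base64PublicKey));
    if ($key === false) {
        throw new RuntimeException('Could not load Google Play public key');
    }
    // Strict decoding rejects characters outside the Base64 alphabet instead of skipping them.
    $signature = base64_decode($base64Signature, true);
    if ($signature === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error). Only 1 counts as valid.
    return openssl_verify($json, $signature, $key, OPENSSL_ALGO_SHA1) === 1;
}

// Returns ['ok' => bool, ...]. Signature first; the JSON is untrusted until it passes.
function verify_receipt(string $base64PublicKey, string $json, string $base64Signature): array {
    if (!verify_signature($base64PublicKey, $json, $base64Signature)) {
        return ['ok' => false, 'reason' => 'bad signature'];
    }
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return ['ok' => false, 'reason' => 'malformed JSON'];
    }
    if (($data['packageName'] ?? '') !== EXPECTED_PACKAGE) {
        return ['ok' => false, 'reason' => 'wrong package'];
    }
    if (($data['productId'] ?? '') !== EXPECTED_PRODUCT) {
        return ['ok' => false, 'reason' => 'wrong product'];
    }
    // purchaseState: 0 = purchased, 1 = canceled, 2 = refunded.
    if (($data['purchaseState'] ?? -1) !== 0) {
        return ['ok' => false, 'reason' => 'not in purchased state'];
    }
    // Replay protection belongs here: store orderId (or purchaseToken) in MySQL and
    // reject the receipt if it has been redeemed before.
    return ['ok' => true, 'orderId' => $data['orderId'] ?? null];
}

// --- Constructed self-test: a throwaway key pair plays the role of Google's signing key ---
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pubPem = openssl_pkey_get_details($priv)['key'];
// Strip the armor so the key looks like the one-line Base64 string from the Play Console.
$base64Key = str_replace(['-----BEGIN PUBLIC KEY-----', '-----END PUBLIC KEY-----', "\n", "\r"], '', $pubPem);

$receipt = json_encode([
    'orderId'       => 'GPA.0000-0000-0000-00000',   // constructed sample values
    'packageName'   => EXPECTED_PACKAGE,
    'productId'     => EXPECTED_PRODUCT,
    'purchaseTime'  => 1400000000000,
    'purchaseState' => 0,
    'purchaseToken' => 'constructed-token',
]);
openssl_sign($receipt, $sig, $priv, OPENSSL_ALGO_SHA1);
$b64Sig = base64_encode($sig);

$genuine = verify_receipt($base64Key, $receipt, $b64Sig);
echo 'genuine receipt: ', ($genuine['ok'] ? 'accepted' : 'rejected (' . $genuine['reason'] . ')'), "\n";

// What a hacked client does: edit the JSON but reuse the old signature. One changed byte fails.
$tampered = str_replace('"purchaseState":0', '"purchaseState":1', $receipt);
$forged = verify_receipt($base64Key, $tampered, $b64Sig);
echo 'tampered receipt: ', ($forged['ok'] ? 'accepted' : 'rejected (' . $forged['reason'] . ')'), "\n";
```

In the real endpoint, pass `$_POST['data']` and `$_POST['signature']` into `verify_receipt` unchanged and print `true` only when `ok` is set, so the client's exact-match check works. Two caveats worth more than the signature check itself: serve the endpoint over HTTPS and record the grant (keyed by orderId) on the server, because a client that trusts a bare "true" in the response body can be fed that string by a proxy just as easily as Freedom feeds it fake receipts; and run the verification on the exact bytes the client received from Google, since re-encoding the JSON (key order, whitespace, Unicode escaping) changes the signed message and makes a genuine receipt fail.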

Hi, thanks for the reply. I already solved my problem and read all the links you gave and others found by googling. So the answer is: my way is right, and passing [purchase.OriginalJson] as this parameter to PHP is also right. And on the PHP side there is a lot of code on the internet; your link is one of them too.