I use Unity IAP to handle purchases on Google Play. In our server logs for receipt verification, most of the verification errors are of the form:
“java.security.SignatureException: Signature length not correct: got 248 but was expecting 256”
All of these seem to have orderIDs in the old format (123456789.12132033121), even though the purchase dates are long after Google Play’s switch to the new format (“GPA-1231-2342-…”).
Searching for the orderIds in the Google Play Console’s order management tab returns no results for these orderIds.
So, it seems very likely that these are hacking attempts. But I couldn’t find much info about this kind of error online, so I wanted to make sure. I’m not sure why people would try to hack using the old-format orderIds either.
Any idea what’s going on?
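
An added example, not part of the original post: server-side triage that checks the decoded signature length against the RSA key size before calling `verify`, so a receipt with a 248-byte signature is recorded as rejected input instead of surfacing as a `SignatureException`. It assumes Google Play's SHA1withRSA receipt signatures; the class name, `check` method, result names and sample JSON are constructed for illustration, and a throwaway key pair stands in for the app's licensing key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Base64;

public class ReceiptTriage {
    enum Result { VALID, BAD_SIGNATURE, MALFORMED_SIGNATURE }

    // Classify a receipt; never treat an exception during verification as anything but a rejection.
    static Result check(RSAPublicKey key, String purchaseJson, String signatureB64)
            throws GeneralSecurityException {
        byte[] sig;
        try {
            sig = Base64.getDecoder().decode(signatureB64);
        } catch (IllegalArgumentException e) {
            return Result.MALFORMED_SIGNATURE;            // not valid Base64
        }
        // A genuine RSA signature is exactly as long as the key modulus (256 bytes for 2048 bits).
        int expected = (key.getModulus().bitLength() + 7) / 8;
        if (sig.length != expected) {
            return Result.MALFORMED_SIGNATURE;            // the "got 248 but was expecting 256" case
        }
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(key);
        verifier.update(purchaseJson.getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(sig) ? Result.VALID : Result.BAD_SIGNATURE;
        } catch (SignatureException e) {
            return Result.BAD_SIGNATURE;                  // provider rejected the encoding
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data: a locally generated key pair and a made-up purchase record.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        String json = "{\"orderId\":\"SAMPLE-ORDER\",\"productId\":\"sample.item\",\"purchaseState\":0}";

        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(json.getBytes(StandardCharsets.UTF_8));
        byte[] good = signer.sign();
        Base64.Encoder enc = Base64.getEncoder();

        System.out.println(check(pub, json, enc.encodeToString(good)));
        System.out.println(check(pub, json, enc.encodeToString(Arrays.copyOf(good, 248))));
        System.out.println(check(pub, json.replace("sample.item", "other.item"), enc.encodeToString(good)));
    }
}
```

Logging the three outcomes separately keeps malformed or forged submissions out of the error rate for genuine verification failures.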