am d9221826: am a6eaec81: am dd50e98c: am f634d6a2: am c0050433: Merge "docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447" into jb-mr1.1-docs
* commit 'd922182604836823b17e6e137a7757465d418848': docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447
This commit is contained in:
quddusc
@@ -19,6 +19,7 @@ parent.link=index.html
|
|||||||
<li><a href="#Subs">Implementing Subscriptions</a><li>
|
<li><a href="#Subs">Implementing Subscriptions</a><li>
|
||||||
</ol>
|
</ol>
|
||||||
</li>
|
</li>
|
||||||
|
<li><a href="#billing-security">Securing Your App</a>
|
||||||
</ol>
|
</ol>
|
||||||
<h2>Reference</h2>
|
<h2>Reference</h2>
|
||||||
<ol>
|
<ol>
|
||||||
@@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp",
|
|||||||
the user. Once a subscription expires without renewal, it will no longer appear
|
the user. Once a subscription expires without renewal, it will no longer appear
|
||||||
in the returned {@code Bundle}.</p>
|
in the returned {@code Bundle}.</p>
|
||||||
|
|
||||||
|
<h2 id="billing-security">Securing Your Application</h2>
|
||||||
|
|
||||||
|
<p>To help ensure the integrity of the transaction information that is sent to
|
||||||
|
your application, Google Play signs the JSON string that contains the response
|
||||||
|
data for a purchase order. Google Play uses the private key that is associated
|
||||||
|
with your application in the Developer Console to create this signature. The
|
||||||
|
Developer Console generates an RSA key pair for each application.<p>
|
||||||
|
|
||||||
|
<p class="note"><strong>Note:</strong>To find the public key portion of this key
|
||||||
|
pair, open your application's details in the Developer Console, then click on
|
||||||
|
<strong>Services & APIs</strong>, and look at the field titled
|
||||||
|
<strong>Your License Key for This Application</strong>.</p>
|
||||||
|
|
||||||
|
<p>The Base64-encoded RSA public key generated by Google Play is in binary
|
||||||
|
encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public
|
||||||
|
key that is used with Google Play licensing.</p>
|
||||||
|
|
||||||
|
<p>When your application receives this signed response you can
|
||||||
|
use the public key portion of your RSA key pair to verify the signature.
|
||||||
|
By performing signature verification you can detect responses that have
|
||||||
|
been tampered with or that have been spoofed. You can perform this signature
|
||||||
|
verification step in your application; however, if your application connects
|
||||||
|
to a secure remote server then we recommend that you perform the signature
|
||||||
|
verification on that server.</p>
|
||||||
|
|
||||||
|
<p>For more information about best practices for security and design, see <a
|
||||||
|
href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -143,7 +143,9 @@ does not include tax.</td>
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>{@code INAPP_DATA_SIGNATURE}</td>
|
<td>{@code INAPP_DATA_SIGNATURE}</td>
|
||||||
<td>String containing the signature of the purchase data that was signed with the private key of the developer.</td>
|
<td>String containing the signature of the purchase data that was signed
|
||||||
|
with the private key of the developer. The data signature uses the
|
||||||
|
RSASSA-PKCS1-v1_5 scheme.</td>
|
||||||
</tr>
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</p>
|
</p>
|
||||||
|
|||||||
@@ -853,37 +853,39 @@ sample application calls <code>checkAccess()</code> from a
|
|||||||
|
|
||||||
<h3 id="account-key">Embed your public key for licensing</h3>
|
<h3 id="account-key">Embed your public key for licensing</h3>
|
||||||
|
|
||||||
<p>For each publisher account, the Google Play service automatically
|
<p>For each application, the Google Play service automatically
|
||||||
generates a 2048-bit RSA public/private key pair that is used exclusively for
|
generates a 2048-bit RSA public/private key pair that is used for
|
||||||
licensing. The key pair is uniquely associated with the publisher account and is
|
licensing and in-app billing. The key pair is uniquely associated with the
|
||||||
shared across all applications that are published through the account. Although
|
application. Although associated with the application, the key pair is
|
||||||
associated with a publisher account, the key pair is <em>not</em> the same as
|
<em>not</em> the same as the key that you use to sign your applications (or derived from it).</p>
|
||||||
the key that you use to sign your applications (or derived from it).</p>
|
|
||||||
|
|
||||||
<p>The Google Play Developer Console exposes the public key for licensing to any
|
<p>The Google Play Developer Console exposes the public key for licensing to any
|
||||||
developer signed in to the publisher account, but it keeps the private key
|
developer signed in to the Developer Console, but it keeps the private key
|
||||||
hidden from all users in a secure location. When an application requests a
|
hidden from all users in a secure location. When an application requests a
|
||||||
license check for an application published in your account, the licensing server
|
license check for an application published in your account, the licensing server
|
||||||
signs the license response using the private key of your account's key pair.
|
signs the license response using the private key of your application's key pair.
|
||||||
When the LVL receives the response, it uses the public key provided by the
|
When the LVL receives the response, it uses the public key provided by the
|
||||||
application to verify the signature of the license response. </p>
|
application to verify the signature of the license response. </p>
|
||||||
|
|
||||||
<p>To add licensing to an application, you must obtain your publisher account's
|
<p>To add licensing to an application, you must obtain your application's
|
||||||
public key for licensing and copy it into your application. Here's how to find
|
public key for licensing and copy it into your application. Here's how to find
|
||||||
your account's public key for licensing:</p>
|
your application's public key for licensing:</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>Go to the Google Play <a
|
<li>Go to the Google Play <a
|
||||||
href="http://play.google.com/apps/publish">Developer Console</a> and sign in.
|
href="http://play.google.com/apps/publish">Developer Console</a> and sign in.
|
||||||
Make sure that you sign in to the account from which the application you are
|
Make sure that you sign in to the account from which the application you are
|
||||||
licensing is published (or will be published). </li>
|
licensing is published (or will be published). </li>
|
||||||
<li>In the account home page, locate the "Edit profile" link and click it. </li>
|
<li>In the application details page, locate the <strong>Services & APIs</strong>
|
||||||
<li>In the Edit Profile page, locate the "Licensing" pane, shown below. Your
|
link and click it. </li>
|
||||||
public key for licensing is given in the "Public key" text box. </li>
|
<li>In the <strong>Services & APIs</strong> page, locate the
|
||||||
|
<strong>Licensing & In-App Billing</strong> section. Your public key for
|
||||||
|
licensing is given in the
|
||||||
|
<strong>Your License Key For This Application</strong> field. </li>
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p>To add the public key to your application, simply copy/paste the key string
|
<p>To add the public key to your application, simply copy/paste the key string
|
||||||
from the text box into your application as the value of the String variable
|
from the field into your application as the value of the String variable
|
||||||
<code>BASE64_PUBLIC_KEY</code>. When you are copying, make sure that you have
|
<code>BASE64_PUBLIC_KEY</code>. When you are copying, make sure that you have
|
||||||
selected the entire key string, without omitting any characters. </p>
|
selected the entire key string, without omitting any characters. </p>
|
||||||
|
|
||||||
@@ -965,16 +967,6 @@ application that they have legitimately purchased on another device.</li>
|
|||||||
</ul>
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2 id="app-obfuscation">Obfuscating Your Code</h2>
|
<h2 id="app-obfuscation">Obfuscating Your Code</h2>
|
||||||
|
|
||||||
<p>To ensure the security of your application, particularly for a paid
|
<p>To ensure the security of your application, particularly for a paid
|
||||||
|
|||||||
@@ -16,7 +16,7 @@ restrict use of the application to a specific device, in addition to any other c
|
|||||||
|
|
||||||
<p>The licensing service is a secure means of controlling access to your applications. When an
|
<p>The licensing service is a secure means of controlling access to your applications. When an
|
||||||
application checks the licensing status, the Google Play server signs the licensing status
|
application checks the licensing status, the Google Play server signs the licensing status
|
||||||
response using a key pair that is uniquely associated with the publisher account. Your application
|
response using a key pair that is uniquely associated with the application. Your application
|
||||||
stores the public key in its compiled <code>.apk</code> file and uses it to verify the licensing
|
stores the public key in its compiled <code>.apk</code> file and uses it to verify the licensing
|
||||||
status response.</p>
|
status response.</p>
|
||||||
|
|
||||||
|
|||||||
@@ -186,7 +186,7 @@ licensing server, possibly because of network availability problems. </td>
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>{@code ERROR_SERVER_FAILURE}</td>
|
<td>{@code ERROR_SERVER_FAILURE}</td>
|
||||||
<td>Server error — the server could not load the publisher account's key
|
<td>Server error — the server could not load the application's key
|
||||||
pair for licensing.</td>
|
pair for licensing.</td>
|
||||||
<td>No</td>
|
<td>No</td>
|
||||||
<td></td>
|
<td></td>
|
||||||
|
|||||||
@@ -38,13 +38,13 @@ the licensing server and receives the result. The Google Play application sends
|
|||||||
the result to your application, which can allow or disallow further use of the
|
the result to your application, which can allow or disallow further use of the
|
||||||
application as needed.</p>
|
application as needed.</p>
|
||||||
|
|
||||||
<p class="note"><strong>Note:</strong> If a paid application has been uploaded to Google Play but
|
<p class="note"><strong>Note:</strong> If a paid application has been uploaded
|
||||||
saved only as a draft application (the app is unpublished), the licensing server considers all users
|
to Google Play, but saved only as a draft application (the app is
|
||||||
to be licensed users of the application (because it's not even possible to purchase the app).
|
unpublished), the licensing server considers all users to be licensed users of
|
||||||
This exception is necessary in order for you to perform testing of your licensing
|
the application (because it's not even possible to purchase the app). This
|
||||||
|
exception is necessary in order for you to perform testing of your licensing
|
||||||
implementation.</p>
|
implementation.</p>
|
||||||
|
|
||||||
|
|
||||||
<div class="figure" style="width:469px">
|
<div class="figure" style="width:469px">
|
||||||
<img src="{@docRoot}images/licensing_arch.png" alt=""/>
|
<img src="{@docRoot}images/licensing_arch.png" alt=""/>
|
||||||
<p class="img-caption"><strong>Figure 1.</strong> Your application initiates a
|
<p class="img-caption"><strong>Figure 1.</strong> Your application initiates a
|
||||||
@@ -102,10 +102,11 @@ response data using an RSA key pair that is shared exclusively between the Googl
|
|||||||
server and you.</p>
|
server and you.</p>
|
||||||
|
|
||||||
<p>The licensing service generates a single licensing key pair for each
|
<p>The licensing service generates a single licensing key pair for each
|
||||||
publisher account and exposes the public key in your account's profile page. You must copy the
|
application and exposes the public key in your application's
|
||||||
public key from the web site and embed it in your application source code. The server retains the
|
<strong>Services & APIs</strong> page in the Developer Console. You must copy
|
||||||
private key internally and uses it to sign license responses for the applications you
|
the public key from the Developer Console and embed it in your application
|
||||||
publish with that account.</p>
|
source code. The server retains the private key internally and uses it to sign
|
||||||
|
license responses for the applications you publish with that account.</p>
|
||||||
|
|
||||||
<p>When your application receives a signed response, it uses the embedded public
|
<p>When your application receives a signed response, it uses the embedded public
|
||||||
key to verify the data. The use of public key cryptography in the licensing
|
key to verify the data. The use of public key cryptography in the licensing
|
||||||
@@ -221,7 +222,7 @@ gives you wider distribution potential for your applications. </p>
|
|||||||
<p>Licensing lets you move to a license-based model that is enforceable on
|
<p>Licensing lets you move to a license-based model that is enforceable on
|
||||||
all devices that have access to Google Play. Access is not bound to the
|
all devices that have access to Google Play. Access is not bound to the
|
||||||
characteristics of the host device, but to your
|
characteristics of the host device, but to your
|
||||||
publisher account on Google Play (through the app's public key) and the
|
application on Google Play (through the app's public key) and the
|
||||||
licensing policy that you define. Your application can be installed and
|
licensing policy that you define. Your application can be installed and
|
||||||
managed on any device on any storage, including SD card.</p>
|
managed on any device on any storage, including SD card.</p>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user