am a6eaec81: am dd50e98c: am f634d6a2: am c0050433: Merge "docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447" into jb-mr1.1-docs
* commit 'a6eaec812f1d0d2d551d0d98b67bb22cfc26c31a': docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447
@@ -19,6 +19,7 @@ parent.link=index.html
<li><a href="#Subs">Implementing Subscriptions</a><li>
</ol>
</li>
<li><a href="#billing-security">Securing Your App</a>
</ol>
<h2>Reference</h2>
<ol>
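Review bot: the new nav entry reads "Securing Your App" while the heading it links to, added in this same commit, is "Securing Your Application"; use one wording in both places. The new `<li>` also has no closing `</li>`, and the sibling line above it ends in `<li>` where `</li>` is intended, so the list nests incorrectly after this change.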
@@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp",
the user. Once a subscription expires without renewal, it will no longer appear
in the returned {@code Bundle}.</p>

<h2 id="billing-security">Securing Your Application</h2>

<p>To help ensure the integrity of the transaction information that is sent to
your application, Google Play signs the JSON string that contains the response
data for a purchase order. Google Play uses the private key that is associated
with your application in the Developer Console to create this signature. The
Developer Console generates an RSA key pair for each application.<p>

<p class="note"><strong>Note:</strong>To find the public key portion of this key
pair, open your application's details in the Developer Console, then click on
<strong>Services & APIs</strong>, and look at the field titled
<strong>Your License Key for This Application</strong>.</p>

<p>The Base64-encoded RSA public key generated by Google Play is in binary
encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public
key that is used with Google Play licensing.</p>

<p>When your application receives this signed response you can
use the public key portion of your RSA key pair to verify the signature.
By performing signature verification you can detect responses that have
been tampered with or that have been spoofed. You can perform this signature
verification step in your application; however, if your application connects
to a secure remote server then we recommend that you perform the signature
verification on that server.</p>

<p>For more information about best practices for security and design, see <a
href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p>





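Review bot: `Developer Console generates an RSA key pair for each application.<p>` closes the paragraph with `<p>` instead of `</p>`, and `<strong>Note:</strong>To find` is missing a space after the colon. On substance, the section tells readers to verify the signature but never says which scheme to verify against; the `INAPP_DATA_SIGNATURE` row changed in this same commit names RSASSA-PKCS1-v1_5, so state it here as well (with the digest algorithm, if it is documented), since a server-side verifier has to be configured with it. The sentence "is in binary encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format" would read better as "is the DER-encoded X.509 SubjectPublicKeyInfo structure, Base64-encoded".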
@@ -143,7 +143,9 @@ does not include tax.</td>
</tr>
<tr>
<td>{@code INAPP_DATA_SIGNATURE}</td>
<td>String containing the signature of the purchase data that was signed with the private key of the developer.</td>
<td>String containing the signature of the purchase data that was signed
with the private key of the developer. The data signature uses the
RSASSA-PKCS1-v1_5 scheme.</td>
</tr>
</table>
</p>

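Review bot: "signed with the private key of the developer" is misleading now that this same commit states elsewhere that Google Play generates the key pair and keeps the private key hidden from all users; say "signed with the private key of the application's licensing key pair, which Google Play holds". Naming RSASSA-PKCS1-v1_5 without the hash algorithm still leaves the verification under-specified; add the digest if it is known.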
@@ -853,37 +853,39 @@ sample application calls <code>checkAccess()</code> from a
<h3 id="account-key">Embed your public key for licensing</h3>

<p>For each publisher account, the Google Play service automatically
generates a 2048-bit RSA public/private key pair that is used exclusively for
licensing. The key pair is uniquely associated with the publisher account and is
shared across all applications that are published through the account. Although
associated with a publisher account, the key pair is <em>not</em> the same as
the key that you use to sign your applications (or derived from it).</p>
<p>For each application, the Google Play service automatically
generates a 2048-bit RSA public/private key pair that is used for
licensing and in-app billing. The key pair is uniquely associated with the
application. Although associated with the application, the key pair is
<em>not</em> the same as the key that you use to sign your applications (or derived from it).</p>

<p>The Google Play Developer Console exposes the public key for licensing to any
developer signed in to the publisher account, but it keeps the private key
developer signed in to the Developer Console, but it keeps the private key
hidden from all users in a secure location. When an application requests a
license check for an application published in your account, the licensing server
signs the license response using the private key of your account's key pair.
signs the license response using the private key of your application's key pair.
When the LVL receives the response, it uses the public key provided by the
application to verify the signature of the license response. </p>

<p>To add licensing to an application, you must obtain your publisher account's
<p>To add licensing to an application, you must obtain your application's
public key for licensing and copy it into your application. Here's how to find
your account's public key for licensing:</p>
your application's public key for licensing:</p>

<ol>
<li>Go to the Google Play <a
href="http://play.google.com/apps/publish">Developer Console</a> and sign in.
Make sure that you sign in to the account from which the application you are
licensing is published (or will be published). </li>
<li>In the account home page, locate the "Edit profile" link and click it. </li>
<li>In the Edit Profile page, locate the "Licensing" pane, shown below. Your
public key for licensing is given in the "Public key" text box. </li>
<li>In the application details page, locate the <strong>Services & APIs</strong>
link and click it. </li>
<li>In the <strong>Services & APIs</strong> page, locate the
<strong>Licensing & In-App Billing</strong> section. Your public key for
licensing is given in the
<strong>Your License Key For This Application</strong> field. </li>
</ol>

<p>To add the public key to your application, simply copy/paste the key string
from the text box into your application as the value of the String variable
from the field into your application as the value of the String variable
<code>BASE64_PUBLIC_KEY</code>. When you are copying, make sure that you have
selected the entire key string, without omitting any characters. </p>

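Review bot: "exposes the public key for licensing to any developer signed in to the Developer Console" now reads as if any Developer Console user can see it; the line it replaces tied visibility to the publisher account, so say "to any user with access to the application in the Developer Console". The heading "Embed your public key for licensing" and the closing paragraph ("copy/paste the key string ... as the value of the String variable BASE64_PUBLIC_KEY") should also say that this is the same key used for in-app billing, as the rewritten first paragraph states, so readers do not go looking for a second key. Minor: the rewritten line ending "(or derived from it).</p>" exceeds the 80-column wrap used elsewhere in this file.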
@@ -965,16 +967,6 @@ application that they have legitimately purchased on another device.</li>
</ul>
</div>











<h2 id="app-obfuscation">Obfuscating Your Code</h2>

<p>To ensure the security of your application, particularly for a paid

@@ -16,7 +16,7 @@ restrict use of the application to a specific device, in addition to any other c
<p>The licensing service is a secure means of controlling access to your applications. When an
application checks the licensing status, the Google Play server signs the licensing status
response using a key pair that is uniquely associated with the publisher account. Your application
response using a key pair that is uniquely associated with the application. Your application
stores the public key in its compiled <code>.apk</code> file and uses it to verify the licensing
status response.</p>


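Review bot: the replaced line is correct, but the unchanged opening sentence "The licensing service is a secure means of controlling access" overstates what the next sentences describe: the application stores the verifying public key in its compiled .apk, so the check can be removed, or the key swapped, by anyone able to modify the package. "a means of controlling access" would be accurate, and the obfuscation guidance on this page already assumes as much.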
@@ -186,7 +186,7 @@ licensing server, possibly because of network availability problems. </td>
</tr>
<tr>
<td>{@code ERROR_SERVER_FAILURE}</td>
<td>Server error — the server could not load the publisher account's key
<td>Server error — the server could not load the application's key
pair for licensing.</td>
<td>No</td>
<td></td>

@@ -38,13 +38,13 @@ the licensing server and receives the result. The Google Play application sends
the result to your application, which can allow or disallow further use of the
application as needed.</p>

<p class="note"><strong>Note:</strong> If a paid application has been uploaded to Google Play but
saved only as a draft application (the app is unpublished), the licensing server considers all users
to be licensed users of the application (because it's not even possible to purchase the app).
This exception is necessary in order for you to perform testing of your licensing
<p class="note"><strong>Note:</strong> If a paid application has been uploaded
to Google Play, but saved only as a draft application (the app is
unpublished), the licensing server considers all users to be licensed users of
the application (because it's not even possible to purchase the app). This
exception is necessary in order for you to perform testing of your licensing
implementation.</p>


<div class="figure" style="width:469px">
<img src="{@docRoot}images/licensing_arch.png" alt=""/>
<p class="img-caption"><strong>Figure 1.</strong> Your application initiates a
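Review bot: reflow only, the note's text is unchanged. Since a draft application returns licensed for every user, an implementation tested this way never sees an unlicensed response; consider adding a sentence that the unlicensed path has to be exercised separately rather than against a draft.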
@@ -102,10 +102,11 @@ response data using an RSA key pair that is shared exclusively between the Googl
server and you.</p>

<p>The licensing service generates a single licensing key pair for each
publisher account and exposes the public key in your account's profile page. You must copy the
public key from the web site and embed it in your application source code. The server retains the
private key internally and uses it to sign license responses for the applications you
publish with that account.</p>
application and exposes the public key in your application's
<strong>Services & APIs</strong> page in the Developer Console. You must copy
the public key from the Developer Console and embed it in your application
source code. The server retains the private key internally and uses it to sign
license responses for the applications you publish with that account.</p>

<p>When your application receives a signed response, it uses the embedded public
key to verify the data. The use of public key cryptography in the licensing
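Review bot: the last rewritten line, "license responses for the applications you publish with that account", contradicts the rest of the paragraph, which now says the key pair is generated per application; change it to "license responses for that application". With the per-application wording, "generates a single licensing key pair for each application" no longer needs "single".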
@@ -221,7 +222,7 @@ gives you wider distribution potential for your applications. </p>
<p>Licensing lets you move to a license-based model that is enforceable on
all devices that have access to Google Play. Access is not bound to the
characteristics of the host device, but to your
publisher account on Google Play (through the app's public key) and the
application on Google Play (through the app's public key) and the
licensing policy that you define. Your application can be installed and
managed on any device on any storage, including SD card.</p>

