My server receives a real-time developer notifications (RTDN) from Google Play. Now what?
How to check whether RTDN by Google Play comes from Google, not from a hacker? Suppose I use purchases.products.get API to check it. Then a hacker could send me repeated RTDN, what would lead my server into thinking that purchase happened two times (when it was really one time).
I want my server to top the user account on every purchase from my app. I want the amount of purchase to be arbitrary (specified by the user). Should I include the amount in dollars into product productId/SKU like: credit-$0.78?
Also, it is unclear how to determine the installation ID of the app (a UUID I store in app data on installation) for which the purchase was done. Should I include the UUID in productId/SKU?
Quoting https://developer.android.com/google/play/billing/security
A special case of sensitive data and logic that should be handled in the backend is purchase verification. After a user has made a purchase, you should do the following:
Send the corresponding purchaseToken to your backend. This means that you should maintain a record of all purchaseToken values for all purchases.
Verify that the purchaseToken value for the current purchase does not match any previous purchaseToken values. purchaseToken is globally unique, so you can safely use this value as a primary key in your database.
Use the Purchases.products:get or Purchases.subscriptionsv2:get endpoints in the Google Play Developer API to verify with Google that the purchase is legitimate.
If the purchase is legitimate and has not been used in the past, you can then safely grant entitlement to the in-app item or subscription.
[skipping about verification of subscriptions]
Real-time developer notifications (RTDN) is a mechanism to receive notifications from Google whenever there is a change in a user's entitlement within your app. RTDN leverages the use of Google Cloud Pub/Sub which is encoded and secure, each publish made to a Cloud Pub/Sub topic contains a single base64-encoded data field.
Note: You must call the Google Play Developer API after receiving Real-time developer notifications to get the complete status and update your own backend state. These notifications tell you only that the purchase state changed. They do not give you complete information about the purchase.
The Google Play Developer API is a server-to-server API that complements the Google Play Billing Library on Android. This API provides functionality not available in the Google Play Billing Library, such as securely verifying purchases and issuing refunds to your users.
Related
I have added a non-renewable subscription for one of my projects. We also started implementing the Google play developer API to get the subscription latest status from the Play Store. For that we have done the below steps as per this blog:
Linked the developer account to a new Google Cloud Project.
Enabled the Google Play Developer API for the Google Cloud Project.
Created a service account and created a key for the service account.
I have below clarifications related to this implementation:
I tried to Grant Access for the following permissions: But the corresponding checkmark is not clickable.
View financial data, orders, and cancellation survey responses
Manage orders and subscriptions
The 3rd step as per the blog is to Authorize an API key, but I didn't get a clear idea of that.
We are going to implement this API on the back end side as a corn job, do we need to generate a JWT token for accessing this API? Is this possible to call without a Token? I found 2 types of implementations from this blog, which one is easy and secure?
"Your application can complete these tasks either by using the Google APIs client library for your language or by directly interacting with the OAuth 2.0 system using HTTP."
From where we get the get API path and other details. I found a similar get API from AppStore like this. Is the play store providing a similar kind of get API?
We need the latest purchase status API and for that what parameters do we need to pass?
I want to allow my users to pay food to my business users using Stripe Connect. I never used Stripe, but by reading the Stripe documentation, this seems feasible and relatively easy to implement.
According to this Google documentation page, the purchase or rental of physical goods via a given app is not subject to their fees.
Does this imply that I will not pay any fee to Google, even if I distribute my app via Google Play?
Given your use case, you should be able to use Stripe instead of Google Play's billing system and not be subject to Google extra fees. That being said, it would depend on how you implement your app. For example, if you were to sell tokens (that were only available in-app) that could be redeemed for food, that would probably still need to use Google's billing system. You should probably write in to Stripe Support (https://support.stripe.com/contact) to talk through what you want and be completely sure.
I need to add server side logic when a user buys and cancels a subscription. To me this seems like a basic feature that many apps probably use. However as it turns out it's not that simple to setup up the need webhooks.
My App will be available on android and iOS, so I will need to configure both, which is why I thought about using RevenueCat. But it turns out, this is a paid feature for $110/month, which is way too much for a/my new app. This is probably the biggest time saver for RevenueCat compared to using the official InApp Purchases packages, so I don't see why they would make it a paid feature.
Anyways what the best way to handle webhooks with the Play Store and the App Store? Any Guides and Tipps would be very helpful!
Apple and Google both offer server-to-server notifications that will notify you when a subscriber cancels.
Apple guide: Enabling Server-to-Server Notifications
Google guide: Real-time developer notifications
If you have your own user Ids, they won't be present in these server notifications so on your server you can save the user Id along with the transaction identifier of their original purchase. That way when a notification comes in you can look up the user from the transaction identifier and flag them as cancelled.
Alternatively, the RevenueCat API is included on their free plan so you can periodically poll their GET /subscribers endpoint to get the latest subscription status for a user. This obviously won't be real-time, but may be enough for your use-case.
Update: I decided to solve this issue similar as #enc_life suggested with the RevenueCat API. For validation the purchase, I send a request to my server, that checks with if the user actually bought the subscription. For canceling the subscription, I execute a function everyday on my server, that checks for all subscribers if the subscription is still valid.
We do validate the google play in app purchase receipt on our backend server.
For testing we do fake the receipts and test with them our system.
Is there a possibility to do a test purchase from the backend server to google's test server, to generate a receipt?
Or is there a possibility to get an fake receipt directly from google play?
For Android there are static responses for testing, maybe for backend server too.
It will be a better test then to fake the receipt by my own.
All purchases, including test purchases, must be done using an Android application (via a real device or an emulator). It happens because the purchase is executed by the Google Play Store app, and authenticated by the user.
About the server-side API, according to the Google Play Developer API, you can use the Subscriptions and In-App Purchases API to:
[...] manage your app's catalog of in-app products and subscriptions. In
addition, with the Subscriptions and In-App Purchases API you can
quickly retrieve the details of any purchase using a standard GET
request.
So, after your purchase is completed (starting on the device), you can manage it's status, get details from the API and etc.
Our app has already implemented in-app purchase.
But, we previously don't keep track of it, and only relies on the google's service whether a user's level is premium or regular.
Now, we want to track it in our server as well.
Is it possible to get the users data who've bought our subscriptions? (especially his/her email)
Based from the following documentations, there is no currently existing method to get a list of your app's subscriber's.
Google Play Developer - API Reference
In-app Subscriptions
Currently existing features with Google Play Developer API is that, it offers an HTTP-based API that lets you perform such tasks as:
Remotely query the validity of a specific subscription at any time
Cancel a subscription
Defer a subscription's next billing date
Refund a subscription payment without canceling the subscription
Refund and revoke a subscription
The API is designed to be used from your backend servers as a way of securely managing subscriptions, as well as extending and integrating subscriptions with other services.
For complete information, you may go through Google Play Developer API.