C# Class Billing.Security

Security-related methods. For a secure implementation, all of this code should be implemented on a server that communicates with the application on the device. For the sake of simplicity and clarity of this example, this code is included here and is executed on the device. If you must verify the purchases on the phone, you should obfuscate this code to make it harder for an attacker to replace the code with stubs that treat all purchases as verified.

Show file Open project: MarkEaton1/Monodroid-InApp-Billing

Public Methods

Method	Description
GenerateNonce ( ) : long	Generates a nonce (a random number used once).
IsNonceKnown ( long nonce ) : bool
RemoveNonce ( long nonce ) : void
Verify ( IPublicKey publicKey, string signedData, string signature ) : bool	Verifies that the signature from the server matches the computed signature on the data. Returns true if the data is correctly signed.
VerifyPurchase ( string signedData, string signature ) : List	Verifies that the data was signed with the given signature, and returns the list of verified purchases. The data is in JSON format and contains a nonce (number used once) that we generated and that was signed (as part of the whole data string) with a private key. The data also contains the PurchaseState and product ID of the purchase. In the general case, there can be an array of purchase transactions because there may be delays in processing the purchase on the backend and then several purchases can be batched together.

Private Methods

Method	Description
GeneratePublicKey ( string encodedPublicKey ) : IPublicKey	Generates a PublicKey instance from a string containing the Base64-encoded public key.

Method Details

GenerateNonce() public static method

Generates a nonce (a random number used once).

public static GenerateNonce ( ) : long
return	long

IsNonceKnown() public static method

public static IsNonceKnown ( long nonce ) : bool
nonce	long
return	bool

RemoveNonce() public static method

public static RemoveNonce ( long nonce ) : void
nonce	long
return	void

Verify() public static method

Verifies that the signature from the server matches the computed signature on the data. Returns true if the data is correctly signed.

public static Verify ( IPublicKey publicKey, string signedData, string signature ) : bool
publicKey	IPublicKey	public key associated with the developer account
signedData	string	signed data from server
signature	string	server signature
return	bool

VerifyPurchase() public static method

Verifies that the data was signed with the given signature, and returns the list of verified purchases. The data is in JSON format and contains a nonce (number used once) that we generated and that was signed (as part of the whole data string) with a private key. The data also contains the PurchaseState and product ID of the purchase. In the general case, there can be an array of purchase transactions because there may be delays in processing the purchase on the backend and then several purchases can be batched together.

public static VerifyPurchase ( string signedData, string signature ) : List
signedData	string	the signed JSON string (signed, not encrypted)
signature	string	the signature for the data, signed with the private key
return	List