C# Class Billing.Security

Security-related methods. For a secure implementation, all of this code should be implemented on a server that communicates with the application on the device. For the sake of simplicity and clarity of this example, this code is included here and is executed on the device. If you must verify the purchases on the phone, you should obfuscate this code to make it harder for an attacker to replace the code with stubs that treat all purchases as verified.
Exibir arquivo Open project: MarkEaton1/Monodroid-InApp-Billing

Public Methods

Method Description
GenerateNonce ( ) : long

Generates a nonce (a random number used once).

IsNonceKnown ( long nonce ) : bool
RemoveNonce ( long nonce ) : void
Verify ( IPublicKey publicKey, string signedData, string signature ) : bool

Verifies that the signature from the server matches the computed signature on the data. Returns true if the data is correctly signed.

VerifyPurchase ( string signedData, string signature ) : List

Verifies that the data was signed with the given signature, and returns the list of verified purchases. The data is in JSON format and contains a nonce (number used once) that we generated and that was signed (as part of the whole data string) with a private key. The data also contains the PurchaseState and product ID of the purchase. In the general case, there can be an array of purchase transactions because there may be delays in processing the purchase on the backend and then several purchases can be batched together.

Private Methods

Method Description
GeneratePublicKey ( string encodedPublicKey ) : IPublicKey

Generates a PublicKey instance from a string containing the Base64-encoded public key.

Method Details

GenerateNonce() public static method

Generates a nonce (a random number used once).
public static GenerateNonce ( ) : long
return long

IsNonceKnown() public static method

public static IsNonceKnown ( long nonce ) : bool
nonce long
return bool

RemoveNonce() public static method

public static RemoveNonce ( long nonce ) : void
nonce long
return void

Verify() public static method

Verifies that the signature from the server matches the computed signature on the data. Returns true if the data is correctly signed.
public static Verify ( IPublicKey publicKey, string signedData, string signature ) : bool
publicKey IPublicKey public key associated with the developer account
signedData string signed data from server
signature string server signature
return bool

VerifyPurchase() public static method

Verifies that the data was signed with the given signature, and returns the list of verified purchases. The data is in JSON format and contains a nonce (number used once) that we generated and that was signed (as part of the whole data string) with a private key. The data also contains the PurchaseState and product ID of the purchase. In the general case, there can be an array of purchase transactions because there may be delays in processing the purchase on the backend and then several purchases can be batched together.
public static VerifyPurchase ( string signedData, string signature ) : List
signedData string the signed JSON string (signed, not encrypted)
signature string the signature for the data, signed with the private key
return List