2 features added (see description) #108

Merged
merged 2 commits into from
Aug 29, 2015

ivanovpv
Contributor

  1. Added a static method which checks the availability of suitable Play Market services - `BillingProcessor.isIabServiceAvailable()`
  2. Added checking of the `merchantId` extracted from the `orderId`. A well-known method to protect against Freedom-like attacks
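
The check described in item 2, as an added example that is not part of the original pull request and not the library's own code. It assumes order IDs of the form `<merchantId>.<orderNumber>`, which the page does not state; the class name, method names and sample values are hypothetical, and an order ID in any other layout fails the check.

```java
// Added illustration; not code from the library. All names are hypothetical.
public final class MerchantIdCheck {

    /**
     * Returns the part of orderId before the first '.', or null when the
     * order ID is missing or has no non-empty prefix.
     * Assumption: order IDs look like "<merchantId>.<orderNumber>".
     */
    static String merchantIdFromOrderId(String orderId) {
        if (orderId == null) return null;
        String trimmed = orderId.trim();
        int dot = trimmed.indexOf('.');
        if (dot <= 0) return null; // no dot at all, or an empty prefix
        return trimmed.substring(0, dot);
    }

    /** True only when the order ID carries exactly the expected merchant ID. */
    static boolean isFromExpectedMerchant(String orderId, String expectedMerchantId) {
        if (expectedMerchantId == null || expectedMerchantId.isEmpty()) {
            // Fail loudly instead of silently accepting every purchase.
            throw new IllegalArgumentException("expected merchantId is required");
        }
        // equals() on the expected value is null-safe for a missing prefix.
        return expectedMerchantId.equals(merchantIdFromOrderId(orderId));
    }

    public static void main(String[] args) {
        String expected = "01234567890123456789"; // constructed sample value
        String[] orderIds = {                      // constructed sample order IDs
            "01234567890123456789.1111222233334444", // matching prefix
            "99999999999999999999.1111222233334444", // different merchant
            "1111222233334444",                      // no prefix at all
            ".1111222233334444",                     // empty prefix
            null                                     // missing order ID
        };
        for (String id : orderIds) {
            System.out.println(id + " -> " + isFromExpectedMerchant(id, expected));
        }
    }
}
```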

@mustii82

That's great, thank you!!! But how does it work? Should I change my code to use this, or is this prevention used automatically when I use the library?

bindPlayServices();
}

public BillingProcessor(Context context, String licenseKey, String merchantId, IBillingHandler handler) {
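
Review bot: in the new constructor signature, `licenseKey` and `merchantId` are adjacent `String` parameters, so a call that passes them in the wrong order still compiles and the mistake only shows up at runtime. Please add Javadoc on this overload saying what `merchantId` must contain and what happens when it is null or empty, and if this overload repeats the setup that ends in `bindPlayServices();` above, have one constructor delegate to the other.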
Member

Can we re-use the existing constructor here?

Contributor Author

Sure, you can use it. I kept the old constructor. If you use the old constructor, no check against `merchantId` will be provided.

Contributor Author

@mustii82 you have to provide your `merchantId` to the new constructor, and in case of an attack you'll see it in the `onBillingError()` handler with a special error code.

@mustii82

@ivanovpv what is a merchantId, and where can I find it? And I must just use the second constructor?

Can you make an example, please?

@ivanovpv
Contributor Author

@mustii82

  1. Go to Google Payments Merchant Account
  2. Click Settings->Public Profile, and there you will see your Merchant Id

@serggl
Member

serggl commented Aug 19, 2015

@ivanovpv can you please update the README file with instructions on how to use it? Having that, I'm OK with merging this PR.

@ivanovpv
Contributor Author

@serggl Sure, I will do it in a few days

@ivanovpv
Contributor Author

@serggl Done! Not sure whether to give a link to Freedom? Or is it bad practice to advertise crackers...

@mustii82

It doesn't matter. If somebody wants to prevent in-app hacking attacks, they can use this library :P But I think it's better to name it hacking prevention, because Freedom is the only working way to fake in-app purchases. By the way, there is an app called Lucky Patcher; I heard it can fake in-app purchases too, but I don't know how it works, so can you maybe test it?

@ivanovpv
Contributor Author

@mustii82 Lucky Patcher patches the attacked APK's classes directly in the binary dex file. Details are here. Best practice to protect against Lucky Patcher is beyond this library - it can be done in a different way - look here

can be found in your [Payments Merchant Account](https://payments.google.com/merchant).
Selecting *Settings->Public Profile* you will find your unique `merchantId`

**WARNING:** keep your `merchantId` in safe place!
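
Review bot: the `**WARNING:** keep your merchantId in safe place!` line does not say what the risk is or what "safe place" means, which leaves readers guessing given that the value has to be passed to the constructor in app code. Suggest stating the concrete concern and the recommended handling, or dropping the warning; also "in safe place" should read "in a safe place", and the `Selecting *Settings->Public Profile*` sentence above it needs a closing period.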

What do you mean by keeping your merchant ID safe? Can somebody do damage to me if he knows what my merchant ID is?

serggl merged commit 8bfec35 into anjlab:master Aug 29, 2015
serggl added a commit that referenced this pull request Aug 29, 2015
serggl mentioned this pull request Sep 30, 2015
showdpro pushed a commit to showdpro/android-inapp-billing-v3 that referenced this pull request Jul 13, 2021