Why is it important to set the developer payload with in-app billing?

android android-billing

If you don't keep a record there is no way to verify that what you get is what you sent. So if you add something to the developer payload, you can either trust that it is legitimate (which is a reasonable assumption if the signature verifies), or not trust it completely and only use it a reference, but not for validating license status, etc. If you store the user email, for example, you can use the value instead of asking them to enter it again, which is slightly more user friendly, but your app won't break if it is not there.

Personally, I think that this whole 'best practices' part is confusing and is trying to make you do work that the API should really be doing. Since the purchase is tied to a Google account, and the Play Store obviously saves this information, they should just give you this in the purchase details. Getting a proper user ID requires additional permissions that you shouldn't need to add just to cover for the deficiencies of the IAB API.

So, in short, unless you have your own server and special add-on logic, just don't use the developer payload. You should be OK, as long as the IAB v3 API works (which is, unfortunately, quite a big 'if' at this point).


You should pass in a string token that helps your application to identify the user who made the purchase...

If your application provides its own user login and identity, which is different from what Google accounts the phone is connected to, then you would need to use the developer payload to attach the purchase to one of your accounts that made the purchase. Otherwise someone could switch accounts in your app, and get the benefit of purchased stuff.

e.g.

Suppose our app has login for userA and userB. And the phone's Android google account is X.

  1. userA, logs into our app and purchases life membership. The purchase details are stored under google account X.
  2. userA logs out, and userB logs into our app. Now, userB also gets the benefit of life membership, as android google account is still X.

To avoid such misuse, we will tie a purchase to an account. In the above example, we will set developer payload as "userA" when userA is making the purchase. So when userB signs in, the payload won't match to signed in user (userB), and we will ignore the purchase. Thus userB can't get benefits of a purchase done by userA.

Related

Unknown attribute android:layout_width, layout_height, id, gravity, layout_gravity, padding
Error '_BSMachError: port 1607; (os/kern) invalid capability (0x14) "Unable to insert COPY_SEND" in Cordova app on iOS 10
How to loop and render elements in React-native?
Android, How to create option Menu
Detecting and fixing circular references in JavaScript
How to import or copy images to the "res" folder in Android Studio?
How to remove project in PyCharm?
How to define a regex-matched string type in Typescript?
Derivation of multivariable Taylor series
How do I find out what service is using a certain port?
Can a PC be set up not to shut down when unplugged?
What does 1080p mean in laptop resolution?