In-app purchases made via promo codes return empty developer payload string

This issue was opened on the google's android-play-billing samples repo. Looks like it was ignored for a long time and was eventually closed with this comment. In short, they have following suggestions.


We reviewed our guidelines and internal APIs, and since the developerPayload is not supported across all features on In-App Billing API (including promocodes), we are removing the recommendation to use it as a security check.

As you can see in our documentation, on the page Implementing In-app Billing (https://developer.android.com/google/play/billing/billing_integrate.html) we've added a recommendation:

Caution: Don't use the developerPayload field for security validation purposes. This field isn't always available when completing tasks related to In-app Billing. For more information about security best practices, see the In-app Billing Security and Design guide.

Our recommendation is to validate on your own backend, using the Play Developer API.