I have implemented In-App billing in my app - and very recently google has updated it,previously i was testing the in-app billing with "android.test.purchased"
and it was working fine (Buy full Version and Restore full version).
Now i took the changed classes from here
https://code.google.com/p/marketbilling/source/detail?r=7bc191a004483a1034b758e1df0bda062088d840
After that i am not able to test the app it gives the following error in the Logcat "IabHelper: In-app billing error: Purchase signature verification FAILED for sku android.test.purchased
".
I have checked with my key, package name and also app version all is proper, has any one faced this issue?
Please help me with this.
This is because of the verifyPurchase() method in the Security class that has been change in the new fixes. Let me show you what is the exact problem is:
Security class changes
OLD CODE
public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
if (signedData == null) {
Log.e(TAG, "data is null");
return false;
}
boolean verified = false;
if (!TextUtils.isEmpty(signature)) {
PublicKey key = Security.generatePublicKey(base64PublicKey);
verified = Security.verify(key, signedData, signature);
if (!verified) {
Log.w(TAG, "signature does not match data.");
return false;
}
}
return true;
}
New Code
public static boolean verifyPurchase(String base64PublicKey,
String signedData, String signature) {
if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey)
|| TextUtils.isEmpty(signature)) {
Log.e(TAG, "Purchase verification failed: missing data.");
return false;
}
PublicKey key = Security.generatePublicKey(base64PublicKey);
return Security.verify(key, signedData, signature);
}
According to what I have searched and tested from New code,
Why it happens because we will not get any signature while we are using dummy product like "android.test.purchased". So in the old code it is working good because we were return true even if signature is not given and for the New code we are returning false.
more information about the signature data null or blank from link1 and link2
So I suggest you just replace old code method verifyPurchase() instead of New Code method.
I think may be New Code will work fine for the real product but not in the dummy product. But yet I have not tested for the real product.
Let me search more about this, why they changed code and what is the purpose behind that.
EDIT:
BuildConfig.DEBUG will also give you the solution for the test purchases.
In the verifyPurchase I changed return false
to:
Log.e(TAG, "Purchase verification failed: missing data.");
if (BuildConfig.DEBUG) {
return true;
}
return false;
but you should be aware to use this only in test scenario's.
This will return true, if you have a debug build, and the signature data is missing. Since the BuildConfig.DEBUG will be false in a production build this should be OK. But better is to remove this code after everything is debugged.
I have edited some code in the verifyPurchase() method, check it below:
public static boolean verifyPurchase(String base64PublicKey,
String signedData, String signature) {
if (signedData == null) {
Log.e(TAG, "data is null");
return false;
}
if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey)
|| TextUtils.isEmpty(signature)) {
Log.e(TAG, "Purchase verification failed: missing data.");
if (BuildConfig.DEBUG) {
Log.d("DeBUG", ">>>"+BuildConfig.DEBUG);
return true;
}
return false;
}
PublicKey key = Security.generatePublicKey(base64PublicKey);
return Security.verify(key, signedData, signature);
}
I got this from GvS's answer
android in app billing purchase verification failed.
hope it is helpful for you.
I was the one informing Google Security Team about these security bugs.
Please be patient until I do public disclosure of these bugs, as I granted Google time to fix them.
If no big sites write about this problem I will disclose with a working exploit on 6 November.
As you already looked at verifyPurchase(), the bug should be obvious. If given signature is an empty String the method still returns true (as it returns true on default).