Google Play Order ID updated to new format

Published 2020-02-05 04:24

Question:

All my recent Android app purchases show a new order ID format.

The OLD format:

[merchant ID].[actual order ID]

We could use this format to check if the prefix of the order ID matches with the merchant ID and prevent possible hacks by apps like Freedom.

The NEW format:

GPA.1234-5678-9123-45678
  • All my recent orders start with "GPA." (yes, the additional dot is also there)
  • There is a 17-digit number divided into 4 blocks
  • The first 3 blocks contain 4 digits each and the last has 5 digits

I want to know what this number represents and the significance of the sub-blocks. Is the merchant ID included anywhere?

Answer 1:

Actually, I asked Google when they alerted us about the new order ID format in May 2015, via the notification icon inside the Google developer console (where they usually post alerts about newly supported countries, etc.). They said GPA is short for Google Play Apps. Based on the notification, this change should have been made in June 2015, but they didn't do it, and I thought it was cancelled. I was wrong.

EDIT(2): I have found 2 types of order ID now: GPA (just the letters GPA, not numbers).(17-digit actual order ID) and (20-digit merchant ID).(17-digit actual order ID)

EDIT(3): Google just replied to me, and GPA.1234-5678-9012-34567 is the final form of the order play. They told me not to use the merchant ID to check the purchase, and that I should use the purchase token instead. No technical support is available currently. I still haven't found the best way to solve this, though. And to verify that the purchase is valid, they told me not to use the order ID but the purchase token, using the Google API for server-side verification. It's more complex, but it seems it can prevent the Freedom hack: https://github.com/soomla/android-store/issues/47

*sorry for my bad English.



Answer 2:

I don't know the reason for this change, nor how they informed us about it. Checking the order ID against our merchant ID was a good way to avoid hacking.

Anyway, I have been thinking fast to solve this situation, and the only solution I see is to use the Google API to check that specific purchase.

https://developers.google.com/android-publisher/api-ref/purchases/products/get

Sending packageName, product id and the token, then checking if that purchase even exists or if the developerPayload is the same.

Please correct me or give more ideas to fix this issue ASAP.

Cheers
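
The server-side check both answers describe, sketched as an added example (not code from either answer or from Google): the decision rests on what `purchases.products.get` returns for the purchase token, never on the order ID prefix. The `http_get` transport, the package and product names, the tokens and the payload are constructed assumptions, and the `purchaseState` check goes one step beyond what the answer lists.

```python
import hmac
from urllib.parse import quote

# Endpoint of purchases.products.get (Android Publisher API v3).
API = "https://androidpublisher.googleapis.com/androidpublisher/v3"

def product_url(package_name, product_id, token):
    # All three values can originate from the client, so path-encode each one.
    parts = [quote(p, safe="") for p in (package_name, product_id, token)]
    return "{}/applications/{}/purchases/products/{}/tokens/{}".format(API, *parts)

def verify_purchase(http_get, package_name, product_id, token, expected_payload):
    """Return (ok, detail). http_get(url) -> (status, json_dict) is a
    hypothetical transport that performs the OAuth2-authorised GET."""
    status, body = http_get(product_url(package_name, product_id, token))
    if status != 200:
        # A token fabricated on the device is unknown to Google.
        return False, "token not recognised (HTTP %d)" % status
    if body.get("purchaseState") != 0:  # 0 = purchased, 1 = cancelled
        return False, "purchase is not in the purchased state"
    payload = body.get("developerPayload", "")
    if not hmac.compare_digest(payload.encode(), expected_payload.encode()):
        return False, "developerPayload mismatch"
    # orderId is returned for bookkeeping only; it is never the trust decision.
    return True, body.get("orderId", "")

# Constructed sample data standing in for Google's responses.
PKG, SKU = "com.example.game", "coins_100"
FAKE_RESPONSES = {
    product_url(PKG, SKU, "tok-real"): (200, {
        "purchaseState": 0, "developerPayload": "user-42:nonce-abc",
        "orderId": "GPA.1234-5678-9012-34567"}),
    product_url(PKG, SKU, "tok-cancelled"): (200, {
        "purchaseState": 1, "developerPayload": "user-42:nonce-abc",
        "orderId": "GPA.1234-5678-9012-34567"}),
}

def fake_http_get(url):
    # Any token not listed above behaves like a forged one: HTTP 404.
    return FAKE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    for tok in ("tok-real", "tok-cancelled", "tok-forged"):
        print(tok, verify_purchase(fake_http_get, PKG, SKU, tok, "user-42:nonce-abc"))
```

In a real deployment `http_get` would be replaced by an HTTPS client authorised with a service account that has access to the Play developer account.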