Google IAP returns short purchase token for verification(Google IAP 返回短购令牌以供验证)
问题描述
我已经实现了服务器端验证 Google IAP 购买令牌.我的移动应用程序将这个令牌发送给我,因为它是从 Google 获取的.
一个普通的令牌看起来像
但有时我会得到这样的短标记 当我通过 Google Play Developer API 验证此令牌时:https://www.googleapis.com/androidpublisher/v2/applications/packageName/purchases/subscriptions/subscriptionId/tokens/token,对于短令牌我收到 404 错误. 问题出在哪里?这个短token有没有可能代表真实的交易? 我一直在我们的应用程序中收到这些相同的无效令牌,但不知道是什么原因.令牌有多种格式,包括 24 个字母字符(例如 这些是我从 应用内结算 API 收到的错误消息一次或多次使用各种令牌: Marc Greenstock 给出的答案给了我一个尝试重现该问题的想法. 我在有根设备上测试了两个声称可以破解应用内购买的应用:Freedom 和 Lucky Patcher.前者不起作用:虽然它检测到我们的应用程序可以进行购买,但当我尝试制作一个假的时,它告诉我这个应用程序的购买不能被伪造".然而,后一个 确实 在经过一番摆弄之后工作,并生成了一个与问题完全相同的短期购买令牌.当我尝试通过 in-app billing API 验证令牌时,我收到了完全相同的像以前一样的无效令牌"消息. 我还开始使用此方法记录生成无效令牌的设备的根状态.虽然这并不能证明任何事情,但几乎所有无效令牌都来自根植设备这一事实让我怀疑是犯规. 我相信攻击的工作原理如下.对此有更多了解的朋友请多多指教! I have implemented server-side verification Google IAP purchase tokens. My mobile app send me this token as get it from Google. A regular token looks like but sometimes I get a short token like this When I verify this token via Google Play Developer API: https://www.googleapis.com/androidpublisher/v2/applications/packageName/purchases/subscriptions/subscriptionId/tokens/token, for the short token I get a 404 error. Where is the problem? Is it possible that this short token represents real transactions? I have been receiving these same invalid tokens in our app with no idea of the reason for a while. The tokens have come in various formats, including 24 alpha characters (eg. These are the error messages I have received from the in-app billing API for these various tokens at one time or another: The answer given by Marc Greenstock gave me an idea to try to reproduce the issue. I tested two apps that claim to hack in-app purchases: Freedom, and Lucky Patcher, on a rooted device. The former did not work: though it detected that our app can make purchases, when I tried to make a fake one it told me that "this app's purchases cannot be faked". The latter one did work after some fiddling, however, and generated a short purchase token exactly as in the question. When I tried to verify the token via the in-app billing API, I received the same exact "invalid token" message as before. I also started logging the root status of devices generating invalid tokens using this method. While this is not proof of anything, the fact that nearly all invalid tokens originated from rooted devices made me suspect foul play. I believe the attack works as follows. Anyone who knows more about this please chime in! 这篇关于Google IAP 返回短购令牌以供验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!minodojglppganfbiedlabed.AO-J1OyNtpooSraUdtKlZ_9gYs0o20ZF_0ryTNACmvaaaG5EwPX0hPruUdGbE3XejoXYCYzJA2xjjAxrDLFhmu9WC4fvTDNL-RDXCWjlHKpzLOigxCr1QhScXR8uXtX8R94iV6MM
korpimulxmslxissnschtkdb
glvnqnpjqslcagyimgxeuybk
)、15 个数字(例如 781871156762279
、查看这个问题),甚至是适当长度的令牌,其格式与有效令牌略有不同(例如.xdavcuvdnniwwrhwemleqjdz.rSQozm...
看到这个问题)."code": 404, "message": "未找到购买令牌."
"code": 400, "message": "无效值"
"code": 400, "message": "您的请求对该订阅购买无效."
进行欺诈性购买
攻击
Intent
用于合法服务缓解
minodojglppganfbiedlabed.AO-J1OyNtpooSraUdtKlZ_9gYs0o20ZF_0ryTNACmvaaaG5EwPX0hPruUdGbE3XejoXYCYzJA2xjjAxrDLFhmu9WC4fvTDNL-RDXCWjlHKpzLOigxCr1QhScXR8uXtX8R94iV6MmMHqD
korpimulxmslxissnschtkdb
glvnqnpjqslcagyimgxeuybk
), 15 digits (eg. 781871156762279
, see this question), and even tokens of proper length that have a slightly different format from valid ones (eg. xdavcuvdnniwwrhwemleqjdz.rSQozm...
see this question).
"code": 404, "message": "The purchase token was not found."
"code": 400, "message": "Invalid Value"
"code": 400, "message": "Your request is invalid for this subscription purchase."
Making a fraudulent purchase
The attack
Intent
which is meant for the legitimate serviceMitigation
本文标题为:Google IAP 返回短购令牌以供验证
基础教程推荐
- Android:对话框关闭而不调用关闭 2022-01-01
- 如何在 UIImageView 中异步加载图像? 2022-01-01
- UIWebView 委托方法 shouldStartLoadWithRequest:在 WKWebView 中等效? 2022-01-01
- 如何在没有IB的情况下将2个按钮添加到右侧的UINavigationbar? 2022-01-01
- 如何让对象对 Cocos2D 中的触摸做出反应? 2022-01-01
- android 应用程序已发布,但在 google play 中找不到 2022-01-01
- 在 gmail 中为 ios 应用程序检索朋友的朋友 2022-01-01
- Kivy Buildozer 无法构建 apk,命令失败:./distribute.sh -m “kivy"d 2022-01-01
- 当从同一个组件调用时,两个 IBAction 触发的顺序是什么? 2022-01-01
- 如何在 iPhone 上显示来自 API 的 HTML 文本? 2022-01-01