Invalid Short Purchase Tokens
Solution 1:
I have received short purchase tokens in the same 15-digit format, and I believe that these are, in fact, attempts at fraudulent purchases.
It is not your app that is cracked. Rather, a user installs a special app onto a rooted device that performs a man-in-the-middle attack against your app, emulating the legitimate In-App Billing Service. When your app begins a purchase flow, this fraudulent app intercepts the purchase request, and returns a fake purchase token.
Apps that verify the token locally are vulnerable, because the same fraudulent app is used to verify the token.
Apps that send the token to the backend are probably safer, because the backend can make a request to the in-app billing API to verify the token independently. However, the app must wait for the backend verification to succeed before granting the user the purchased privileges.
Please see my other answer for more details on this attack.
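The backend-side flow the answer recommends, written out as an added example (this is not code from the original post or from Google). It assumes the fraudulent tokens are the 15-digit numeric strings described above, treats that only as a cheap pre-filter, and then asks an injected `play_lookup` callable whether the token is a real, completed purchase; the user's entitlement is written only after that verdict is positive. The lookup here is a constructed in-memory stand-in so the example runs offline; a real backend would wrap the Google Play Developer API `purchases.products.get` call there, and the `purchaseState == 0` check mirrors that resource's "purchased" value (an assumption of this example, not something the answer states).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Signature of the authoritative lookup: (package_name, product_id, token) -> purchase
# record dict, or None when Play has no such token. Injected so the example runs offline.
PlayLookup = Callable[[str, str, str], Optional[dict]]


@dataclass(frozen=True)
class VerificationResult:
    valid: bool
    reason: str


# The forged tokens described in the answer are 15-digit numeric strings, whereas real
# purchase tokens are long opaque strings. Cheap pre-filter only; the Play lookup below
# remains the real check, because a local heuristic is exactly what a MITM app can game.
SHORT_NUMERIC_TOKEN = re.compile(r"[0-9]{15}")


def looks_like_forged_token(token: str) -> bool:
    return SHORT_NUMERIC_TOKEN.fullmatch(token) is not None


def verify_purchase(package_name: str, product_id: str, token: str,
                    play_lookup: PlayLookup) -> VerificationResult:
    """Decide on the backend whether a client-supplied token is a real, completed purchase."""
    if looks_like_forged_token(token):
        # Reject without spending an API call; worth logging for fraud monitoring.
        return VerificationResult(False, "short-numeric-token")
    try:
        record = play_lookup(package_name, product_id, token)
    except Exception as exc:  # network/auth failure: fail closed, never grant on error
        return VerificationResult(False, f"lookup-failed: {exc}")
    if record is None:
        return VerificationResult(False, "unknown-token")
    # Assumption: purchaseState 0 means "purchased" in the Play products resource.
    if record.get("purchaseState") != 0:
        return VerificationResult(False, "not-purchased")
    return VerificationResult(True, "verified")


def grant_if_verified(user_id: str, product_id: str, result: VerificationResult,
                      entitlements: Dict[str, Set[str]]) -> bool:
    """Entitlements are written only on a positive backend verdict; the app waits for this."""
    if not result.valid:
        return False
    entitlements.setdefault(user_id, set()).add(product_id)
    return True


# Constructed stand-in for the Play API: one legitimate token and one cancelled purchase.
LEGIT_TOKEN = "opaque.token.ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CANCELLED_TOKEN = "opaque.token.cancelled.00000000000000000000000"
FAKE_PLAY_RECORDS = {
    ("com.example.app", "premium", LEGIT_TOKEN): {"purchaseState": 0},
    ("com.example.app", "premium", CANCELLED_TOKEN): {"purchaseState": 1},
}


def fake_play_lookup(package_name: str, product_id: str, token: str) -> Optional[dict]:
    return FAKE_PLAY_RECORDS.get((package_name, product_id, token))


if __name__ == "__main__":
    ents: Dict[str, Set[str]] = {}
    for tok in ["123456789012345", CANCELLED_TOKEN, LEGIT_TOKEN]:
        res = verify_purchase("com.example.app", "premium", tok, fake_play_lookup)
        granted = grant_if_verified("user-1", "premium", res, ents)
        print(f"{tok[:24]:<24} {res.reason:<20} granted={granted}")
    print(ents)
```

The ordering matters: the client must not unlock anything when it merely receives a token, only when the backend reports a `verified` result, since the fraudulent app sits between the client and the billing service and can fabricate whatever the client checks locally.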