Secure purchase premium IAP

sheko :

I have an app that I want to use Google Pay for only 1 non-consumable upgrade. I use the code below to get the status of my Google Play purchase:

override fun onPurchasesUpdated(
    billingResult: BillingResult?,
    purchases: MutableList<Purchase>?
) {
    if (billingResult?.responseCode == BillingClient.BillingResponseCode.OK && purchases != null) {
        for (purchase in purchases) { 
            handlePurchase(purchase) 
            // set user preference bool value if status is purchased 
        }
    } 
}

and set the bool preference to true to hide ads. From Google here:

https://developer.android.com/google/play/billing/billing_library_overview

In the section "Verify a purchase" they say:

Note: It's highly recommended to verify purchase details using a secure backend server that you trust. When a server isn’t an option, you can perform less-secure validation within your app.

My question is:

Is that a usual practice, or should I use a server to verify from reverse engineering, and if so, wouldn't that happen also with the server?

Max :

Is that a usual practice or I should use a server to verify from reverse engineering?

It is a good practice, but it is not a usual practice.

What I mean is not everybody can afford a private server. Sometimes you have an offline app, and you offer in-app purchases just to unlock a few other features and you don't want to get into the hassle of having a private server just for the sake of it. It depends:

Is your app extremely popular with thousands of DAU?

Are you unlocking some really useful features, that if 1% of users are using a modded version of your app, it will really justify the server costs? Most of the time it does not.

And if so, wouldn't that happen also with the server?

Yes, it can; the server is just another layer of security.

I would suggest hiding your public key using the NDK, which is harder to reverse engineer, and you should be quite safe.

You can find the tutorial here
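
The "less-secure validation within your app" from the quoted Google note, sketched as an added example that is not part of either post: it checks the purchase signature against the app's Play public key. It assumes SHA1withRSA over the original purchase JSON, as in Google's sample verification code; the key pair, JSON payload and function names are constructed so it runs offline on a plain JVM.

```kotlin
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.PublicKey
import java.security.Signature
import java.security.spec.X509EncodedKeySpec
import java.util.Base64

// Decode the Base64 X.509 public key (in an app: the licensing key from Play Console).
fun decodePublicKey(base64Key: String): PublicKey =
    KeyFactory.getInstance("RSA")
        .generatePublic(X509EncodedKeySpec(Base64.getDecoder().decode(base64Key)))

// True only if signatureB64 is a valid SHA1withRSA signature over signedJson.
// In an app the inputs would be purchase.originalJson and purchase.signature.
fun isPurchaseSignatureValid(base64Key: String, signedJson: String, signatureB64: String): Boolean =
    try {
        val verifier = Signature.getInstance("SHA1withRSA")
        verifier.initVerify(decodePublicKey(base64Key))
        verifier.update(signedJson.toByteArray(Charsets.UTF_8))
        verifier.verify(Base64.getDecoder().decode(signatureB64))
    } catch (e: Exception) {
        false // malformed key, bad Base64 or bad signature encoding: treat as not purchased
    }

fun main() {
    // Constructed stand-in for Google's signing key, so the example needs no network.
    val keyPair = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
    val publicKeyB64 = Base64.getEncoder().encodeToString(keyPair.public.encoded)

    // Constructed purchase payload; product id and token are placeholders.
    val json = """{"productId":"premium_upgrade","purchaseToken":"constructed-token"}"""
    val signatureB64 = Signature.getInstance("SHA1withRSA").run {
        initSign(keyPair.private)
        update(json.toByteArray(Charsets.UTF_8))
        Base64.getEncoder().encodeToString(sign())
    }

    // Genuine payload, edited payload, and a garbage signature.
    println(isPurchaseSignatureValid(publicKeyB64, json, signatureB64))
    val tampered = json.replace("premium_upgrade", "other_product")
    println(isPurchaseSignatureValid(publicKeyB64, tampered, signatureB64))
    println(isPurchaseSignatureValid(publicKeyB64, json, "not base64!"))
}
```

Only the first call passes. Because the check runs on the device, it only raises the effort needed to bypass it in a modified app; the backend verification the Google note recommends keeps the decision off the device.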
