Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dd50e98c authored by quddusc's avatar quddusc Committed by Android Git Automerger
Browse files

am f634d6a2: am c0050433: Merge "docs: Added details about key/signature for... 

am f634d6a2: am c0050433: Merge "docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447" into jb-mr1.1-docs

* commit 'f634d6a2':
  docs: Added details about key/signature for IAB/Licensing docs. Bugs: 8338447
parents 1e8d22cc f634d6a2

docs/html/google/play/billing/billing_integrate.jd

+29 −0
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ parent.link=index.html 
       <li><a href="#Subs">Implementing Subscriptions</a><li>

       </ol>

    </li>

    <li><a href="#billing-security">Securing Your App</a>

  </ol>

  <h2>Reference</h2>

  <ol>
@@ -361,6 +362,34 @@ Bundle activeSubs = mService.getPurchases(3, "com.example.myapp", 
the user. Once a subscription expires without renewal, it will no longer appear 

in the returned {@code Bundle}.</p>



<h2 id="billing-security">Securing Your Application</h2>



<p>To help ensure the integrity of the transaction information that is sent to 

your application, Google Play signs the JSON string that contains the response 

data for a purchase order. Google Play uses the private key that is associated 

with your application in the Developer Console to create this signature. The 

Developer Console generates an RSA key pair for each application.<p>



<p class="note"><strong>Note:</strong>To find the public key portion of this key 

pair, open your application's details in the Developer Console, then click on 

<strong>Services & APIs</strong>, and look at the field titled 

<strong>Your License Key for This Application</strong>.</p>



<p>The Base64-encoded RSA public key generated by Google Play is in binary 

encoded, X.509 subjectPublicKeyInfo DER SEQUENCE format. It is the same public 

key that is used with Google Play licensing.</p>



<p>When your application receives this signed response you can 

use the public key portion of your RSA key pair to verify the signature. 

By performing signature verification you can detect responses that have 

been tampered with or that have been spoofed. You can perform this signature 

verification step in your application; however, if your application connects 

to a secure remote server then we recommend that you perform the signature 

verification on that server.</p>



<p>For more information about best practices for security and design, see <a

href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p>

docs/html/google/play/billing/billing_reference.jd

+3 −1
Original line number Diff line number Diff line
@@ -143,7 +143,9 @@ does not include tax.</td> 
  </tr>

  <tr>

    <td>{@code INAPP_DATA_SIGNATURE}</td>

    <td>String containing the signature of the purchase data that was signed with the private key of the developer.</td>

    <td>String containing the signature of the purchase data that was signed 

with the private key of the developer. The data signature uses the 

RSASSA-PKCS1-v1_5 scheme.</td>

  </tr>

</table>

</p>

docs/html/google/play/licensing/adding-licensing.jd

+16 −24
Original line number Diff line number Diff line
@@ -853,37 +853,39 @@ sample application calls <code>checkAccess()</code> from a 


<h3 id="account-key">Embed your public key for licensing</h3>



<p>For each publisher account, the Google Play service automatically

generates a  2048-bit RSA public/private key pair that is used exclusively for

licensing. The key pair is uniquely associated with the publisher account and is

shared across all applications that are published through the account. Although

associated with a publisher account, the key pair is <em>not</em> the same as

the key that you use to sign your applications (or derived from it).</p>

<p>For each application, the Google Play service automatically

generates a  2048-bit RSA public/private key pair that is used for 

licensing and in-app billing. The key pair is uniquely associated with the 

application. Although associated with the application, the key pair is 

<em>not</em> the same as the key that you use to sign your applications (or derived from it).</p>



<p>The Google Play Developer Console exposes the public key for licensing to any

developer signed in to the publisher account, but it keeps the private key

developer signed in to the Developer Console, but it keeps the private key

hidden from all users in a secure location. When an application requests a

license check for an application published in your account, the licensing server

signs the license response using the private key of your account's key pair.

signs the license response using the private key of your application's key pair.

When the LVL receives the response, it uses the public key provided by the

application to verify the signature of the license response. </p>



<p>To add licensing to an application, you must obtain your publisher account's

<p>To add licensing to an application, you must obtain your application's

public key for licensing and copy it into your application. Here's how to find

your account's public key for licensing:</p>

your application's public key for licensing:</p>



<ol>

<li>Go to the Google Play <a

href="http://play.google.com/apps/publish">Developer Console</a> and sign in.

Make sure that you sign in to the account from which the application you are

licensing is published (or will be published). </li>

<li>In the account home page, locate the "Edit profile" link and click it. </li>

<li>In the Edit Profile page, locate the "Licensing" pane, shown below. Your

public key for licensing is given in the "Public key" text box. </li>

<li>In the application details page, locate the <strong>Services & APIs</strong> 

link and click it. </li>

<li>In the <strong>Services & APIs</strong> page, locate the 

<strong>Licensing & In-App Billing</strong> section. Your public key for 

licensing is given in the 

<strong>Your License Key For This Application</strong> field. </li>

</ol>



<p>To add the public key to your application, simply copy/paste the key string

from the text box into your application as the value of the String variable

from the field into your application as the value of the String variable

<code>BASE64_PUBLIC_KEY</code>. When you are copying, make sure that you have

selected the entire key string, without omitting any characters. </p>
@@ -965,16 +967,6 @@ application that they have legitimately purchased on another device.</li> 
</ul>

</div>























<h2 id="app-obfuscation">Obfuscating Your Code</h2>



<p>To ensure the security of your application, particularly for a paid

docs/html/google/play/licensing/index.jd

+1 −1
Original line number Diff line number Diff line
@@ -16,7 +16,7 @@ restrict use of the application to a specific device, in addition to any other c 


<p>The licensing service is a secure means of controlling access to your applications. When an

application checks the licensing status, the Google Play server signs the licensing status

response using a key pair that is uniquely associated with the publisher account. Your application

response using a key pair that is uniquely associated with the application. Your application

stores the public key in its compiled <code>.apk</code> file and uses it to verify the licensing

status response.</p>

docs/html/google/play/licensing/licensing-reference.jd

+1 −1
Original line number Diff line number Diff line
@@ -186,7 +186,7 @@ licensing server, possibly because of network availability problems. </td> 
</tr>

<tr>

<td>{@code ERROR_SERVER_FAILURE}</td>

<td>Server error &mdash; the server could not load the publisher account's key

<td>Server error &mdash; the server could not load the application's key

pair for licensing.</td>

<td>No</td>

<td></td>