At SpeakingPal we offer our apps for free, and provide customers ways to extend content availability via in-app purchase.

In our case, in-app purchase is built from two parts: the first is the client's integration with the device's store service (the App Store on iOS, the Market on Android); the second is server-side verification of the in-app receipt, so that a tampered client app cannot grant itself content.

Client-side code samples are in abundance and usually very well documented (well, of course, the OS vendor wants to get paid, no?). But the other side, the server side, is poorly documented and lacks samples, although it is considered a best practice.


The Android developer site recommends doing in-app verification on the server as the safer option, but provides no code sample.
Google's method of in-app verification is digital signature verification: you provide a nonce, and the Market hands back a receipt that carries that nonce together with an RSA-SHA1 signature over that text. The signing key is tied to your Market developer console, which shows you the matching public key. With that public key, the signed receipt and the signature, you can verify that the receipt is genuine, that is, produced by the Market service and not altered since.

Verifying an RSA-SHA1 signature in PHP takes only a few lines, but it is easy to get wrong: the console's key must be wrapped in PEM armor before OpenSSL will load it, and openssl_verify returns -1 on error as well as 0 on a bad signature, so only a return value of 1 means success. Here is working code:


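An added example, not the post's own PHP snippet, that does the whole server-side check: it loads the console's public key, verifies the RSA-SHA1 signature with openssl_verify, then checks the nonce and the order fields. It assumes the in-app billing v1 receipt shape (JSON with a nonce and an orders list, purchaseState 0 meaning purchased); the key pair, package name, product id and order are constructed for the demo so it runs offline, with the script itself playing the Market's signing role.

```php
<?php
// Added example (not the post's own snippet): verify an Android Market signed receipt.
// Assumptions: the signed data is the Market's JSON with "nonce" and "orders" fields,
// purchaseState 0 = purchased, and the console shows the public key as bare base64.
declare(strict_types=1);

// Wrap the bare base64 key from the developer console in PEM armor so OpenSSL can load it.
function marketPublicKeyToPem(string $base64Key): string
{
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split($base64Key, 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// True only for a valid RSA-SHA1 signature over the exact bytes of $signedData.
function verifyMarketSignature(string $signedData, string $signature, string $publicKeyPem): bool
{
    $rawSig = base64_decode($signature, true);          // strict: reject anything that is not base64
    if ($rawSig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        throw new RuntimeException('cannot load public key: ' . openssl_error_string());
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); anything but 1 is a failure.
    return openssl_verify($signedData, $rawSig, $key, OPENSSL_ALGO_SHA1) === 1;
}

// Signature first, then the nonce we issued (consumed on use, so a receipt cannot be replayed),
// then the orders themselves. Returns the orders that unlock content for $expectedPackage.
function verifyMarketReceipt(string $signedData, string $signature, string $publicKeyPem,
                             array &$issuedNonces, string $expectedPackage): array
{
    if (!verifyMarketSignature($signedData, $signature, $publicKeyPem)) {
        throw new RuntimeException('bad signature');
    }
    $receipt = json_decode($signedData, true, 512, JSON_THROW_ON_ERROR);
    $nonce = (string) ($receipt['nonce'] ?? '');
    if ($nonce === '' || !isset($issuedNonces[$nonce])) {
        throw new RuntimeException('unknown or reused nonce');
    }
    unset($issuedNonces[$nonce]);                        // single use
    $valid = [];
    foreach ($receipt['orders'] ?? [] as $order) {
        if (($order['packageName'] ?? '') !== $expectedPackage) {
            continue;                                    // signed, but for some other app
        }
        if (($order['purchaseState'] ?? -1) !== 0) {
            continue;                                    // 1 = cancelled, 2 = refunded
        }
        $valid[] = $order;                               // caller must still dedupe on orderId
    }
    return $valid;
}

// --- Constructed demo: play the Market's role with a throwaway key pair ---
$keyPair    = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem  = openssl_pkey_get_details($keyPair)['key'];
$consoleKey = preg_replace('/-----[^-]+-----|\s+/', '', $publicPem);  // bare base64, as the console shows it

$issued = [];
$nonce  = bin2hex(random_bytes(16));                     // handed to the client before the purchase
$issued[$nonce] = time();

$signedData = json_encode(['nonce' => $nonce, 'orders' => [[   // constructed order, not a real one
    'orderId' => 'order-0001', 'packageName' => 'com.example.app', 'productId' => 'lesson_pack_1',
    'purchaseTime' => 1300000000000, 'purchaseState' => 0,
]]]);
openssl_sign($signedData, $rawSig, $keyPair, OPENSSL_ALGO_SHA1);
$signature = base64_encode($rawSig);

$pem = marketPublicKeyToPem($consoleKey);
print_r(verifyMarketReceipt($signedData, $signature, $pem, $issued, 'com.example.app'));

try {   // same receipt again: signature is fine, but the nonce was consumed
    verifyMarketReceipt($signedData, $signature, $pem, $issued, 'com.example.app');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
$tampered = str_replace('lesson_pack_1', 'lesson_pack_9', $signedData);
try {   // altered receipt: the signature no longer matches the bytes
    verifyMarketReceipt($tampered, $signature, $pem, $issued, 'com.example.app');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Two things the signature alone does not give you: a valid receipt can be presented twice, and a valid receipt for a cheaper product can be presented when unlocking an expensive one. Consuming the nonce closes the first; comparing productId inside the signed data (and storing orderId to refuse duplicates) closes the second. Never compare against values the client sends alongside the receipt, only against fields covered by the signature.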
Apple went a different way; verifying an App Store receipt means asking iTunes' servers whether the receipt is real: after the in-app purchase completes, the device's App Store service gives you a base64-encoded receipt, which you POST to iTunes' servers, and you get back a JSON response stating whether the receipt is valid. Here's a snippet:


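An added example, not the post's own snippet, of the round trip in PHP: POST the receipt to iTunes, fall back to the sandbox host on status 21007, and then decide from the JSON alone. The constructed replies at the end are not captured from Apple; the field names bid, product_id and transaction_id are those of the per-transaction receipt format and are an assumption of the example, as are the bundle and product ids.

```php
<?php
// Added example (not the post's own snippet): App Store receipt verification against iTunes.
// Assumption: the reply uses the per-transaction receipt fields bid, product_id, transaction_id.
declare(strict_types=1);

const APPLE_VERIFY_PROD    = 'https://buy.itunes.apple.com/verifyReceipt';
const APPLE_VERIFY_SANDBOX = 'https://sandbox.itunes.apple.com/verifyReceipt';

// POST the base64 receipt to iTunes and return the decoded JSON reply (network call).
function askItunes(string $base64Receipt, string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode(['receipt-data' => $base64Receipt]),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off: a MITM could answer "status":0
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("iTunes request failed: $err");
    }
    curl_close($ch);
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Production first; status 21007 means "this is a sandbox receipt", so retry against the
// sandbox host (App Review tests your build with sandbox receipts).
function verifyAppStoreReceipt(string $base64Receipt, string $bundleId, string $productId): array
{
    $reply = askItunes($base64Receipt, APPLE_VERIFY_PROD);
    if (($reply['status'] ?? -1) === 21007) {
        $reply = askItunes($base64Receipt, APPLE_VERIFY_SANDBOX);
    }
    return checkItunesReply($reply, $bundleId, $productId);
}

// Decide from the JSON reply alone. status 0 is the only success code, and the receipt must
// be for our bundle and for the product being unlocked; otherwise a receipt for a cheaper
// item, or for another app entirely, could be presented here.
function checkItunesReply(array $reply, string $bundleId, string $productId): array
{
    if (($reply['status'] ?? -1) !== 0) {
        throw new RuntimeException('receipt rejected, status ' . ($reply['status'] ?? 'missing'));
    }
    $r = $reply['receipt'] ?? [];
    if (($r['bid'] ?? '') !== $bundleId) {
        throw new RuntimeException('receipt is for another app');
    }
    if (($r['product_id'] ?? '') !== $productId) {
        throw new RuntimeException('receipt is for another product');
    }
    if (empty($r['transaction_id'])) {
        throw new RuntimeException('no transaction id');
    }
    // The caller stores transaction_id and refuses a second unlock with the same one.
    return ['transaction_id' => (string) $r['transaction_id'], 'product_id' => $productId];
}

// Constructed sample replies (not captured from Apple) to exercise the decision logic offline.
$ok = ['status' => 0, 'receipt' => ['bid' => 'com.example.app', 'product_id' => 'lesson_pack_1',
                                    'transaction_id' => '1000000000000001']];
$otherApp = ['status' => 0, 'receipt' => ['bid' => 'com.example.other', 'product_id' => 'lesson_pack_1',
                                          'transaction_id' => '1000000000000002']];
$expired = ['status' => 21010];
print_r(checkItunesReply($ok, 'com.example.app', 'lesson_pack_1'));
foreach ([$otherApp, $expired] as $bad) {
    try {
        checkItunesReply($bad, 'com.example.app', 'lesson_pack_1');
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

A status-0 reply is still not enough by itself: check that the receipt names your bundle and the product actually being unlocked, keep TLS certificate verification on (the server's answer is the entire basis for the decision), and record transaction_id so the same receipt cannot unlock content twice. Apple has since deprecated verifyReceipt in favour of the App Store Server API, so new code should use that; the checks above carry over unchanged.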
PayPal actually provides all the information you need, in several programming languages, i.e., for IPN verification. I see no reason to paste snippets here.

