sample app引用的the Google Developers guide有一个名为verifyValidSignature()的方法,在BillingManager类中显示如下:
/**
* Verifies that the purchase was signed correctly for this developer's public key.
*
* Note: It's strongly recommended to perform such check on your backend since hackers can
* replace this method with "constant true" if they decompile/rebuild your app.
*/
private boolean verifyValidSignature(String signedData, String signature) {
try {
return Security.verifyPurchase(BASE_64_ENCODED_PUBLIC_KEY, signedData, signature);
} catch (IOException e) {
Log.e(TAG, "Got an exception trying to validate a purchase: " + e);
return false;
}
}
“对您的后端执行此类检查”究竟是什么意思?后端是什么?
此方法从此方法调用(也在BillingManager中):
private void handlePurchase(Purchase purchase) {
if (!verifyValidSignature(purchase.getOriginalJson(), purchase.getSignature())) {
Log.i(TAG, "Got a purchase: " + purchase + "; but signature is bad. Skipping...");
return;
}
Log.d(TAG, "Got a verified purchase: " + purchase);
mPurchases.add(purchase);
}
我真的不明白我应该对所说的后端做什么,就是阻止攻击者简单地移除
if (!verifyValidSignature(purchase.getOriginalJson(), purchase.getSignature())) {
Log.i(TAG, "Got a purchase: " + purchase + "; but signature is bad. Skipping...");
return;
}
与verifyValidSignature()的JavaDoc警告一样轻松,将verifyValidSignature() 替换为“常量真实”。
如何阻止攻击者反编译我的应用并替换某些内容以绕过我的应用内购买检查?