In-App purchases (IAP) and securing offline game play

Decoding a requestReceipts() response looks like the following:

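public void onSuccess(String receiptResponse) {
   try {
      // Parse the raw response, then decrypt it with the game's public key
      JSONObject response = new JSONObject(receiptResponse);
      receipts = helper.decryptReceiptResponse(response, Config.getInstance().publicKey);
   } catch (Exception e) {
      // Malformed JSON or a failed decryption: there are no receipts to validate
      return;
   }
   for (Receipt r : receipts) {
      // Validate the game was purchased
   }
}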

For offline game play it would be advantageous to save the String 'receiptResponse' in a local file which could be loaded and passed to decryptReceiptResponse() when network connectivity is unavailable. Together with the public key provided, this provides decent protection against pirates modifying the local file. However, if the receipts response does not tie the receipts to a particular user or console, then simply copying the local file to another Ouya console would allow anyone with the file full access to the game without payment.

Does the requestReceipts() response include user-specific information, and does decryptReceiptResponse() validate that the response data is only valid for the currently logged-in Ouya user or console?
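
The binding check the question asks about, as an added example that is not part of the original post or of the OUYA SDK: a cached receipt is accepted offline only if its signature verifies and the signed payload names the current gamer. The `productId|gamerId` payload layout, the class and method names, and the RSA signature standing in for the store's protection are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class OfflineReceiptCheck {
    // Hypothetical cached record: payload "productId|gamerId" plus the store's signature over it.
    static final class CachedReceipt {
        final byte[] payload, signature;
        CachedReceipt(byte[] payload, byte[] signature) { this.payload = payload; this.signature = signature; }
    }

    // Accept only if the signature verifies AND the signed payload names this product and this gamer.
    static boolean isValidFor(CachedReceipt r, PublicKey storeKey, String productId, String currentGamerId)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(storeKey);
        v.update(r.payload);
        if (!v.verify(r.signature)) return false; // local file was modified
        String[] f = new String(r.payload, StandardCharsets.UTF_8).split("\\|", -1);
        // Without the gamer comparison, a copied file would pass on any console.
        return f.length == 2 && f[0].equals(productId) && f[1].equals(currentGamerId);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair standing in for the store's signing key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair store = g.generateKeyPair();

        // Constructed receipt issued to gamer-A.
        byte[] payload = "full_game|gamer-A".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(store.getPrivate());
        s.update(payload);
        CachedReceipt cached = new CachedReceipt(payload, s.sign());

        // Case 1: the purchaser loads the cached file on their own console.
        System.out.println(isValidFor(cached, store.getPublic(), "full_game", "gamer-A"));
        // Case 2: the same file copied to a console where gamer-B is logged in.
        System.out.println(isValidFor(cached, store.getPublic(), "full_game", "gamer-B"));
        // Case 3: the copied file edited to name gamer-B, keeping the old signature.
        byte[] edited = "full_game|gamer-B".getBytes(StandardCharsets.UTF_8);
        CachedReceipt forged = new CachedReceipt(edited, cached.signature);
        System.out.println(isValidFor(forged, store.getPublic(), "full_game", "gamer-B"));
    }
}
```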

Comments

  • Bubblezap Posts: 3 Member
    After some experimentation, it appears either 'receiptResponse' does NOT include user-specific information or decryptReceiptResponse() fails to validate this information. Can we get some input from Ouya on this?
    1. Does Ouya have plans to make offline receipt validation simpler?
    2. Are there currently any methods of validating receipts offline in a secure manner?
    According to this link http://www.reddit.com/r/ouya/comments/1hco8t/took_my_ouya_to_a_major_fighting_game_tournament/ TowerFall allows for offline validation, and the developer indicated he was in communication with Ouya on how to properly implement this. Is there some insight Ouya or the developer might share? Thanks