IAP

From the 0.06 IAP example code:
receipts = helper.decryptReceiptResponse(receiptResponse, APPLICATION_KEY);

The docs are old though, and describe 0.05 ODK:
receipts = helper.decryptReceiptResponse(receiptResponse);

And they mention:
 In the future, we will encourage developers to avoid using the decryptReceiptResponse method.

My questions:

When is the final iteration for IAP framework expected?
It's cutting too close to launch date.

Where can I find my application key?

   Bram

Comments

  • KonajuGames (Posts: 560, Member)
    To generate an application key, go to your developer portal and click "Games".  Start an upload, but don't add an apk.  This will generate an application key.
  • KonajuGames (Posts: 560, Member)
    I'm curious where exactly you found the documentation about avoiding the use of decryptReceiptResponse.  I can't find it in the javadoc or the IAP sample.  The javadocs in 0.0.6 aren't out of date and describe decryptReceiptResponse correctly with the application key parameter.
  • stolk (Posts: 119, Member)
    To generate an application key, go to your developer portal and click "Games".  Start an upload, but don't add an apk.  This will generate an application key.
    Is that the der.key file?
  • stolk (Posts: 119, Member)
    I'm curious where exactly you found the documentation about avoiding the use of decryptReceiptResponse.  I can't find it in the javadoc or the IAP sample.  The javadocs in 0.0.6 aren't out of date and describe decryptReceiptResponse correctly with the application key parameter.
    https://devs.ouya.tv/developers/docs/purchasing
  • KonajuGames (Posts: 560, Member)
    I believe it is the contents of the der.key file.  I used Hexplorer to save it in a manner suitable for inclusion in my code.

    Ok, so those docs say that we will be given a stock implementation of decryption and we will include the provided code in our own app so it is more difficult for a hacker to remove.  It will come in time.
  • stolk (Posts: 119, Member)
    edited February 2013
    To be clear: I just checked again, and today, still, the receipts are not encrypted, so the path to decryptReceiptResponse() is not used. Instead it is passed to parseJSONReceiptResponse() which does not do encryption.

    The FAQ at ouya.tv mentions that the backers will get their units in March.
    That's cutting it really close: APIs should have been finalized by now, so that rigorous QA can start.

    There is no guide on how to use the DER file. Doing a hexdump and using that as-is sounds sketchy to me. I'll be surprised if that works.
  • KonajuGames (Posts: 560, Member)
    The response I got started with the text "ENCRYPTED" followed by the "{" that the sample code looks for to flag it as not encrypted.  I find that strange, but we'll find out more soon enough.

    The key.der file is a binary blob.  The appKey parameter takes a byte array.  From previous experience using encryption keys, it is an educated guess.

    I have all faith in the team at OUYA Inc working as hard as they can to get the API finalized along with production of the device.  In a perfect world, sure the API might be finalized already.
  • goodhustle (Posts: 144, Member)
    From what I've seen the key isn't used yet. I'm sure we'll hear more about it soon, but in the end, a Server Product Model-style solution with a receipt validator endpoint will be a much more effective way to address potential cracking of the IAP flow.
    Beast Boxing Turbo - OUYA Launch Title!
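
Added example (not part of the thread and not OUYA's code): one way to turn the binary key.der discussed above into a Java byte[] literal for the application key parameter, refusing input that is not one complete DER object, such as a truncated file or a hex dump saved as text. It assumes the key file is a single DER SEQUENCE; the function names are hypothetical and SAMPLE_DER is constructed data, not a real key.

```python
import re

def der_outer_length(data: bytes) -> int:
    """Total size (header + content) of the outer DER SEQUENCE in data."""
    if len(data) < 2:
        raise ValueError("too short to be DER")
    if data[0] != 0x30:
        # A hex dump saved as text starts with ASCII digits, not 0x30.
        raise ValueError("expected SEQUENCE tag 0x30, got 0x%02x" % data[0])
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_key_blob(data: bytes) -> None:
    """Reject blobs that are truncated or carry trailing bytes."""
    total = der_outer_length(data)
    if total != len(data):
        raise ValueError("DER header says %d bytes, blob has %d" % (total, len(data)))

def to_java_byte_array(data: bytes, name: str = "APPLICATION_KEY") -> str:
    """Emit a Java literal; the (byte) cast is needed because Java bytes
    are signed and values 0x80..0xff do not fit without it."""
    check_key_blob(data)
    rows = ["    " + " ".join("(byte) 0x%02x," % b for b in data[i:i + 8])
            for i in range(0, len(data), 8)]
    return "private static final byte[] %s = {\n%s\n};" % (name, "\n".join(rows))

def parse_java_byte_array(src: str) -> bytes:
    """Read the literal back so the conversion can be verified byte for byte."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", src))

# Constructed sample: SEQUENCE with a long-form length of 0x84 filler bytes.
SAMPLE_DER = bytes([0x30, 0x81, 0x84]) + bytes(range(0x84))

if __name__ == "__main__":
    # With a real file: data = open("key.der", "rb").read()
    print(to_java_byte_array(SAMPLE_DER))
```

Reading the file in binary mode matters: any text-mode or editor round trip that alters bytes makes the length check fail.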