Google Play In-App Billing Server Purchase Verification


My current project, PrēmoFM, will feature In-App Billing.  I’ve successfully implemented Google Play In-App Billing v3, leaning a lot on the demo available at developer.android.com.  One major drawback of the example provided is on-device purchase verification (Google themselves recommend against on-device purchase verification).  No matter how hard you try, Android apps are easily reverse engineered, allowing hackers to compromise your purchase verification logic.  They could spoof purchase interactions and gain access to IAB-protected content and features for free.

I implemented my purchase verification using my Node.js-based API server.  When purchase data is returned from Google Play, I send it to my API server for immediate verification.  Once it’s been verified (or not), a response is sent back to the app, unlocking the content or feature.  Here is, more or less, how I verify purchases in Node.js.  It uses the Node.js crypto library.