Google Developers 指南引用的示例应用程序有一个在类中调用的方法,如下所示:verifyValidSignature()BillingManager
/**
* Verifies that the purchase was signed correctly for this developer's public key.
*
* Note: It's strongly recommended to perform such check on your backend since hackers can
* replace this method with "constant true" if they decompile/rebuild your app.
*/
private boolean verifyValidSignature(String signedData, String signature) {
try {
return Security.verifyPurchase(BASE_64_ENCODED_PUBLIC_KEY, signedData, signature);
} catch (IOException e) {
Log.e(TAG, "Got an exception trying to validate a purchase: " + e);
return false;
}
}
“在您的后端执行此类检查”究竟是什么意思?什么后台?
从此方法调用此方法(也在 中BillingManager):
private void handlePurchase(Purchase purchase) {
if (!verifyValidSignature(purchase.getOriginalJson(), purchase.getSignature())) {
Log.i(TAG, "Got a purchase: " + purchase + "; but signature is bad. Skipping...");
return;
}
Log.d(TAG, "Got a verified purchase: " + purchase);
mPurchases.add(purchase);
}
我真的不明白我应该在所说的后端做什么,那就是阻止攻击者简单地删除
if (!verifyValidSignature(purchase.getOriginalJson(), purchase.getSignature())) {
Log.i(TAG, "Got a purchase: " + purchase + "; but signature is bad. Skipping...");
return;
}
就像用JavaDoc for warns替换verifyValidSignature() “constant true”一样容易。verifyValidSignature()
我将如何阻止攻击者反编译我的应用程序并替换某些内容以绕过我的应用内购买检查?