Faking a signed string for Google Android In-App purchase
العربية
български
català
中文
čeština
dansk
Nederlands
eesti
suomi
français
Deutsch
Ελληνικά
עברית
हिंदी
magyar
Bahasa Indonesia
italiano
日本語
한국어
latviešu
lietuvių
norsk
polski
Português
română
русский
slovenčina
slovenski
español
svenska
ไทย
Türkçe
українська
Tiếng Việt
I am verifying a signed string from Android inapp purchases, I know enough to have written a server based independent verification to check that the string is signed with my public key and the private key sent in the JSON response, thats fine. Where my knowledge is lacking, wouldn't it be possible for people, if they have access to my public key, to be able to sign a string with a private key and send a response to my external server, which would successfully validate?
I am probably missing something, but on my iPhone app I contact Apple, they contact the app back, I contact my server with apples response, it contacts apple and independantly verifies the response, I do the same for my WP7 app with PayPal, with Google, I am not connecting to Google to verify the string, I am just checking the string is signed with my Keys, is this truly enough?
Thanks
Answer |
In short, no. You can read up on RSA if you have the time, but the whole point of asymmetric algorithms (where the key you encrypt/sign is different from the one you decrypt/verify with), is that is practically impossible to figure out the other half of the key if you only have one. Thus, if someone has your public key, you can be pretty sure they cannot produce the private one. Alternatively, if they just generate a new key, when you verify the signature, you will get a verification error.
If your nonces are truly random and really only used once, they cannot replay the same message either, so you should be reasonably safe. (assuming there are no implementation problems)
What you should be more worried about is people using bytecode patching tools to bypass the whole validation process and just return true from the isLicensed() method.