public class Security
Security-related methods. For a secure implementation, all of this code should be implemented on a server that communicates with the application on the device.
Field Summary
Fields
Modifier and Type | Field | Description
private final String | BASE_64_ENCODED_PUBLIC_KEY |
public final static Security | INSTANCE |
Method Summary
Modifier and Type | Method | Description
final Boolean | verifyPurchase(String base64PublicKey, String signedData, String signature) | Verifies that the data was signed with the given signature
final String | getBASE_64_ENCODED_PUBLIC_KEY() | BASE_64_ENCODED_PUBLIC_KEY should be YOUR APPLICATION'S PUBLIC KEY (that you got from the Google Play developer console, usually under Services & APIs tab).
Method Detail
verifyPurchase
final Boolean verifyPurchase(String base64PublicKey, String signedData, String signature)
Verifies that the data was signed with the given signature
Parameters:
base64PublicKey - the base64-encoded public key to use for verifying.
signedData - the signed JSON string (signed, not encrypted)
signature - the signature for the data, signed with the private key
getBASE_64_ENCODED_PUBLIC_KEY
final String getBASE_64_ENCODED_PUBLIC_KEY()
BASE_64_ENCODED_PUBLIC_KEY should be YOUR APPLICATION'S PUBLIC KEY (that you got from the Google Play developer console, usually under Services & APIs tab). This is not your developer public key, it's the app-specific public key.
Just like everything else in this class, this public key should be kept on your server. But if you don't have a server, then you should obfuscate your app so that hackers cannot get it. If you cannot afford a sophisticated obfuscator, instead of just storing the entire literal string here embedded in the program, construct the key at runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the actual key. The key itself is not secret information, but we don't want to make it easy for an attacker to replace the public key with one of their own and then fake messages from the server.
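The check that verifyPurchase describes, as an added Java example (not this class's own source), runnable on a server JVM. It assumes the signature algorithm is SHA1withRSA and the public key is X.509-encoded RSA; the class name, the sign helper, the generated key pairs and the purchase JSON are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class VerifyPurchaseExample {
    // Assumption: purchase data is signed with RSA over a SHA-1 digest.
    static final String ALGORITHM = "SHA1withRSA";

    static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
        if (base64PublicKey == null || signedData == null || signature == null) {
            return false; // fail closed on missing input
        }
        try {
            byte[] keyBytes = Base64.getDecoder().decode(base64PublicKey);
            PublicKey key = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(keyBytes));
            Signature verifier = Signature.getInstance(ALGORITHM);
            verifier.initVerify(key);
            verifier.update(signedData.getBytes(StandardCharsets.UTF_8));
            return verifier.verify(Base64.getDecoder().decode(signature));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed key, bad base64 or badly encoded signature
        }
    }

    // Demo helper standing in for the signer; a real deployment never holds this key.
    static String sign(PrivateKey key, String data) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(key);
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair trusted = gen.generateKeyPair();   // stands in for the app-specific key pair
        KeyPair untrusted = gen.generateKeyPair(); // a key the verifier does not pin
        String pinnedKey = Base64.getEncoder().encodeToString(trusted.getPublic().getEncoded());
        // Constructed sample purchase JSON, not real Play data.
        String data = "{\"orderId\":\"SAMPLE-0001\",\"productId\":\"sample.item\"}";
        String goodSig = sign(trusted.getPrivate(), data);
        System.out.println("valid: " + verifyPurchase(pinnedKey, data, goodSig));
        System.out.println("tampered data: " + verifyPurchase(pinnedKey, data.replace("sample.item", "other.item"), goodSig));
        System.out.println("untrusted signer: " + verifyPurchase(pinnedKey, data, sign(untrusted.getPrivate(), data)));
        System.out.println("malformed signature: " + verifyPurchase(pinnedKey, data, "not base64!"));
    }
}
```

Only the first call is accepted. The "untrusted signer" case is why the pinned key's integrity matters: the check is only as trustworthy as the public key it is given.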