YES, I read all the docs at developer.android.com, and I understand everything with one major exception: what was it introduced for?
Since all responses to requests from Google Play are signed with a private key that is inaccessible to the user and checked with a pair of public keys (in my case, on an external server, therefore it is also inaccessible to a third party), it is (almost) impossible to cheat in any way.
All of these nonces are just a redundant way to secure purchases. Moreover, the docs say nothing about the situation where:
- I buy an item;
- I create a nonce and send it to Google Play;
- There is a crash, so all of my stored nonces are lost;
- My application restarts and receives a callback from Google Play;
- ... and rejects that callback because it does not recognize the nonce!
In the situation described above, the user pays for the item and never receives it, which is a shame. Of course, I can store the nonces in some kind of file and re-read it when my application restarts, but that violates all principles of nonces.
IMHO, someone just said: "Hey, the verification process is too simple, let's add something random to it, it will be even greater!". So someone did.
Or could you open my mind to some other scenario? Otherwise I will remove the nonce part from my code.
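The restart scenario in the question, reproduced as an added example (not code from the question or from Google Play's billing library): a nonce held only in memory is lost on a crash, so the legitimate callback is rejected, while a single-use nonce store persisted to a file survives the restart and still rejects replays, unknown nonces and stale nonces. The store, its file layout, the one-hour lifetime and the simulated timestamps are all constructed for this illustration; the Play response verification itself is not modelled here.

```python
import json
import os
import secrets
import tempfile
import time


class NonceStore:
    """Single-use nonce store persisted to a JSON file so that nonces issued
    before a crash are still known after the application restarts.
    (Constructed example; the file layout is an assumption.)"""

    def __init__(self, path, ttl_seconds=3600):
        self.path = path
        self.ttl = ttl_seconds
        self._pending = self._load()  # nonce -> issue timestamp

    def _load(self):
        if not os.path.exists(self.path):
            return {}
        with open(self.path) as f:
            return json.load(f)

    def _save(self):
        # Write to a temp file and rename so a crash mid-write never corrupts the store.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self._pending, f)
        os.replace(tmp, self.path)

    def issue(self, now=None):
        """Create an unpredictable nonce, record it on disk, return it for the request."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._pending[nonce] = now
        self._save()
        return nonce

    def consume(self, nonce, now=None):
        """Accept a nonce exactly once: it must have been issued by us and must be fresh."""
        now = time.time() if now is None else now
        issued = self._pending.pop(nonce, None)
        if issued is None:
            return False  # never issued, or already used (replay)
        self._save()  # removed before the result is acted on, so a replay cannot race
        return (now - issued) <= self.ttl


def in_memory_only_after_restart():
    """The failure mode from the question: the nonce set lives only in memory."""
    pending = {secrets.token_hex(16)}
    nonce = next(iter(pending))
    pending = set()  # process restarts; nothing is reloaded
    return nonce in pending  # the genuine callback is rejected


def simulate_restart_scenario(tmpdir=None):
    """Walk through the question's steps with a persisted store and return each outcome."""
    tmpdir = tempfile.mkdtemp() if tmpdir is None else tmpdir
    path = os.path.join(tmpdir, "nonces.json")
    store = NonceStore(path)
    nonce = store.issue(now=1000.0)      # nonce sent along with the purchase request
    del store                            # crash: in-memory state is gone
    store = NonceStore(path)             # restart: store reloaded from disk
    results = {
        "after_restart": store.consume(nonce, now=1005.0),  # genuine callback accepted
        "replay": store.consume(nonce, now=1006.0),         # same nonce again: rejected
        "unknown": store.consume("00" * 16, now=1006.0),    # never issued: rejected
    }
    stale = store.issue(now=1000.0)
    results["expired"] = store.consume(stale, now=1000.0 + 2 * 3600)  # older than TTL
    return results


if __name__ == "__main__":
    print("in-memory only, after restart:", in_memory_only_after_restart())
    print(simulate_restart_scenario())
```

Persisting the issued nonces does not weaken them: each one is still unpredictable and accepted at most once, which is what makes a replayed signed response useless; the file only ensures the set of outstanding nonces survives the process.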