Android InApp Billing - what are really nonces for?

Question

YES, I\'ve read all the docs @ developer.android.com and I do understand it all with one basic exception - what it was introduced for.

Since all order responses from Goo

Answer 1

You don't need to store the nonce 'to disk' to account for an app crash.

When your app crashes yes you will lose your list of known nonces. However when your app restarts and you receive an IN_APP_NOTIFY you then have to do another GET_PURCHASE_INFORMATION when you do this GET_PURCHASE_INFORMATION you will generate a new nonce and add it to the list known nonces.

What you have to remember is the nonce is one per GET_PURCHASE_INFORMATION (which returns you multiple purchased items) not one nonce per item that is bought.

AS you've said you've implemented your own way to avoid Replay Attacks, but using a nonce is once such secure method