Android In-App billing security issues?

Submitted by 不羁的心 on 2020-01-03 05:06:55

Question


During our efforts to design In-App Billing for our Android app, we came up with the following scenario:

  1. Customer has rooted/manipulatable device (so Market app + my app can't be trusted)
  2. Customer purchases a product
  3. Purchase state 0 (purchased) is sent to our backoffice (all is checked and ok), we give credits.
  4. Customer refunds that purchase
  5. Customer has manipulated our app or the market app to locally confirm the refund and thereby prevent the refund notification from reaching our backoffice server.

Is this scenario possible? How can we fix this?


Answer 1:


First: if the user asks for a refund, you also receive an email.

Second: purchases made through in-app billing are not refundable directly by the user. If a user wants a refund, he must contact you, and then you can proceed manually to refund with your Google Wallet account.

So I think that your scenario never happens.

Secondly, if possible, I suggest you use managed purchases; in that case, if the user asks for a refund, Google Market will remember it, and you can use a RESTORE_TRANSACTION to check if some refunds occurred (but again: you must grant a refund).



Source: https://stackoverflow.com/questions/11190856/android-in-app-billing-security-issues
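
One way a backoffice could act on the refund state that a RESTORE_TRANSACTION response reports, as the answer above suggests. This is an added example, not code from the original post: the JSON field names, the state values 1 and 2, and the names `CreditLedger` and `reconcile` are assumptions, and the response signature is assumed to have been verified before `reconcile` is called.

```python
import json

# purchaseState values: 0 is named on the page; 1 and 2 are assumed here.
PURCHASED, CANCELED, REFUNDED = 0, 1, 2


class CreditLedger:
    """Backoffice record of orders and the credits they currently grant."""

    def __init__(self, credits_per_product):
        self.credits_per_product = credits_per_product
        self.state = {}      # orderId -> last accepted purchaseState
        self.balance = 0

    def apply(self, order):
        """Apply one order record; return the credit delta (0 on replays)."""
        order_id, state = order["orderId"], order["purchaseState"]
        credits = self.credits_per_product[order["productId"]]
        if state not in (PURCHASED, CANCELED, REFUNDED):
            raise ValueError(f"unknown purchaseState {state!r}")
        previous = self.state.get(order_id)
        if previous == state or previous in (CANCELED, REFUNDED):
            return 0         # duplicate, or already revoked: never re-grant
        self.state[order_id] = state
        if state == PURCHASED:
            delta = credits
        else:
            # Revoke only what was actually granted for this order.
            delta = -credits if previous == PURCHASED else 0
        self.balance += delta
        return delta


def reconcile(ledger, verified_json, expected_nonce):
    """Process an order list whose signature was already verified upstream."""
    data = json.loads(verified_json)
    if data.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: stale or replayed response")
    return {o["orderId"]: ledger.apply(o) for o in data["orders"]}


# Constructed sample data, not real orders.
SAMPLE_PURCHASE = json.dumps({"nonce": 111, "orders": [
    {"orderId": "order-A", "productId": "credits_100", "purchaseState": PURCHASED}]})
SAMPLE_RESTORE = json.dumps({"nonce": 222, "orders": [
    {"orderId": "order-A", "productId": "credits_100", "purchaseState": REFUNDED}]})
```

Treating a revoked order as terminal means a purchase record replayed after the refund cannot restore the credits.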
