• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1page.title=Implementing In-app Billing <span style="font-size:16px;">(IAB Version 2)</span>
2excludeFromSuggestions=true
3@jd:body
4
5<p class="caution" style=
6"background-color:#fffdeb;width:100%;margin-bottom:1em;padding:.5em;">
7  The <strong>In-app Billing Version 2 API</strong> has been deprecated in
8  favor of the Version 3 API. If your app is using In-app Billing, please
9  <strong>make sure that it is using the Version 3 API</strong>. If your app is
10  still using the Version 2 API, you must <strong>migrate to the Version 3 API
11  as soon as possible</strong>.<br>
12  <br>
13  We plan to turn off the In-app Billing Version 2 service on <strong>January
14  27, 2015</strong>, after which time users will <strong>no longer be able to
15  purchase in-app items and subscriptions through the Version 2 API</strong>.
16  We strongly encourage and recommend you migrate your apps to use Version 3
17  API by November 2014, to provide ample time for users to update their apps to
18  the new version.<br>
19  <br>
20  For more information, please see the <a href=
21  "http://support.google.com/googleplay/android-developer/answer/6090268">Help Center
22  article</a>. For common questions about transitioning your implementation to
23  In-app Billing Version 3, please see <a href=
24  "{@docRoot}google/play/billing/billing_overview.html#migration">Migration
25  Considerations</a>.
26</p>
27    <div id="qv-wrapper" style="margin-top:0;">
28<div id="qv">
29  <h2>In this document</h2>
30  <ol>
31    <li><a href="#billing-download">Downloading the Sample</a></li>
32    <li><a href="#billing-add-aidl">Adding the AIDL file to your project</a></li>
33    <li><a href="#billing-permission">Updating Your Manifest</a></li>
34    <li><a href="#billing-service">Creating a Service</a></li>
35    <li><a href="#billing-broadcast-receiver">Creating a BroadcastReceiver</a></li>
36    <li><a href="#billing-security">Securing Your App</a></li>
37    <li><a href="#billing-implement">Modifying Your Application Code</a></li>
38  </ol>
39  <h2>Downloads</h2>
40  <ol>
41    <li><a href="#billing-download">Sample Application (V2)</a></li>
42  </ol>
43</div>
44</div>
45
46<p>This document helps you implement In-app Billing Version 2 by stepping through the primary
47implementation tasks, using the sample application as an example.</p>
48
49<p>Before you implement in-app billing in your own application, be sure that you read <a
50href="{@docRoot}google/play/billing/v2/api.html">Overview of In-app Billing Version 2</a> and <a
51href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>. These
52documents provide background information that will make it easier for you to implement in-app
53billing.</p>
54
55<p>To implement in-app billing in your application, you need to do the following:</p>
56<ol>
57  <li><a href="#billing-download">Download the in-app billing sample application</a>.</li>
58  <li><a href="#billing-add-aidl">Add the IMarketBillingService.aidl file</a> to your project.</li>
59  <li><a href="#billing-permission">Update your AndroidManifest.xml file</a>.</li>
60  <li><a href="#billing-service">Create a Service</a> and bind it to the
61  <code>MarketBillingService</code> so your application can send billing requests and receive
62  billing responses from Google Play.</li>
63  <li><a href="#billing-broadcast-receiver">Create a BroadcastReceiver</a> to handle broadcast
64  intents from Google Play.</li>
65  <li><a href="#billing-signatures">Create a security processing component</a> to verify the
66  integrity of the transaction messages that are sent by Google Play.</li>
67  <li><a href="#billing-implement">Modify your application code</a> to support in-app billing.</li>
68</ol>
69
70<h2 id="billing-download">Downloading the Sample Application</h2>
71
72<p>The in-app billing sample application shows you how to perform several tasks that are common to
73all in-app billing implementations, including:</p>
74
75<ul>
76  <li>Sending in-app billing requests to Google Play.</li>
77  <li>Handling synchronous responses from Google Play.</li>
78  <li>Handling broadcast intents (asynchronous responses) from Google Play.</li>
79  <li>Using in-app billing security mechanisms to verify the integrity of billing responses.</li>
80  <li>Creating a user interface that lets users select items for purchase.</li>
81</ul>
82
83<p>The sample application includes an application file (<code>Dungeons.java</code>), the AIDL file
84for the <code>MarketBillingService</code> (<code>IMarketBillingService.aidl</code>), and several
85classes that demonstrate in-app billing messaging. It also includes a class that demonstrates basic
86security tasks, such as signature verification.</p>
87
88<p>Table 1 lists the source files that are included with the sample application.</p>
89<p class="table-caption" id="source-files-table"><strong>Table 1.</strong> In-app billing sample
90application source files.</p>
91
92<table>
93<tr>
94<th>File</th>
95<th>Description</th>
96</tr>
97
98<tr>
99<td>IMarketBillingService.aidl</td>
100<td>Android Interface Definition Library (AIDL) file that defines the IPC interface to Google
101Play's in-app billing service (<code>MarketBillingService</code>).</td>
102</tr>
103
104<tr>
105<td>Dungeons.java</td>
106<td>Sample application file that provides a UI for making purchases and displaying purchase
107history.</td>
108</tr>
109
110<tr>
111<td>PurchaseDatabase.java</td>
112<td>A local database for storing purchase information.</td>
113</tr>
114
115<tr>
116  <td>BillingReceiver.java</td>
117  <td>A {@link android.content.BroadcastReceiver} that receives asynchronous response messages
118  (broadcast intents) from Google Play. Forwards all messages to the
119  <code>BillingService</code>.</td>
120</tr>
121<tr>
122  <td>BillingService.java</td>
123  <td>A {@link android.app.Service} that sends messages to Google Play on behalf of the
124  application by connecting (binding) to the <code>MarketBillingService</code>.</td>
125</tr>
126
127<tr>
128  <td>ResponseHandler.java</td>
129  <td>A {@link android.os.Handler} that contains methods for updating the purchases database and the
130  UI.</td>
131</tr>
132
133<tr>
134  <td>PurchaseObserver.java</td>
135  <td>An abstract class for observing changes related to purchases.</td>
136</tr>
137
138<tr>
139<td>Security.java</td>
140<td>Provides various security-related methods.</td>
141</tr>
142
143<tr>
144<td>Consts.java</td>
145<td>Defines various Google Play constants and sample application constants. All constants that
146are defined by Google Play must be defined the same way in your application.</td>
147</tr>
148
149<tr>
150<td>Base64.java and Base64DecoderException.java</td>
151<td>Provides conversion services from binary to Base64 encoding. The <code>Security</code> class
152relies on these utility classes.</td>
153</tr>
154
155</table>
156
157<p>The in-app billing sample application is available as a downloadable component of the Android
158SDK. To download the sample application component, launch the Android SDK Manager and then
159select the <strong>Google Market Billing package</strong> component (see figure 1), and click <strong>Install
160Selected</strong> to begin the download.</p>
161
162
163<img src="{@docRoot}images/billing_package.png" height="325" id="figure1" />
164<p class="img-caption">
165  <strong>Figure 1.</strong> The Google Market Billing package contains the sample application and
166  the AIDL file.
167</p>
168
169<p>When the download is complete, the Android SDK Manager saves the component into the
170following directory:</p>
171
172<p><code>&lt;sdk&gt;/extras/google/market_billing/</code></p>
173
174<p>If you want to see an end-to-end demonstration of in-app billing before you integrate in-app
175billing into your own application, you can build and run the sample application. Building and
176running the sample application involves three tasks:</p>
177
178<ul>
179  <li>Configuring and building the sample application.</li>
180  <li>Uploading the sample application to Google Play.</li>
181  <li>Setting up test accounts and running the sample application.</li>
182</ul>
183
184<p class="note"><strong>Note:</strong> Building and running the sample application is necessary only
185if you want to see a demonstration of in-app billing. If you do not want to run the sample
186application, you can skip to the next section, <a href="#billing-add-aidl">Adding the AIDL file to
187your project</a>.</p>
188
189<h3>Configuring and building the sample application</h3>
190
191<p>Before you can run the sample application, you need to configure it and build it by doing the
192following:</p>
193
194<ol>
195  <li><strong>Add your app's public key to the sample application code.</strong>
196    <p>This enables the application to verify the signature of the transaction information that is
197    returned from Google Play. To add your public key to the sample application code, do the
198    following:</p>
199    <ol>
200      <li>Log in to your Google Play <a href="http://play.google.com/apps/publish">Developer
201      console</a>.</li>
202      <li>On the upper left part of the page, All Applications, click the application name.</strong>.</li>
203      <li>On the Edit Profile page, scroll down to the <strong>Licensing &amp; In-app
204      Billing</strong> panel.</li>
205      <li>Copy your public key.</li>
206      <li>Open <code>src/com/example/dungeons/Security.java</code> in the editor of your choice.
207        <p>You can find this file in the sample application's project folder.</p>
208      </li>
209      <li>Add your public key to the following line of code:
210        <p><code>String base64EncodedPublicKey = "your public key here";</code></p>
211      </li>
212      <li>Save the file.</li>
213    </ol>
214  </li>
215  <li><strong>Change the package name of the sample application.</strong>
216    <p>The current package name is <code>com.example.dungeons</code>. Google Play does not let
217    you upload applications with package names that contain <code>com.example</code>, so you must
218    change the package name to something else.</p>
219  </li>
220  <li><strong>Build the sample application in release mode and sign it.</strong>
221    <p>To learn how to build and sign applications, see <a
222    href="{@docRoot}tools/building/index.html">Building and Running</a>.</p>
223  </li>
224</ol>
225
226<h3>Uploading the sample application</h3>
227
228<p>After you build a release version of the sample application and sign it, you need to upload it as
229a draft to the Google Play Developer Console. You also need to create a product list for the in-app
230items that are available for purchase in the sample application. The following instructions show you
231how to do this.</p>
232
233<p class="caution"><strong>Caution:</strong> Draft applications are no longer
234supported. To test an application, publish it in the <a
235href="{@docRoot}distribute/googleplay/developer-console.html#alpha-beta">alpha
236or beta channels</a>. For more information, see <a
237href="{@docRoot}google/play/billing/billing_testing.html#draft_apps">Draft Apps
238are No Longer Supported</a>.</p>
239
240<ol>
241  <li><strong>Upload the release version of the sample application to Google Play.</strong>
242    <p>Do not publish the sample application; leave it as an unpublished draft application. The
243    sample application is for demonstration purposes only and should not be made publicly available
244    on Google Play. To learn how to upload an application to Google Play, see <a
245    href="http://support.google.com/googleplay/android-developer/bin/answer.py?hl=en&answer=113469">Uploading
246    applications</a>.</p>
247  </li>
248  <li><strong>Create a product list for the sample application.</strong>
249    <p>The sample application lets you purchase two items: a two-handed sword
250    (<code>sword_001</code>) and a potion (<code>potion_001</code>). We recommend that you set up
251    your product list so that <code>sword_001</code> has a purchase type of "Managed per user
252    account" and <code>potion_001</code> has a purchase type of "Unmanaged" so you can see how these
253    two purchase types behave. To learn how to set up a product list, see <a
254    href="{@docRoot}google/play/billing/billing_admin.html#billing-list-setup">Creating a Product
255    List</a>.</p>
256    <p class="note"><strong>Note:</strong> You must publish the items in your product
257    list (<code>sword_001</code> and <code>potion_001</code>) even though you are not publishing the
258    sample application. Also, you must have a Google Wallet merchant account to add items to the
259    sample application's product list.</p>
260  </li>
261</ol>
262
263<h3>Running the sample application</h3>
264
265<p>You cannot run the sample application in the emulator. You must install the sample application
266onto a device to run it. To run the sample application, do the following:</p>
267
268<ol>
269  <li><strong>Make sure you have at least one test account registered under your Google Play
270  publisher account.</strong>
271    <p>You cannot purchase items from yourself (Google Wallet prohibits this), so you need to
272    create at least one test account that you can use to purchase items in the sample application.
273    To learn how to set up a test account, see <a
274    href="{@docRoot}google/play/billing/billing_testing.html#billing-testing-setup">Setting up Test
275    Accounts</a>.</p>
276  </li>
277  <li><strong>Verify that your device is running a supported version of the Google Play
278  application or the MyApps application.</strong>
279    <p>If your device is running Android 3.0, in-app billing requires version 5.0.12 (or higher) of
280    the MyApps application. If your device is running any other version of Android, in-app billing
281    requires version 2.3.4 (or higher) of the Google Play application. To learn how to check the
282    version of the Google Play application, see <a
283    href="http://market.android.com/support/bin/answer.py?answer=190860">Updating Google
284    Play</a>.</p>
285  </li>
286  <li><strong>Install the application onto your device.</strong>
287    <p>Even though you uploaded the application to Google Play, the application is not published,
288    so you cannot download it from Google Play to a device. Instead, you must install the
289    application onto your device. To learn how to install an application onto a device, see <a
290    href="{@docRoot}tools/building/building-cmdline.html#RunningOnDevice">Running on a
291    device</a>.</p>
292 </li>
293 <li><strong>Make one of your test accounts the primary account on your device.</strong>
294    <p>The primary account on your device must be one of the <a
295    href="{@docRoot}google/play/billing/billing_admin.html#billing-testing-setup">test accounts</a>
296    that you registered on the Google Play Developer Console. If the primary account on your device is not a
297    test account, you must do a factory reset of the device and then sign in with one of your test
298    accounts. To perform a factory reset, do the following:</p>
299    <ol>
300      <li>Open Settings on your device.</li>
301      <li>Touch <strong>Privacy</strong>.</li>
302      <li>Touch <strong>Factory data reset</strong>.</li>
303      <li>Touch <strong>Reset phone</strong>.</li>
304      <li>After the phone resets, be sure to sign in with one of your test accounts during the
305      device setup process.</li>
306    </ol>
307  </li>
308  <li><strong>Run the application and purchase the sword or the potion.</strong>
309    <p>When you use a test account to purchase items, the test account is billed through Google
310    Wallet and your Google Wallet merchant account receives a payout for the purchase.
311    Therefore, you may want to refund purchases that are made with test accounts, otherwise the
312    purchases will show up as actual payouts to your merchant account.</p>
313</ol>
314
315<p class="note"><strong>Note</strong>: Debug log messages are turned off by default in the
316sample application. You can turn them on by setting the variable <code>DEBUG</code>
317to <code>true</code> in the <code>Consts.java</code> file.</p>
318
319<h2 id="billing-add-aidl">Adding the AIDL file to your project</h2>
320
321<p>The sample application contains an Android Interface Definition Language (AIDL) file,  which
322defines the interface to Google Play's in-app billing service
323(<code>MarketBillingService</code>). When you add this file to your project, the Android build
324environment creates an interface file (<code>IMarketBillingService.java</code>). You can then use
325this interface to make billing requests by invoking IPC method calls.</p>
326
327<p>If you are using the ADT plug-in with Eclipse, you can just add this file to your
328<code>/src</code> directory. Eclipse will automatically generate the interface file when you build
329your project (which should happen immediately). If you are not using the ADT plug-in, you can put
330the AIDL file into your project and use the Ant tool to build your project so that the
331<code>IMarketBillingService.java</code> file gets generated.</p>
332
333<p>To add the <code>IMarketBillingService.aidl</code> file to your project, do the following:</p>
334
335<ol>
336  <li>Create the following directory in your application's <code>/src</code> directory:
337    <p><code>com/android/vending/billing/</code></p>
338  </li>
339  <li>Copy the <code>IMarketBillingService.aidl</code> file into the
340  <code>sample/src/com/android/vending/billing/</code> directory.</li>
341  <li>Build your application.</li>
342</ol>
343
344<p>You should now find a generated interface file named <code>IMarketBillingService.java</code> in
345the <code>gen</code> folder of your project.</p>
346
347<h2 id="billing-permission">Updating Your Application's Manifest</h2>
348
349<p>In-app billing relies on the Google Play application, which handles all communication between
350your application and the Google Play server. To use the Google Play application, your
351application must request the proper permission. You can do this by adding the
352<code>com.android.vending.BILLING</code> permission to your AndroidManifest.xml file. If your
353application does not declare the in-app billing permission, but attempts to send billing requests,
354Google Play will refuse the requests and respond with a <code>RESULT_DEVELOPER_ERROR</code>
355response code.</p>
356
357<p>In addition to the billing permission, you need to declare the {@link
358android.content.BroadcastReceiver} that you will use to receive asynchronous response messages
359(broadcast intents) from Google Play, and you need to declare the {@link android.app.Service}
360that you will use to bind with the <code>IMarketBillingService</code> and send messages to Google
361Play. You must also declare <a
362href="{@docRoot}guide/topics/manifest/intent-filter-element.html">intent filters</a> for the {@link
363android.content.BroadcastReceiver} so that the Android system knows how to handle the broadcast
364intents that are sent from the Google Play application.</p>
365
366<p>For example, here is how the in-app billing sample application declares the billing permission,
367the {@link android.content.BroadcastReceiver}, the {@link android.app.Service}, and the intent
368filters. In the sample application, <code>BillingReceiver</code> is the {@link
369android.content.BroadcastReceiver} that handles broadcast intents from the Google Play
370application and <code>BillingService</code> is the {@link android.app.Service} that sends requests
371to the Google Play application.</p>
372
373<pre>
374&lt;?xml version="1.0" encoding="utf-8"?&gt;
375&lt;manifest xmlns:android="http://schemas.android.com/apk/res/android"
376  package="com.example.dungeons"
377  android:versionCode="1"
378  android:versionName="1.0"&gt;
379
380  &lt;uses-permission android:name="com.android.vending.BILLING" /&gt;
381
382  &lt;application android:icon="@drawable/icon" android:label="@string/app_name"&gt;
383    &lt;activity android:name=".Dungeons" android:label="@string/app_name"&gt;
384      &lt;intent-filter&gt;
385        &lt;action android:name="android.intent.action.MAIN" /&gt;
386        &lt;category android:name="android.intent.category.LAUNCHER" /&gt;
387      &lt;/intent-filter&gt;
388    &lt;/activity&gt;
389
390    &lt;service android:name="BillingService" /&gt;
391
392    &lt;receiver android:name="BillingReceiver"&gt;
393      &lt;intent-filter&gt;
394        &lt;action android:name="com.android.vending.billing.IN_APP_NOTIFY" /&gt;
395        &lt;action android:name="com.android.vending.billing.RESPONSE_CODE" /&gt;
396        &lt;action android:name="com.android.vending.billing.PURCHASE_STATE_CHANGED" /&gt;
397      &lt;/intent-filter&gt;
398    &lt;/receiver&gt;
399
400  &lt;/application&gt;
401&lt;/manifest&gt;
402</pre>
403
404<h2 id="billing-service">Creating a Local Service</h2>
405
406<p>Your application must have a local {@link android.app.Service} to facilitate messaging between
407your application and Google Play. At a minimum, this service must do the following:</p>
408
409<ul>
410  <li>Bind to the <code>MarketBillingService</code>.
411  <li>Send billing requests (as IPC method calls) to the Google Play application. The five types
412  of billing requests include:
413    <ul>
414      <li><code>CHECK_BILLING_SUPPORTED</code> requests</li>
415      <li><code>REQUEST_PURCHASE</code> requests</li>
416      <li><code>GET_PURCHASE_INFORMATION</code> requests</li>
417      <li><code>CONFIRM_NOTIFICATIONS</code> requests</li>
418      <li><code>RESTORE_TRANSACTIONS</code> requests</li>
419    </ul>
420  </li>
421  <li>Handle the synchronous response messages that are returned with each billing request.</li>
422</ul>
423
424<h3>Binding to the MarketBillingService</h3>
425
426<p>Binding to the <code>MarketBillingService</code> is relatively easy if you've already added the
427<code>IMarketBillingService.aidl</code> file to your project. The following code sample shows how to
428use the {@link android.content.Context#bindService bindService()} method to bind a service to the
429<code>MarketBillingService</code>. You could put this code in your service's {@link
430android.app.Activity#onCreate onCreate()} method.</p>
431
432<pre>
433try {
434  boolean bindResult = mContext.bindService(
435    new Intent("com.android.vending.billing.MarketBillingService.BIND"), this,
436    Context.BIND_AUTO_CREATE);
437  if (bindResult) {
438    Log.i(TAG, "Service bind successful.");
439  } else {
440    Log.e(TAG, "Could not bind to the MarketBillingService.");
441  }
442} catch (SecurityException e) {
443  Log.e(TAG, "Security exception: " + e);
444}
445</pre>
446
447<p>After you bind to the service, you need to create a reference to the
448<code>IMarketBillingService</code> interface so you can make billing requests via IPC method calls.
449The following code shows you how to do this using the {@link
450android.content.ServiceConnection#onServiceConnected onServiceConnected()} callback method.</p>
451
452<pre>
453/**
454  * The Android system calls this when we are connected to the MarketBillingService.
455  */
456  public void onServiceConnected(ComponentName name, IBinder service) {
457    Log.i(TAG, "MarketBillingService connected.");
458    mService = IMarketBillingService.Stub.asInterface(service);
459  }
460</pre>
461
462<p>You can now use the <code>mService</code> reference to invoke the
463<code>sendBillingRequest()</code> method.</p>
464
465<p>For a complete implementation of a service that binds to the <code>MarketBillingService</code>,
466see the <code>BillingService</code> class in the sample application.</p>
467
468<h3>Sending billing requests to the MarketBillingService</h3>
469
470<p>Now that your {@link android.app.Service} has a reference to the
471<code>IMarketBillingService</code> interface, you can use that reference to send billing requests
472(via IPC method calls) to the <code>MarketBillingService</code>. The
473<code>MarketBillingService</code> IPC interface exposes a single public method
474(<code>sendBillingRequest()</code>), which takes a single {@link android.os.Bundle} parameter. The
475Bundle that you deliver with this method specifies the type of request you want to perform, using
476various key-value pairs. For instance, one key indicates the type of request you are making, another
477indicates the item being purchased, and another identifies your application. The
478<code>sendBillingRequest()</code> method immediately returns a Bundle containing an initial response
479code. However, this is not the complete purchase response; the complete response is delivered with
480an asynchronous broadcast intent. For more information about the various Bundle keys that are
481supported by the <code>MarketBillingService</code>, see <a
482href="{@docRoot}google/play/billing/v2/billing_reference.html#billing-interface">In-app Billing
483Service Interface</a>.</p>
484
485<p>You can use the <code>sendBillingRequest()</code> method to send five types of billing requests.
486The five request types are specified using the <code>BILLING_REQUEST</code> Bundle key. This Bundle
487key can have the following five values:</p>
488
489<ul>
490  <li><code>CHECK_BILLING_SUPPORTED</code>&mdash;verifies that the Google Play application
491  supports in-app billing and the version of the In-app Billing API available.</li>
492  <li><code>REQUEST_PURCHASE</code>&mdash;sends a purchase request for an in-app item.</li>
493  <li><code>GET_PURCHASE_INFORMATION</code>&mdash;retrieves transaction information for a purchase
494  or refund.</li>
495  <li><code>CONFIRM_NOTIFICATIONS</code>&mdash;acknowledges that you received the transaction
496  information for a purchase or refund.</li>
497  <li><code>RESTORE_TRANSACTIONS</code>&mdash;retrieves a user's transaction history for <a
498  href="{@docRoot}google/play/billing/billing_admin.html#billing-purchase-type">managed
499  purchases</a>.</li>
500</ul>
501
502<p>To make any of these billing requests, you first need to build an initial {@link
503android.os.Bundle} that contains the three keys that are required for all requests:
504<code>BILLING_REQUEST</code>, <code>API_VERSION</code>, and <code>PACKAGE_NAME</code>. The following
505code sample shows you how to create a helper method named <code>makeRequestBundle()</code> that does
506this.</p>
507
508<pre>
509protected Bundle makeRequestBundle(String method) {
510  Bundle request = new Bundle();
511  request.putString(BILLING_REQUEST, method);
512  request.putInt(API_VERSION, 1);
513  request.putString(PACKAGE_NAME, getPackageName());
514  return request;
515</pre>
516
517<p>To use this helper method, you pass in a <code>String</code> that corresponds to one of the five
518types of billing requests. The method returns a Bundle that has the three required keys defined. The
519following sections show you how to use this helper method when you send a billing request.</p>
520
521<p class="caution"><strong>Important</strong>: You must make all in-app billing requests from your
522application's main thread.</p>
523
524<h4>Verifying that in-app billing is supported (CHECK_BILLING_SUPPPORTED)</h4>
525
526<p>The following code sample shows how to verify whether the Google Play application supports
527in-app billing and confirm what version of the API it supports. In the sample, <code>mService</code>
528is an instance of the <code>MarketBillingService</code> interface.</p>
529
530<pre>
531/**
532* Request type is CHECK_BILLING_SUPPORTED
533*/
534  Bundle request = makeRequestBundle("CHECK_BILLING_SUPPORTED");
535  Bundle response = mService.sendBillingRequest(request);
536  // Do something with this response.
537}
538</pre>
539
540<p>The <code>makeRequestBundle()</code> method constructs an initial Bundle, which contains the
541three keys that are required for all requests: <code>BILLING_REQUEST</code>,
542<code>API_VERSION</code>, and <code>PACKAGE_NAME</code>. If you are offering subscriptions in
543your app, set the API_VERSION key to a value of "2", to confirm that In-app Billing v2 is
544available. For an example, see
545<a href="{@docRoot}google/play/billing/v2/billing_subscriptions.html#version">Subscriptions</a>.</p>
546
547<p>The <code>CHECK_BILLING_SUPPORTED</code> request returns a synchronous {@link
548android.os.Bundle} response, which contains only a single key: <code>RESPONSE_CODE</code>. The
549<code>RESPONSE_CODE</code> key can have the following values:</p>
550<ul>
551  <li><code>RESULT_OK</code>&mdash;the spedified version of in-app billing is supported.</li>
552  <li><code>RESULT_BILLING_UNAVAILABLE</code>&mdash;in-app billing is not available because the API
553  version you specified is not recognized or the user is not eligible to make in-app purchases (for
554  example, the user resides in a country that prohibits in-app purchases).</li>
555  <li><code>RESULT_ERROR</code>&mdash;there was an error connecting with the Google Play
556  application.</li>
557  <li><code>RESULT_DEVELOPER_ERROR</code>&mdash;the application is trying to make an in-app billing
558  request but the application has not declared the <code>com.android.vending.BILLING</code>
559  permission in its manifest. Can also indicate that an application is not properly signed, or that
560  you sent a malformed request.</li>
561</ul>
562
563<p>The <code>CHECK_BILLING_SUPPORTED</code> request does not trigger any asynchronous responses
564(broadcast intents).</p>
565
566<p>We recommend that you invoke the <code>CHECK_BILLING_SUPPORTED</code> request within a
567<code>RemoteException</code> block. When your code throws a <code>RemoteException</code> it
568indicates that the remote method call failed, which means that the Google Play application is out
569of date and needs to be updated. In this case, you can provide users with an error message that
570contains a link to the <a
571href="http://market.android.com/support/bin/answer.py?answer=190860">Updating Google Play</a>
572Help topic.</p>
573
574<p>The sample application demonstrates how you can handle this error condition (see
575<code>DIALOG_CANNOT_CONNECT_ID</code> in <code>Dungeons.java</code>).</p>
576
577<h4>Making a purchase request (REQUEST_PURCHASE)</h4>
578
579<p>To make a purchase request you must do the following:</p>
580
581<ul>
582  <li>Send the <code>REQUEST_PURCHASE</code> request.</li>
583  <li>Launch the {@link android.app.PendingIntent} that is returned from the Google Play
584  application.</li>
585  <li>Handle the broadcast intents that are sent by the Google Play application.</li>
586</ul>
587
588<h5>Making the request</h5>
589
590<p>You must specify four keys in the request {@link android.os.Bundle}. The following code sample
591shows how to set these keys and make a purchase request for a single in-app item. In the sample,
592<code>mProductId</code> is the Google Play product ID of an in-app item (which is listed in the
593application's <a href="{@docRoot}google/play/billing/billing_admin.html#billing-list-setup">product
594list</a>), and <code>mService</code> is an instance of the <code>MarketBillingService</code>
595interface.</p>
596
597<pre>
598/**
599* Request type is REQUEST_PURCHASE
600*/
601  Bundle request = makeRequestBundle("REQUEST_PURCHASE");
602  request.putString(ITEM_ID, mProductId);
603  // Request is for a standard in-app product
604  request.putString(ITEM_TYPE, "inapp");
605  // Note that the developer payload is optional.
606  if (mDeveloperPayload != null) {
607    request.putString(DEVELOPER_PAYLOAD, mDeveloperPayload);
608  }
609  Bundle response = mService.sendBillingRequest(request);
610  // Do something with this response.
611</pre>
612<p>The <code>makeRequestBundle()</code> method constructs an initial Bundle, which contains the
613three keys that are required for all requests: <code>BILLING_REQUEST</code>,
614<code>API_VERSION</code>, and <code>PACKAGE_NAME</code>. The <code>ITEM_ID</code> key is then added
615to the Bundle prior to invoking the <code>sendBillingRequest()</code> method.</p>
616
617<p>The request returns a synchronous {@link android.os.Bundle} response, which contains three keys:
618<code>RESPONSE_CODE</code>, <code>PURCHASE_INTENT</code>, and <code>REQUEST_ID</code>. The
619<code>RESPONSE_CODE</code> key provides you with the status of the request and the
620<code>REQUEST_ID</code> key provides you with a unique request identifier for the request. The
621<code>PURCHASE_INTENT</code> key provides you with a {@link android.app.PendingIntent}, which you
622can use to launch the checkout UI.</p>
623
624<h5>Using the pending intent</h5>
625
626<p>How you use the pending intent depends on which version of Android a device is running. On
627Android 1.6, you must use the pending intent to launch the checkout UI in its own separate task
628instead of your application's activity stack. On Android 2.0 and higher, you can use the pending
629intent to launch the checkout UI on your application's activity stack. The following code shows you
630how to do this. You can find this code in the <code>PurchaseObserver.java</code> file in the sample
631application.</p>
632
633<pre>
634void startBuyPageActivity(PendingIntent pendingIntent, Intent intent) {
635  if (mStartIntentSender != null) {
636    // This is on Android 2.0 and beyond.  The in-app checkout page activity
637    // will be on the activity stack of the application.
638    try {
639      // This implements the method call:
640      // mActivity.startIntentSender(pendingIntent.getIntentSender(),
641      //     intent, 0, 0, 0);
642      mStartIntentSenderArgs[0] = pendingIntent.getIntentSender();
643      mStartIntentSenderArgs[1] = intent;
644      mStartIntentSenderArgs[2] = Integer.valueOf(0);
645      mStartIntentSenderArgs[3] = Integer.valueOf(0);
646      mStartIntentSenderArgs[4] = Integer.valueOf(0);
647      mStartIntentSender.invoke(mActivity, mStartIntentSenderArgs);
648    } catch (Exception e) {
649      Log.e(TAG, "error starting activity", e);
650      }
651  } else {
652    // This is on Android 1.6. The in-app checkout page activity will be on its
653    // own separate activity stack instead of on the activity stack of
654    // the application.
655    try {
656      pendingIntent.send(mActivity, 0 /* code */, intent);
657    } catch (CanceledException e) {
658      Log.e(TAG, "error starting activity", e);
659      }
660  }
661}
662</pre>
663
664<p class="caution"><strong>Important:</strong> You must launch the pending intent from an activity
665context and not an application context. Also, you cannot use the <code>singleTop</code> <a
666href="{@docRoot}guide/topics/manifest/activity-element.html#lmode">launch mode</a> to launch the
667pending intent. If you do either of these, the Android system will not attach the pending intent to
668your application process. Instead, it will bring Google Play to the foreground, disrupting your
669application.</p>
670
671<h5>Handling broadcast intents</h5>
672
673<p>A <code>REQUEST_PURCHASE</code> request also triggers two asynchronous responses (broadcast
674intents). First, the Google Play application sends a <code>RESPONSE_CODE</code> broadcast intent,
675which provides error information about the request. If the request does not generate an
676error, the <code>RESPONSE_CODE</code> broadcast intent returns <code>RESULT_OK</code>, which
677indicates that the request was successfully sent. (To be clear, a <code>RESULT_OK</code> response
678does not indicate that the requested purchase was successful; it indicates that the request was sent
679successfully to Google Play.)</p>
680
681<p>Next, when the requested transaction changes state (for example, the purchase is successfully
682charged to a credit card or the user cancels the purchase), the Google Play application sends an
683<code>IN_APP_NOTIFY</code> broadcast intent. This message contains a notification ID, which you can
684use to retrieve the transaction details for the <code>REQUEST_PURCHASE</code> request.</p>
685
686<p class="note"><strong>Note:</strong> The Google Play application also sends
687an <code>IN_APP_NOTIFY</code> for refunds. For more information, see <a
688href="{@docRoot}google/play/billing/v2/api.html#billing-action-notify">Handling
689IN_APP_NOTIFY messages</a>.</p>
690
691<p>Because the purchase process is not instantaneous and can take several seconds (or more), you
692must assume that a purchase request is pending from the time you receive a <code>RESULT_OK</code>
693message until you receive an <code>IN_APP_NOTIFY</code> message for the transaction. While the
694transaction is pending, the Google Play checkout UI displays an "Authorizing purchase..."
695notification; however, this notification is dismissed after 60 seconds and you should not rely on
696this notification as your primary means of conveying transaction status to users. Instead, we
697recommend that you do the following:</p>
698
699<ul>
700  <li>Add an {@link android.app.Activity} to your application that shows users the status of pending
701and completed in-app purchases.</li>
702  <li>Use a <a href="{@docRoot}guide/topics/ui/notifiers/notifications.html">status
703bar notification</a> to keep users informed about the progress of a purchase.</li>
704</ul>
705
706<p>To use these two UI elements, you could invoke a status bar notification with a ticker-text
707message that says "Purchase pending" when your application receives a <code>RESULT_OK</code>
708message. Then, when your application receives an <code>IN_APP_NOTIFY</code> message, you could
709update the notification with a new message that says "Purchase succeeded" or "Purchase failed." When
710a user touches the expanded status bar notification, you could launch the activity that shows the
711status of pending and completed in-app purchases.</p>
712
713<p>If you use some other UI technique to inform users about the state of a pending transaction,
714be sure that your pending status UI does not block your application. For example, you should avoid
715using a hovering progress wheel to convey the status of a pending transaction because a pending
716transaction could last a long time, particularly if a device loses network connectivity and cannot
717receive transaction updates from Google Play.</p>
718
719<p class="caution"><strong>Important:</strong> If a user purchases a managed item, you must prevent
720the user from purchasing the item again while the original transaction is pending. If a user
721attempts to purchase a managed item twice, and the first transaction is still pending, Google
722Play will display an error to the user; however, Google Play will not send an error to your
723application notifying you that the second purchase request was canceled. This might cause your
724application to get stuck in a pending state while it waits for an <code>IN_APP_NOTIFY</code> message
725for the second purchase request.</p>
726
727<h4>Retrieving transaction information for a purchase or refund (GET_PURCHASE_INFORMATION)</h4>
728
729<p>You retrieve transaction information in response to an <code>IN_APP_NOTIFY</code> broadcast
730intent. The <code>IN_APP_NOTIFY</code> message contains a notification ID, which you can use to
731retrieve transaction information.</p>
732
733<p>To retrieve transaction information for a purchase or refund you must specify five keys in the
734request {@link android.os.Bundle}. The following code sample shows how to set these keys and make
735the request. In the sample, <code>mService</code> is an instance of the
736<code>MarketBillingService</code> interface.</p>
737
738<pre>
739/**
740* Request type is GET_PURCHASE_INFORMATION
741*/
742  Bundle request = makeRequestBundle("GET_PURCHASE_INFORMATION");
743  request.putLong(REQUEST_NONCE, mNonce);
744  request.putStringArray(NOTIFY_IDS, mNotifyIds);
745  Bundle response = mService.sendBillingRequest(request);
746  // Do something with this response.
747}
748</pre>
749<p>The <code>makeRequestBundle()</code> method constructs an initial Bundle, which contains the
750three keys that are required for all requests: <code>BILLING_REQUEST</code>,
751<code>API_VERSION</code>, and <code>PACKAGE_NAME</code>. The additional keys are then added to the
752bundle prior to invoking the <code>sendBillingRequest()</code> method. The
753<code>REQUEST_NONCE</code> key contains a cryptographically secure nonce (number used once) that you
754must generate. The Google Play application returns this nonce with the
755<code>PURCHASE_STATE_CHANGED</code> broadcast intent so you can verify the integrity of the
756transaction information. The <code>NOTIFY_IDS</code> key contains an array of notification IDs,
757which you received in the <code>IN_APP_NOTIFY</code> broadcast intent.</p>
758
759<p>The request returns a synchronous {@link android.os.Bundle} response, which contains two keys:
760<code>RESPONSE_CODE</code> and <code>REQUEST_ID</code>. The <code>RESPONSE_CODE</code> key provides
761you with the status of the request and the <code>REQUEST_ID</code> key provides you with a unique
762request identifier for the request.</p>
763
764<p>A <code>GET_PURCHASE_INFORMATION</code> request also triggers two asynchronous responses
765(broadcast intents). First, the Google Play application sends a <code>RESPONSE_CODE</code>
766broadcast intent, which provides status and error information about the request. Next, if the
767request was successful, the Google Play application sends a <code>PURCHASE_STATE_CHANGED</code>
768broadcast intent. This message contains detailed transaction information. The transaction
769information is contained in a signed JSON string (unencrypted). The message includes the signature
770so you can verify the integrity of the signed string.</p>
771
772<h4>Acknowledging transaction information (CONFIRM_NOTIFICATIONS)</h4>
773
774<p>To acknowledge that you received transaction information you send a
775<code>CONFIRM_NOTIFICATIONS</code> request. You must specify four keys in the request {@link
776android.os.Bundle}. The following code sample shows how to set these keys and make the request. In
777the sample, <code>mService</code> is an instance of the <code>MarketBillingService</code>
778interface.</p>
779
780<pre>
781/**
782* Request type is CONFIRM_NOTIFICATIONS
783*/
784  Bundle request = makeRequestBundle("CONFIRM_NOTIFICATIONS");
785  request.putStringArray(NOTIFY_IDS, mNotifyIds);
786  Bundle response = mService.sendBillingRequest(request);
787  // Do something with this response.
788}
789</pre>
790<p>The <code>makeRequestBundle()</code> method constructs an initial Bundle, which contains the
791three keys that are required for all requests: <code>BILLING_REQUEST</code>,
792<code>API_VERSION</code>, and <code>PACKAGE_NAME</code>. The additional <code>NOTIFY_IDS</code> key
793is then added to the bundle prior to invoking the <code>sendBillingRequest()</code> method. The
794<code>NOTIFY_IDS</code> key contains an array of notification IDs, which you received in an
795<code>IN_APP_NOTIFY</code> broadcast intent and also used in a <code>GET_PURCHASE_INFORMATION</code>
796request.</p>
797
798<p>The request returns a synchronous {@link android.os.Bundle} response, which contains two keys:
799<code>RESPONSE_CODE</code> and <code>REQUEST_ID</code>. The <code>RESPONSE_CODE</code> key provides
800you with the status of the request and the <code>REQUEST_ID</code> key provides you with a unique
801request identifier for the request.</p>
802
803<p>A <code>CONFIRM_NOTIFICATIONS</code> request triggers a single asynchronous response&mdash;a
804<code>RESPONSE_CODE</code> broadcast intent. This broadcast intent provides status and error
805information about the request.</p>
806
807<p>You must send a confirmation when you receive transaction information from Google Play. If you
808don't send a confirmation message, Google Play will continue sending
809<code>IN_APP_NOTIFY</code> messages for the transactions you have not confirmed. Also,
810your application must be able to handle <code>IN_APP_NOTIFY</code> messages that contain multiple
811orders.</p>
812
813<p>In addition, as a best practice, you should not send a <code>CONFIRM_NOTIFICATIONS</code> request
814for a purchased item until you have delivered the item to the user. This way, if your application
815crashes or something else prevents your application from delivering the product, your application
816will still receive an <code>IN_APP_NOTIFY</code> broadcast intent from Google Play indicating
817that you need to deliver the product.</p>
818
819<h4>Restoring transaction information (RESTORE_TRANSACTIONS)</h4>
820
821<p>To restore a user's transaction information, you send a <code>RESTORE_TRANSACTIONS</code>
822request. You must specify four keys in the request {@link android.os.Bundle}. The following code
823sample shows how to set these keys and make the request. In the sample, <code>mService</code> is an
824instance of the <code>MarketBillingService</code> interface.</p>
825
826<pre>
827/**
828* Request type is RESTORE_TRANSACTIONS
829*/
830  Bundle request = makeRequestBundle("RESTORE_TRANSACTIONS");
831  request.putLong(REQUEST_NONCE, mNonce);
832  Bundle response = mService.sendBillingRequest(request);
833  // Do something with this response.
834}
835</pre>
836<p>The <code>makeRequestBundle()</code> method constructs an initial Bundle, which contains the
837three keys that are required for all requests: <code>BILLING_REQUEST</code>,
838<code>API_VERSION</code>, and <code>PACKAGE_NAME</code>. The additional <code>REQUEST_NONCE</code>
839key is then added to the bundle prior to invoking the <code>sendBillingRequest()</code> method. The
840<code>REQUEST_NONCE</code> key contains a cryptographically secure nonce (number used once) that you
841must generate. The Google Play application returns this nonce with the transactions information
842contained in the <code>PURCHASE_STATE_CHANGED</code> broadcast intent so you can verify the
843integrity of the transaction information.</p>
844
845<p>The request returns a synchronous {@link android.os.Bundle} response, which contains two keys:
846<code>RESPONSE_CODE</code> and <code>REQUEST_ID</code>. The <code>RESPONSE_CODE</code> key provides
847you with the status of the request and the <code>REQUEST_ID</code> key provides you with a unique
848request identifier for the request.</p>
849
850<p>A <code>RESTORE_TRANSACTIONS</code> request also triggers two asynchronous responses (broadcast
851intents). First, the Google Play application sends a <code>RESPONSE_CODE</code> broadcast intent,
852which provides status and error information about the request. Next, if the request was successful,
853the Google Play application sends a <code>PURCHASE_STATE_CHANGED</code> broadcast intent. This
854message contains the detailed transaction information. The transaction information is contained in a
855signed JSON string (unencrypted). The message includes the signature so you can verify the integrity
856of the signed string.</p>
857
858<p class="note"><strong>Note:</strong> You should use the <code>RESTORE_TRANSACTIONS</code>
859request type only when your application is installed for the first time on a device or when your
860application has been removed from a device and reinstalled.</p>
861
862<h3>Other service tasks</h3>
863
864<p>You may also want your {@link android.app.Service} to receive intent messages from your {@link
865android.content.BroadcastReceiver}. You can use these intent messages to convey the information that
866was sent asynchronously from the Google Play application to your {@link
867android.content.BroadcastReceiver}. To see an example of how you can send and receive these intent
868messages, see the <code>BillingReceiver.java</code> and <code>BillingService.java</code> files in
869the sample application. You can use these samples as a basis for your own implementation. However,
870if you use any of the code from the sample application, be sure you follow the guidelines in <a
871href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p>
872
873<h2 id="billing-broadcast-receiver">Creating a BroadcastReceiver</h2>
874
875<p>The Google Play application uses broadcast intents to send asynchronous billing responses to
876your application. To receive these intent messages, you need to create a {@link
877android.content.BroadcastReceiver} that can handle the following intents:</p>
878
879<ul>
880  <li>com.android.vending.billing.RESPONSE_CODE
881  <p>This broadcast intent contains a Google Play response code, and is sent after you make an
882  in-app billing request. For more information about the response codes that are sent with this
883  response, see <a
884  href="{@docRoot}google/play/billing/v2/billing_reference.html#billing-codes">Google Play Response
885  Codes for In-app Billing</a>.</p>
886  </li>
887  <li>com.android.vending.billing.IN_APP_NOTIFY
888  <p>This response indicates that a purchase has changed state, which means a purchase succeeded,
889  was canceled, or was refunded. For more information about notification messages, see <a
890  href="{@docRoot}google/play/billing/v2/billing_reference.html#billing-intents">In-app Billing
891  Broadcast Intents</a></p>
892  </li>
893  <li>com.android.vending.billing.PURCHASE_STATE_CHANGED
894  <p>This broadcast intent contains detailed information about one or more transactions. For more
895  information about purchase state messages, see <a
896  href="{@docRoot}google/play/billing/v2/billing_reference.html#billing-intents">In-app Billing
897  Broadcast Intents</a></p>
898  </li>
899</ul>
900
901<p>Each of these broadcast intents provide intent extras, which your {@link
902android.content.BroadcastReceiver} must handle. The intent extras are listed in the following table
903(see table 1).</p>
904
905<p class="table-caption"><strong>Table 1.</strong> Description of broadcast intent extras that are
906sent in response to billing requests.</p>
907
908<table>
909
910<tr>
911<th>Intent</th>
912<th>Extra</th>
913<th>Description</th>
914</tr>
915<tr>
916  <td><code>com.android.vending.billing.RESPONSE_CODE</code></td>
917  <td><code>request_id</code></td>
918  <td>A <code>long</code> representing a request ID. A request ID identifies a specific billing
919  request and is returned by Google Play at the time a request is made.</td>
920</tr>
921<tr>
922  <td><code>com.android.vending.billing.RESPONSE_CODE</code></td>
923  <td><code>response_code</code></td>
924  <td>An <code>int</code> representing the actual Google Play server response code.</td>
925</tr>
926<tr>
927  <td><code>com.android.vending.billing.IN_APP_NOTIFY</code></td>
928  <td><code>notification_id</code></td>
929  <td>A <code>String</code> representing the notification ID for a given purchase state change.
930  Google Play notifies you when there is a purchase state change and the notification includes a
931  unique notification ID. To get the details of the purchase state change, you send the notification
932  ID with the <code>GET_PURCHASE_INFORMATION</code> request.</td>
933</tr>
934<tr>
935  <td><code>com.android.vending.billing.PURCHASE_STATE_CHANGED</code></td>
936  <td><code>inapp_signed_data</code></td>
937  <td>A <code>String</code> representing the signed JSON string. The JSON string contains
938  information about the billing transaction, such as order number, amount, and the item that was
939  purchased or refunded.</td>
940</tr>
941<tr>
942  <td><code>com.android.vending.billing.PURCHASE_STATE_CHANGED</code></td>
943  <td><code>inapp_signature</code></td>
944  <td>A <code>String</code> representing the signature of the JSON string.</td>
945</tr>
946</table>
947
948<p>The following code sample shows how to handle these broadcast intents and intent extras within a
949{@link android.content.BroadcastReceiver}. The BroadcastReceiver in this case is named
950<code>BillingReceiver</code>, just as it is in the sample application.</p>
951
952<pre>
953public class BillingReceiver extends BroadcastReceiver {
954
955  private static final String TAG = "BillingReceiver";
956
957  // Intent actions that we receive in the BillingReceiver from Google Play.
958  // These are defined by Google Play and cannot be changed.
959  // The sample application defines these in the Consts.java file.
960  public static final String ACTION_NOTIFY =
961      "com.android.vending.billing.IN_APP_NOTIFY";
962  public static final String ACTION_RESPONSE_CODE =
963      "com.android.vending.billing.RESPONSE_CODE";
964  public static final String ACTION_PURCHASE_STATE_CHANGED =
965      "com.android.vending.billing.PURCHASE_STATE_CHANGED";
966
967  // The intent extras that are passed in an intent from Google Play.
968  // These are defined by Google Play and cannot be changed.
969  // The sample application defines these in the Consts.java file.
970  public static final String NOTIFICATION_ID = "notification_id";
971  public static final String INAPP_SIGNED_DATA = "inapp_signed_data";
972  public static final String INAPP_SIGNATURE = "inapp_signature";
973  public static final String INAPP_REQUEST_ID = "request_id";
974  public static final String INAPP_RESPONSE_CODE = "response_code";
975
976
977  &#64;Override
978  public void onReceive(Context context, Intent intent) {
979    String action = intent.getAction();
980    if (ACTION_PURCHASE_STATE_CHANGED.equals(action)) {
981      String signedData = intent.getStringExtra(INAPP_SIGNED_DATA);
982      String signature = intent.getStringExtra(INAPP_SIGNATURE);
983      // Do something with the signedData and the signature.
984    } else if (ACTION_NOTIFY.equals(action)) {
985      String notifyId = intent.getStringExtra(NOTIFICATION_ID);
986      // Do something with the notifyId.
987    } else if (ACTION_RESPONSE_CODE.equals(action)) {
988      long requestId = intent.getLongExtra(INAPP_REQUEST_ID, -1);
989      int responseCodeIndex = intent.getIntExtra(INAPP_RESPONSE_CODE,
990        ResponseCode.RESULT_ERROR.ordinal());
991      // Do something with the requestId and the responseCodeIndex.
992    } else {
993      Log.w(TAG, "unexpected action: " + action);
994    }
995  }
996  // Perform other processing here, such as forwarding intent messages
997  // to your local service.
998}
999</pre>
1000
1001<p>In addition to receiving broadcast intents from the Google Play application, your {@link
1002android.content.BroadcastReceiver} must handle the information it received in the broadcast intents.
1003Usually, your {@link android.content.BroadcastReceiver} does this by sending the information to a
1004local service (discussed in the next section). The <code>BillingReceiver.java</code> file in the
1005sample application shows you how to do this. You can use this sample as a basis for your own {@link
1006android.content.BroadcastReceiver}. However, if you use any of the code from the sample application,
1007be sure you follow the guidelines that are discussed in <a
1008href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design </a>.</p>
1009
1010<h2 id="billing-security">Securing Your Application</h2>
1011
1012<p>To help ensure the integrity of the transaction information that is sent to your application,
1013Google Play signs the JSON string that is contained in the <code>PURCHASE_STATE_CHANGED</code>
1014broadcast intent. Google Play uses the private key that is associated with your publisher account
1015to create this signature. The Developer Console generates an RSA key pair for each publisher account.
1016You can find the public key portion of this key pair on your account's profile page. It is the same
1017public key that is used with Google Play licensing.</p>
1018
1019<p>When Google Play signs a billing response, it includes the signed JSON string (unencrypted)
1020and the signature. When your application receives this signed response you can use the public key
1021portion of your RSA key pair to verify the signature. By performing signature verification you can
1022help detect responses that have been tampered with or that have been spoofed. You can perform this
1023signature verification step in your application; however, if your application connects to a secure
1024remote server then we recommend that you perform the signature verification on that server.</p>
1025
1026<p>In-app billing also uses nonces (a random number used once) to help verify the integrity of the
1027purchase information that's returned from Google Play. Your application must generate a nonce and
1028send it with a <code>GET_PURCHASE_INFORMATION</code> request and a <code>RESTORE_TRANSACTIONS</code>
1029request. When Google Play receives the request, it adds the nonce to the JSON string that
1030contains the transaction information. The JSON string is then signed and returned to your
1031application. When your application receives the JSON string, you need to verify the nonce as well as
1032the signature of the JSON string.</p>
1033
1034<p>For more information about best practices for security and design, see <a
1035href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a>.</p>
1036
1037<h3 id="billing-signatures">Verifying signatures and nonces</h3>
1038
1039<p>Google Play's in-app billing service uses two mechanisms to help verify the integrity of the
1040transaction information you receive from Google Play: nonces and signatures. A nonce (number used
1041once) is a cryptographically secure number that your application generates and sends with every
1042<code>GET_PURCHASE_INFORMATION</code> and <code>RESTORE_TRANSACTIONS</code> request. The nonce is
1043returned with the <code>PURCHASE_STATE_CHANGED</code> broadcast intent, enabling you to verify that
1044any given <code>PURCHASE_STATE_CHANGED</code> response corresponds to an actual request that you
1045made. Every <code>PURCHASE_STATE_CHANGED</code> broadcast intent also includes a signed JSON string
1046and a signature, which you can use to verify the integrity of the response.</p>
1047
1048<p>Your application must provide a way to generate, manage, and verify nonces. The following sample
1049code shows some simple methods you can use to do this.</p>
1050
1051<pre>
1052  private static final SecureRandom RANDOM = new SecureRandom();
1053  private static HashSet&lt;Long&gt; sKnownNonces = new HashSet&lt;Long&gt;();
1054
1055  public static long generateNonce() {
1056    long nonce = RANDOM.nextLong();
1057    sKnownNonces.add(nonce);
1058    return nonce;
1059  }
1060
1061  public static void removeNonce(long nonce) {
1062    sKnownNonces.remove(nonce);
1063  }
1064
1065  public static boolean isNonceKnown(long nonce) {
1066    return sKnownNonces.contains(nonce);
1067  }
1068</pre>
1069
1070<p>Your application must also provide a way to verify the signatures that accompany every
1071<code>PURCHASE_STATE_CHANGED</code> broadcast intent. The <code>Security.java</code> file in the
1072sample application shows you how to do this. If you use this file as a basis for your own security
1073implementation, be sure to follow the guidelines in <a
1074href="{@docRoot}google/play/billing/billing_best_practices.html">Security and Design</a> and
1075obfuscate your code.</p>
1076
1077<p>You will need to use your Google Play public key to perform the signature verification. The
1078following procedure shows you how to retrieve Base64-encoded public key from the Google Play
1079Developer Console.</p>
1080
1081<ol>
1082  <li>Log in to your <a href="http://play.google.com/apps/publish">publisher account</a>.</li>
1083  <li>On the upper left part of the page, click <strong>All applications</strong> and then click
1084  the app name in the listing.</li>
1085  <li>Click <em>Services &amp; APIs</em> and find "Your License Key for this Application" on the page. </li>
1086  <li>Copy the app's public key.</li>
1087</ol>
1088
1089<p class="caution"><strong>Important</strong>: To keep your public key safe from malicious users and
1090hackers, do not embed your public key as an entire literal string. Instead, construct the string at
1091runtime from pieces or use bit manipulation (for example, XOR with some other string) to hide the
1092actual key. The key itself is not secret information, but you do not want to make it easy for a
1093hacker or malicious user to replace the public key with another key.</p>
1094
1095<div style="width:640px;">
1096<img src="{@docRoot}images/licensing_public_key.png" class="frame">
1097<p class="img-caption"><strong>Figure
10982.</strong> An app's license key is available from the Services &amp; APIs page in
1099the Developer Console.</p>
1100</div>
1101
1102
1103<h2 id="billing-implement">Modifying Your Application Code</h2>
1104
1105<p>After you finish adding in-app billing components to your project, you are ready to modify your
1106application's code. For a typical implementation, like the one that is demonstrated in the sample
1107application, this means you need to write code to do the following: </p>
1108
1109<ul>
1110  <li>Create a storage mechanism for storing users' purchase information.</li>
1111  <li>Create a user interface that lets users select items for purchase.</li>
1112</ul>
1113
1114<p>The sample code in <code>Dungeons.java</code> shows you how to do both of these tasks.</p>
1115
1116<h3>Creating a storage mechanism for storing purchase information</h3>
1117
1118<p>You must set up a database or some other mechanism for storing users' purchase information. The
1119sample application provides an example database (PurchaseDatabase.java); however, the example
1120database has been simplified for clarity and does not exhibit the security best practices that we
1121recommend. If you have a remote server, we recommend that you store purchase information on your
1122server instead of in a local database on a device. For more information about security best
1123practices, see <a href="{@docRoot}google/play/billing/billing_best_practices.html">Security and
1124Design</a>.</p>
1125
1126<p class="note"><strong>Note</strong>: If you store any purchase information on a device, be sure to
1127encrypt the data and use a device-specific encryption key. Also, if the purchase type for any of
1128your items is "unmanaged," we recommend that you back up the purchase information for these items to
1129a remote server or use Android's <a href="{@docRoot}guide/topics/data/backup.html">data
1130backup</a> framework to back up the purchase information. Backing up purchase information for
1131unmanaged items is important because unmanaged items cannot be restored by using the
1132<code>RESTORE_TRANSACTIONS</code> request type.</p>
1133
1134<h3>Creating a user interface for selecting items</h3>
1135
1136<p>You must provide users with a means for selecting items that they want to purchase. Google
1137Play provides the checkout user interface (which is where the user provides a form of payment and
1138approves the purchase), but your application must provide a control (widget) that invokes the
1139<code>sendBillingRequest()</code> method when a user selects an item for purchase.</p>
1140
1141<p>You can render the control and trigger the <code>sendBillingRequest()</code> method any way you
1142want. The sample application uses a spinner widget and a button to present items to a user and
1143trigger a billing request (see <code>Dungeons.java</code>). The user interface also shows a list of
1144recently purchased items.</p>
1145
1146