As your app grows in popularity, it can also attract the unwanted attention of malicious users that might want to abuse your app. This topic describes recommendations that you should use to help prevent these attacks on your billing integration and decrease the impact of abuse in your app.

Move sensitive logic to your backend

As much as your app design permits, move sensitive data and logic to a backend server that you control. The more data and logic you have in a frontend device, the more vulnerable it is to being modified or tampered with.

For example, an online chess game should validate all moves in the backend instead of trusting that the frontend always sends legal moves.

Furthermore, if you find vulnerabilities or security issues, depending on your system design, it might be easier to debug, fix, and roll out updates on the backend rather than the frontend.

Verify purchases before granting entitlements

A special case of sensitive data and logic that should be handled in the backend is purchase verification. After a user has made a purchase, you should do the following:

Send the corresponding purchaseToken to your backend. This means that you should maintain a record of all purchaseToken values for all purchases. Verify that the purchaseToken value for the current purchase does not match any previous purchaseToken values. purchaseToken is globally unique, so you can safely use this value as a primary key in your database. Use the Purchases.products:get or Purchases.subscriptions:get endpoints in the Google Play Developer API to verify with Google that the purchase is legitimate. If the purchase is legitimate and has not been used in the past, you can then safely grant entitlement to the in-app item or subscription. For subscriptions, when linkedPurchaseToken is set in Purchases.subscriptions:get , you should also remove the linkedPurchaseToken from your database and revoke the entitlement that is granted to the linkedPurchaseToken to ensure that multiple users are not entitled for the same purchase.

Note: Do not use orderId to check for duplicate purchases or as a primary key in your database, as not all purchases are guaranteed to generate an orderId . In particular, purchases made with promo codes do not generate an orderId .

Protecting your unlocked content

To prevent malicious users from redistributing your unlocked content, do not bundle it in your APK file. Instead, do one of the following:

Use a real-time service to deliver your content, such as a content feed. Delivering content through a real-time service also enables you to keep your content fresh.

Use a remote server to deliver your content.

When you deliver content from a remote server or a real-time service, you can store the unlocked content in device memory or store it on the device's SD card. If you store content on an SD card, be sure to encrypt the content and use a device-specific encryption key.

Detect and handle voided purchases

Voided purchases are purchases that have been canceled, revoked, or charged back. If a voided purchase had previously granted in-app items or other content to a user, you can use the Voided Purchases API to obtain the reason the purchase was voided along with any associated content that you can claw back.

Note: Voided purchases without any associated clawback content are not exposed by the Voided Purchases API.

Purchases for in-app items and subscriptions can be voided for a variety of reasons, including the following:

A purchase is canceled, either by the user, by the developer, or by Google. For subscriptions, note that this refers to canceling the purchase of a subscription, rather than canceling the subscription itself.

A purchase is charged back.

The app developer cancels or refunds a user order and checks the "revoke" option in the console.

Based on the reason for the voided purchase, and taking previous user behavioral data into account, you can decide on a course of action. We recommend implementing one or more of the following:

Perform clawbacks: When a purchase is voided, you can claw back unused items as if they were never purchased. For example, if an in-game currency purchase was voided, you could claw back currency that was already granted to the user. In the case where the user has already spent the currency, consider setting the currency balance to negative and limiting app activity and future purchases until the currency balance is positive.

When a purchase is voided, you can claw back unused items as if they were never purchased. For example, if an in-game currency purchase was voided, you could claw back currency that was already granted to the user. In the case where the user has already spent the currency, consider setting the currency balance to negative and limiting app activity and future purchases until the currency balance is positive. Multiple strikes implementation: Consider taking less drastic actions for first-time offenders, such as displaying in-app warnings. For repeat offenders, consider more severe measures.

Consider taking less drastic actions for first-time offenders, such as displaying in-app warnings. For repeat offenders, consider more severe measures. Temporarily disable purchases: Similar to the multiple strikes implementation, consider disabling purchases for users with voided purchases until you can more thoroughly investigate why the purchases were voided.

Similar to the multiple strikes implementation, consider disabling purchases for users with voided purchases until you can more thoroughly investigate why the purchases were voided. Temporarily or permanently disallow access to your app: For extreme cases with repeated malicious activity, consider disallowing access to your app, either temporarily or permanently.

For extreme cases with repeated malicious activity, consider disallowing access to your app, either temporarily or permanently. Make frequent calls to the Voided Purchases API: When you detect one or more voided purchases, consider making more frequent calls to the Voided Purchases API to claw back purchases before the user can consume them. You can find more information on Voided Purchases API quotas in the Voided Purchases API documentation.

Help Google detect fraud before it happens

Some types of fraud are related to malicious users who create multiple Google and in-app accounts to hide their activity.

Use the setObfuscatedAccountId and setObfuscatedProfileId methods in the builder for BillingFlowParams to help Google map Google accounts to in-app accounts.

Google uses this data to detect suspicious behavior and block some types of fraudulent transactions before they are completed.

Taking action against trademark and copyright infringement

If you are using a remote server to deliver or manage content, have your app verify the purchase state of the unlocked content whenever a user accesses the content. This allows you to revoke use when necessary and minimize piracy. If you see your content being redistributed on Google Play, be sure to act quickly and decisively. For more details, see the Frequently Asked Copyright Questions page in the Copyright Help Center.