Test Purchases and Security
ONE store supports payment testing of in-app products in a development environment (hereafter called “Sandbox”) or in the commercial billing environment (hereafter called the “commercial test”).
Sandbox is a virtual billing environment, not the commercial billing environment. On the billing screen you choose whether the billing should succeed or fail, and Sandbox returns the response that matches your choice.
The commercial test processes the billing for in-app products in the commercial billing environment and returns the billing result. If you pay in the commercial test environment and do not cancel the billing, charges may be incurred. You must cancel the billing after completing the billing test.
Cautions
All in-app products must be tested in Sandbox at least once. If there is even one in-app product that has not been tested, the Request for Review button will not be activated.
To perform tests in the development and commercial environments, the ONE store ID must be registered as a test ID in advance. If you test with an unregistered ONE store ID, you will not be able to test in Sandbox, and the actual payment will be processed and charged in the commercial test environment.
ONE store is not liable for any payment made through the test ID. Manage the test ID and carry out the billing test under the supervision of the developer's manager.
In-App Payment Test Process
In-App Billing Test Pop-up
To run the test, click the "Billing Test" button under "In-App", a submenu of the "Apps" menu in the Developer Center. This displays the "In-App Billing Test" pop-up.
Register/Manage ONE store ID
To perform the commercial test, you are required to register a test account on the "Test ID mgmt." tab of the "In-App Billing Test" pop-up.
The test ID must be a ONE store user account (ID member), so you need to create one in advance or already have one (supported ID types: ONE store, Naver, Facebook, Google IDs).
A ONE store ID can be registered as either a Commercial ONE store ID or a Sandbox ONE store ID. One ONE store ID cannot be registered as both a Commercial ONE store ID and a Sandbox ONE store ID at the same time.
- Revise ONE store ID Test Environment
For a registered ONE store ID, only the test environment (Sandbox or Commercial Test) can be changed.
Select the ONE store ID to be revised from the ONE store ID list, change the test environment, and then save the change by clicking the 'Save' button.
- Export Test IDs to Other Apps
The list of ONE store IDs of the app currently under test can be exported to other apps owned by the logged-in account.
The checkboxes are activated and selectable only for apps with IAP V5 (SDK V17.00.00 and above). For apps with IAP V4 (SDK V16.03.00 and below) and without IAP V5, the checkboxes are deactivated.
To export the accounts, select the checkboxes and click the 'Export' button.
Perform Sandbox Test (required)
The test environment information (Commercial or Sandbox) remains in memory while the app is connected to the ONE store service. If you have changed the test environment of your test ID in the Developer Center, you must quit and restart your app.
After launching the app you have developed, run the test by purchasing in-app products (the test is performed if the tester's test environment is Sandbox Test). For in-app products that have been tested, the value of the 'Tested' field in the list of in-app products changes from N to Y.
Before the test, the value of the 'Tested' field is N.
After the test, the value of the 'Tested' field is Y.
Perform Commercial Test (optional)
After launching the app you have developed, run the test by purchasing in-app products (the test is performed if the tester's test environment is Commercial Test). The purchase of any in-app product bought during the test must be cancelled.
Confirm Commercial Test Results
Payment history can be searched by Status, Date of test, and Condition (All, ONE store ID, In-App ID).
When checking by ONE store ID, only accounts registered as Sandbox Test accounts can be checked.
After checking the payment history, you can download it as an Excel file by clicking the 'Download search results' button.
If the payment status in the payment history is success, the 'Cancel' button is activated and you can cancel the purchase.
Payment history can be searched by Status, Date of test, and Condition (All, ONE store ID, In-App ID).
When checking by ONE store ID, only accounts registered as Commercial Test accounts can be checked.
After checking the payment history, you can download it as an Excel file by clicking the 'Download search results' button.
If the payment status in the payment history is success, the 'Cancel' button is activated and you can cancel the purchase.
Security & Authentication
- Security of In-App Purchases
For secure payment, ONE store's IAP V5 uses signature validation to check whether data has been forged or falsified. Since mobile apps are exposed to many attacks, it is recommended to perform the signature verification in the developer's app or on the developer's server in order to minimize such risk. The following are additional preparations that developers need to make for a more secure IAP.
Use Developer's Server
To make attacks based on APK reverse engineering difficult, ensure that the implementation code and the public key are kept on the server and that authentication can be performed there.
When saving purchase information, it is recommended to check the permission to use items against the developer's server storage rather than the storage of the terminal.
Use Modified Code
The sample code provided by ONE store is open to many people, so it is recommended to modify the code before use rather than use the original as is. If you use the same code, you become that much more vulnerable to attacks.
It is recommended to protect payment-related code with a code obfuscation tool such as ProGuard.
Embedding the public key in the app code as a plain string is not safe. It is safer to make it less accessible to attackers, for example by XORing it with other strings so that it is not easily exposed.
Use the 'developerPayload' field upon Payment Request
Developers can put arbitrary information in the ‘developerPayload’ field of the payment request and receive it back when the payment is completed. Verification of payment results can be made more secure by placing additional security verification data, combined with a timestamp, in this field.
- How to Authenticate ONE store In-App Purchases
Preparation for Authentication
The key algorithm for authentication is RSA, and the signature algorithm is ‘SHA512withRSA’. You can check the issued signature verification key in 'Issue License Key'. Store the signature verification key appropriately for the location where authentication is performed, such as the terminal or the server.
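The following added example (not ONE store's SDK or sample code) shows a server-side check that combines the ‘SHA512withRSA’ signature verification with a timestamped ‘developerPayload’, written for Node.js. The payload layout, the HMAC secret, the 10-minute window, the `productId` field, the function names and the throwaway key pair are assumptions made for the illustration; loading the real key issued in 'Issue License Key' is left to the caller.

```javascript
// Added example: server-side purchase checks (not ONE store SDK code).
const crypto = require('node:crypto');

const PAYLOAD_SECRET = crypto.randomBytes(32); // server-only HMAC key (assumption)
const MAX_AGE_MS = 10 * 60 * 1000;             // freshness window (assumption)
const usedNonces = new Set();                  // in-memory replay cache for the demo

const mac = (userId, ts, nonce) => crypto.createHmac('sha256', PAYLOAD_SECRET)
  .update(`${userId}.${ts}.${nonce}`).digest();

// Issued by the server before the app sends the payment request.
function issueDeveloperPayload(userId, now = Date.now()) {
  const nonce = crypto.randomBytes(12).toString('hex');
  return `${now}.${nonce}.${mac(userId, now, nonce).toString('hex')}`;
}

// Returns null when the payload is ours, fresh and unused; otherwise a reason.
function checkDeveloperPayload(payload, userId, now = Date.now()) {
  const [ts, nonce, tag] = String(payload).split('.');
  if (!ts || !nonce || !tag) return 'malformed payload';
  const got = Buffer.from(tag, 'hex'), want = mac(userId, ts, nonce);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return 'payload not issued by this server';
  if (now - Number(ts) > MAX_AGE_MS) return 'payload expired';
  if (usedNonces.has(nonce)) return 'payload replayed';
  usedNonces.add(nonce);
  return null;
}

// purchaseData: the exact string that was signed; signatureB64: Base64 signature;
// publicKey: the signature verification key, already loaded as PEM or KeyObject.
function verifyPurchase(purchaseData, signatureB64, publicKey, userId, now = Date.now()) {
  // 'sha512' with an RSA key means PKCS#1 v1.5 padding, which is Java's SHA512withRSA.
  const ok = crypto.verify('sha512', Buffer.from(purchaseData, 'utf8'), publicKey,
    Buffer.from(signatureB64, 'base64'));
  if (!ok) return { valid: false, reason: 'bad signature' };
  const purchase = JSON.parse(purchaseData); // parse only after the signature passes
  const reason = checkDeveloperPayload(purchase.developerPayload, userId, now);
  return reason ? { valid: false, reason } : { valid: true, purchase };
}

// Constructed demo: a throwaway key pair stands in for the store's signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const data = JSON.stringify({ productId: 'sample_item', developerPayload: issueDeveloperPayload('user-1') });
  const sig = crypto.sign('sha512', Buffer.from(data), privateKey).toString('base64');
  const forged = data.replace('sample_item', 'premium_item');
  return [data, data, forged].map((d) => verifyPurchase(d, sig, publicKey, 'user-1'));
}
console.log(demo().map((r) => r.valid || r.reason));
```

The signature is checked over the received string before it is parsed, so a modified purchase record is rejected before any of its fields are trusted.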
Signature Verification Sample Code
The SDK provides the 'AppSecurity' utility class, and the signature verification can be performed with its 'verifyPurchase' method. If developers want to perform the signature verification themselves without using the SDK, they are required to directly