Test & Security
Overview
ONE store supports billing tests for in-app products in the development environment (hereafter Sandbox) or in the commercial billing environment (hereafter commercial test).
Sandbox is a virtual billing environment, not the commercial one. On the billing screen, select the response you want (billing success or billing failure), and Sandbox will send the corresponding result.
The commercial test performs the billing of the corresponding in-app product in the commercial billing environment and sends the billing result.
If the billing is not cancelled in the commercial test environment, it could lead to a charge, and therefore the billing must be cancelled after the billing test.
Caution
All in-app products must be tested at least once in Sandbox. If even one in-app product has not been tested, the ‘Request for Review’ button will not be activated.
To test in the development and commercial environments, the ONE store ID must be registered as a test ID before the test. Note that if you test with a ONE store ID that has not been registered as a test ID, the test in Sandbox will not be available, and in the commercial test environment actual commercial billing, not test billing, will be performed, leading to a charge.
ONE store shall not be liable for any payments made by the test ID. Test ID management and billing tests must be performed under the supervision of the person in charge at the developer.
In-App Billing Test Process
In-App Billing Test Screen
If you click on the ‘Billing Test’ button on the ‘Developer Center > Apps > Select In-Apps > In-App Information’ screen, the in-app billing test screen opens.
On the in-app billing test screen you can manage test IDs and search the billing test results.
Register/Manage Test ID
You must register a test ID to perform the in-app billing test in the development and commercial environments.
If you select the ‘Test ID mgmt.’ tab on the in-app billing test screen, you will be taken to the test ID management screen.
A test ID is a ONE store ID, so first check that the ID is registered on ONE store and then register it as a test ID.
If you are not a ONE store member, run the ONE store app, generate a ONE store ID for testing, and then register this ID as a test ID.
Refer to ‘Generate ONE store ID’ below for how to generate a ONE store ID.
- Generate ONE store ID
Install & execute ONE store app
Sign up to ONE store
If you are a new member, you can sign up to ONE store with your social accounts, including Facebook and Google.
Consent to ONE store terms and conditions
The red dotted line indicates the required terms to which you MUST consent to use ONE store.
ONE store terms and conditions
Terms and conditions of electronic financial transactions
Terms and conditions of collection and use of personal information
Terms and conditions of provision of personal information to a third party
The blue dotted line indicates the optional terms and conditions to use additional functions when you use ONE store.
Terms and conditions of consent to acceptance of benefits notifications
Terms and conditions of collection and use of personal information for provision of customized benefits
Terms and conditions of consent to utilize app usage information for provision of customized benefits
If you tick the boxes to give consent to the terms using the information and click on the ‘Sign up’ button within the red solid line at the bottom right, you will be moved to the next stage.
Select age group
- Register test ID
Search for the ONE store ID to be used as the test ID.
After checking the ONE store ID, select the billing environment (Sandbox or commercial test) in which this test ID will perform the billing test.
Enter a reference note, if necessary, and register the test ID by clicking on the registration button.
You can select only one test ID for one billing environment, and you can change the billing environment settings at any time.
With the registered test ID, you can set up the environment in which you will perform the billing test.
When you change the test ID billing environment, you must click on the ‘Save’ button to save the new settings.
- Delete test ID (individual, batch deletion)
If a test ID is no longer valid, you can remove it.
You can delete test IDs individually by clicking on the ‘Remove’ button, or remove them in a batch by ticking multiple test IDs and clicking on the ‘Delete the selected test IDs’ button.
- Export test IDs to other apps
If you use the same test ID for multiple apps, you can export the test ID to other apps.
The check box is activated only for apps to which test IDs can be exported. Select the apps to which the test IDs will be exported and then click on the ‘Export’ button.
Note
If the binary (apk) is not registered in the targeted app, only the test ID set to Sandbox will be exported.
Billing Test in Sandbox environment (required)
Sandbox is a virtual billing environment, not the commercial one. On the billing screen, select the response you want (billing success or billing failure), and Sandbox will send the corresponding result.
You can search the history of the billing made in Sandbox at the ‘Sandbox’ tab of the in-app billing test screen, and the billing cancellation is also available.
All in-app products must be tested at least once in Sandbox. If even one in-app product has not been tested, the ‘Request for Review’ button will not be activated.
The information on the test environment (commercial & Sandbox) will be maintained in the memory while being connected to OSS. If you have changed the test environment of the test ID through Developer Center, you must shut down and re-start the app.
Note
Sandbox billing test is available only when the test ID is set to Sandbox.
For the in-app on which the Sandbox billing test has not been performed, the test value of the in-app will be set to ‘N’. If the test is performed, the value will change to ‘Y’.
Billing Test in Commercial Environment (optional)
The commercial test performs the billing of the corresponding in-app in the commercial billing environment and sends the billing result.
You can search the history of the billing made in the commercial test at the ‘Commercial Test’ tab of the in-app billing test screen, and the billing cancellation is also available.
Unless the billing is cancelled in the commercial test environment, it might lead to a charge. The billing must therefore be cancelled after the billing test.
For registered in-app products, payment in the commercial environment is possible only if you have registered a commercial test ID.
Note
The billing test is available only when the test ID is set to the commercial test in the commercial test environment.
Note that if the billing is made either with the test ID that has not been set to the commercial test, or with ONE store ID that has not been registered as the test ID, the actual commercial billing instead of the test billing will be made, thereby leading to a charge. If the actual commercial billing has been made, immediately send the billing details to ONE store and request the billing cancellation.
Check In-App Billing Test Result & Cancel Billing
You can check the billing status of the in-app billing test history and cancel the billing.
You can search the history of the billing made in Sandbox at the ‘Sandbox’ tab, and the history of the billing made in the commercial test at the ‘Commercial Test’ tab of the in-app billing test screen.
Security & Authentication
- Security of In-App Purchase (IAP)
ONE store IAP protects billing by checking the validity of a signature, which confirms whether the data has been forged or falsified. Mobile apps are exposed to many kinds of attack, so it is recommended to perform signature authentication in the developer’s app or server to minimize the risk. The following describes what the developer needs to prepare additionally for safer IAP.
Use the developer’s server
To hinder attacks such as APK reverse engineering, keep the implementation code, the public key and similar material on the server, and perform the authentication there.
In addition, when you store purchase information, it is better to use the developer server’s storage rather than the terminal’s storage, and to confirm the permission to use the item against it.
Use modified code
The sample code provided by ONE store is open to many people, and therefore it is recommended to revise the code before using it instead of using the original one. If you use the same code, you might be easily exposed to the attacks as much
It is better to protect the billing-related code with code obfuscation tools such as Proguard.
Even for the public key, embedding it in the app code as a plain string is not safe. Reduce its exposure by XORing it with other strings so that attackers cannot easily get at it.
Use the ‘developerPayload’ field in the billing request
You can make the check of the billing result more secure by putting additional data for security review, such as a timestamp, into this field.
- How to authenticate ONE store IAP
Prepare authentication
Use RSA as the key algorithm for authentication, and use ‘SHA512withRSA’ as the signature algorithm.
For the signature verification key, refer to ‘Check License Key (public key) & OAuth Credentials’ in the Pre-preparations page.
Store and use the signature verification key in a way appropriate to where the authentication is performed, such as the terminal or the server.
Signature authentication sample code
The SDK provides the 'AppSecurity' utility class, and you can perform the signature authentication by using its 'verifyPurchase' method.
A developer who wants to perform the signature authentication directly, without using the SDK, must implement code that performs the same function as 'AppSecurity'.
For details about the implementation, refer to the sample distributed with the SDK library.
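The signature check described above, written with the standard Java security API as an added example (it is not the SDK's 'AppSecurity' class or ONE store's sample code). It assumes the license key is a Base64-encoded X.509 RSA public key and the signature is Base64-encoded; the key pair, purchase data and field names in main() are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class PurchaseSignatureCheck {

    // Verifies a Base64 signature over the exact purchase-data string with SHA512withRSA.
    // Assumption: base64PublicKey is an X.509 (SubjectPublicKeyInfo) RSA key in Base64.
    static boolean verifyPurchase(String base64PublicKey, String signedData, String base64Signature) {
        if (base64PublicKey == null || signedData == null || signedData.isEmpty()
                || base64Signature == null || base64Signature.isEmpty()) {
            return false; // missing key, data or signature is never a valid purchase
        }
        try {
            byte[] keyBytes = Base64.getDecoder().decode(base64PublicKey);
            PublicKey key = KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(keyBytes));
            Signature verifier = Signature.getInstance("SHA512withRSA");
            verifier.initVerify(key);
            // Verify the bytes exactly as received; re-serialising the JSON first would break the check.
            verifier.update(signedData.getBytes(StandardCharsets.UTF_8));
            return verifier.verify(Base64.getDecoder().decode(base64Signature));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // bad key, bad Base64 or malformed signature: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the store's signing key and the app's license key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String licenseKey = Base64.getEncoder().encodeToString(pair.getPublic().getEncoded());

        // Constructed purchase data; the field names and values are illustrative only.
        String data = "{\"productId\":\"p5000\",\"developerPayload\":\"order-1001:1700000000\"}";
        Signature signer = Signature.getInstance("SHA512withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getEncoder().encodeToString(signer.sign());

        System.out.println("genuine:  " + verifyPurchase(licenseKey, data, sig));
        System.out.println("tampered: " + verifyPurchase(licenseKey, data.replace("p5000", "p99000"), sig));
        System.out.println("no sig:   " + verifyPurchase(licenseKey, data, ""));
    }
}
```

Because the signature covers the whole purchase-data string, a value placed in 'developerPayload' at request time can be compared with the server's own record only after this check has returned true.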