Test Purchases and Security

Overview

ONE store supports payment testing of in-app products in a development environment (hereafter called 'Sandbox') or in the commercial billing environment (hereafter called the 'commercial test'). Sandbox is a virtual billing environment, not the commercial billing environment. You choose billing success or failure on the billing screen, and Sandbox returns the response that matches your choice. The commercial test processes the billing for in-app products in the commercial billing environment and returns the billing result. If you pay in the commercial test environment and do not cancel the billing, you may be charged. You must cancel the billing after completing the billing test.

  • All in-app products must be tested in Sandbox at least once. If there is even one in-app product that has not been tested, the Request for Review button will not be activated.

  • To perform a test in the Sandbox and commercial environments, ONE store ID must be registered as a test ID in advance. Please be aware that if you perform the test with an unregistered ONE store ID, you will not be able to perform the test in Sandbox and the actual payment will be processed and charged in the commercial test environment.

  • ONE store is not liable for any payment made through the test ID. Please proceed with the management of the test ID and the billing test under the supervision of the manager of the developer.

IAP Test Process

IAP Test Screen

If you click on the Billing Test button on the Developer Center > Apps > Select In-Apps > In-App Information screen, then the in-app billing test screen will be provided. You can manage the test ID or search for the billing test result in the in-app billing test screen.

Register/Manage Test ID

You must register a test ID to perform the in-app billing test in the development and commercial environments. If you select the 'Test ID mgmt.' tab on the in-app billing test screen, you will be moved to the test ID management screen. The test ID is the same as ONE store ID, and you can register the test ID after checking if you have the ID registered on ONE store. If you are not registered as a ONE store member, run the ONE store app and generate a ONE store ID for the test and then register this ID as the test ID. Refer to 'Generate ONE store ID' below on how to generate ONE store ID.

  • Generate a ONE store ID

  • Create an account: If you are a new member, you can sign up for ONE store with social media accounts, including NAVER, Facebook and Google.

  • Agree to the ONE store Terms and Conditions: If you sign up with the social account you want, you must give consent to the Terms and Conditions to use ONE store.

  • The red dotted line indicates the required terms to which you MUST consent to use ONE store.

    • ONE store Terms and Conditions

    • Terms and Conditions of Electronic Financial Transactions

    • Terms and Conditions of Collection and Use of Personal Information

    • Terms and Conditions of Provision of Personal Information to a Third Party

  • The blue dotted line indicates the optional terms to use additional functions on ONE store.

    • Terms and Conditions of Consent to Acceptance of Benefits Notifications

    • Terms and Conditions of Collection and Use of Personal Information for Provision of Customized Benefits

    • Terms and Conditions of Consent to Utilize App Usage Information for Provision of Customized Benefits

  • Once you have ticked the boxes to give consent to the terms, click on the Sign Up button on the bottom right to proceed to the next step.

  • Select age group: If you are under 14 years old, click on the white button on the left. If you are over 14 years old, click on the red button on the right.

  • Register test ID

    • Search for the ONE store ID to be used as a test ID.

    • After checking the ONE store ID, select the billing environment (Sandbox or commercial test) to perform the billing test with this test ID.

    • Enter references, if necessary, and register the test ID by clicking on the registration button.

      Only one test ID can be selected for a billing environment. The billing environment settings can be changed at any time.

    • With the registered test ID, you can set up the environment in which you will perform the billing test.

    • When you change the test ID billing environment, you must click on the 'Save' button to save the new settings.

  • Delete test ID

    • If the test ID is no longer valid, you can remove it.

    • You can delete the test IDs individually by clicking on the Remove button, or you can remove them in a batch after ticking the multiple test IDs and clicking on the Delete the Selected Test IDs button.

  • Export test ID

    • If you use the same test ID in common for multiple apps, you can export the test ID to other apps.

    • The check box will be activated only for the apps to which test IDs can be exported. Select the apps to which the test IDs will be exported and then click on the 'Export' button.

Payment Test in the Sandbox Environment (required)

Sandbox Testing for Payment and Validation

Sandbox is a virtual billing environment (not a commercial billing environment). If you select the desired response from the billing screen that shows the billing failure or success, you will receive the response results. You can search the history of the billing made in Sandbox at the 'Sandbox' tab of the in-app billing test screen, and the billing cancellation is also available. Initially, all in-app products must be tested at least once in Sandbox, and if there is even one in-app product that has not been tested, the verification request button will not be activated.

The information on the test environment (commercial & Sandbox) will be maintained in the memory while being connected to OSS. If you have changed the test environment of the test ID through the Developer Center, you must restart the app.

  • Sandbox billing test is only available when the test ID is set to Sandbox.

  • For the in-app on which the Sandbox billing test has not been performed, the test value of the in-app will be set to 'N'. If the test is performed, the value will change to 'Y'.

Sandbox Testing for Subscription Products

If the payment cycle is set to match the actual time when developing subscription products, the test requires too much time. Therefore, in the sandbox environment, we facilitate smoother testing by adjusting the time required for each subscription cycle. The time flow within Sandbox for each billing cycle and function is as follows:

| Billing Cycle | Time (Sandbox) |
| --- | --- |
| 1 week | 5 minutes |
| 1 month | 5 minutes |
| 3 months | 10 minutes |
| 6 months | 15 minutes |
| 1 year | 30 minutes |

| Function | Time (Sandbox) |
| --- | --- |
| Free subscription | 3 minutes |
| Grace period | 5 minutes |
| Account on hold | 10 minutes |
| Price change (7 days) | 5 minutes |
| Duration of agreement to price change (30 days) | 5 minutes |

Billing Test in Commercial Environment (optional)

The commercial test performs the billing of the corresponding in-app in the commercial billing environment and sends the billing result. You can search the history of the billing made in the commercial test at the Commercial Test tab of the in-app billing test screen, and the billing cancellation is also available. Unless the billing is canceled in the commercial test environment, it might lead to a charge, therefore the billing must be canceled after the billing test.

  • The billing test is available only when the test ID is set to the commercial test in the commercial test environment.

  • If a test is conducted using a ONE store ID that has not been registered as a test ID, the test in Sandbox will not be available. In the commercial test environment, the billing will be performed as an actual payment, not as a test, and will lead to a charge. If an actual commercial billing has been made, immediately send the billing details to ONE store and request the billing cancellation.

Check In-App Billing Test Result and Cancel Billing

You can check the billing status of the in-app billing test history and cancel the billing. You can search the history of the billing made in Sandbox at the 'Sandbox' tab, and the history of the billing made in the commercial test at the 'Commercial Test' tab of the in-app billing test screen.

Sandbox environment

  • Provides the history of the billing tested in the Sandbox environment.

  • You can search the paid in-app information and billing status, or cancel the billing.

Commercial test environment

  • Provides the history of the billing tested in the commercial test environment.

  • You can search the paid in-app information and billing status, or cancel the billing.

Security and Authentication

  • Security of In-App Purchase (IAP)

    • For safe billing, ONE store IAP checks the validity of a signature to confirm that the data has not been forged or falsified. Mobile apps are exposed to multiple kinds of attack, so it is recommended to perform signature authentication in the developer's app or server to minimize this risk. The following describes what the developer must additionally prepare for safer IAP.

    • Using the developer's server

      • To prevent attacks using APK Reverse Engineering, etc., store the implementation code and public key, etc. in the server, and perform authentication.

      • In addition, when you store the purchase information, it is better to use the developer server's storage rather than the terminal's storage and then to confirm the permission to use the item.

    • Using a modified code

      • The sample code provided by ONE store is open to many people, and therefore it is recommended to revise the code before using it instead of using the original one. Using the original code may lead to exposure issues or attacks.

      • It is better to protect the code related to the billing by using code obfuscation tools, including Proguard.

      • Even for the public key, placing it in the app code as a plain string is not safe. Prevent easy exposure, for example by XORing it with other strings, so that attackers cannot easily access it.

    • Using the 'developerPayload' field at the request of billing

      • Developers can put random information in the 'developerPayload' field of the payment request and receive it back when the payment is completed. Verification of payment results can be made more secure by putting additional security verification data, combined with a timestamp, in this field.

  • How to authenticate ONE store IAP

    • Prepare authentication

      • Use RSA as the key algorithm for authentication, and use 'SHA512withRSA' as the signature algorithm. For the signature verification key, refer to 'Check License Key (public key) & OAuth Credentials' in the Pre-Preparations page. Store and use the signature verification key appropriately depending on where the authentication is performed, such as the terminal or server.

    • Signature authentication sample code

      • The SDK provides the 'AppSecurity' utility class, and you can perform the signature authentication by using its 'verifyPurchase' method. Developers who want to perform the signature authentication directly, without using the SDK, must implement code that performs the same function as 'AppSecurity' themselves. For details about the implementation, refer to the sample distributed with the SDK library.
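
The server-side checks recommended above ('SHA512withRSA' signature verification plus a timestamped 'developerPayload'), as an added example that is not ONE store's SDK or sample code. It assumes the license key is a Base64-encoded X.509 public key and that the signed purchase data is JSON with 'productId' and 'developerPayload' fields; the payload layout, the HMAC secret and all function names are hypothetical.

```javascript
// Added example: server-side purchase checks (assumed formats, not ONE store SDK code).
const crypto = require('node:crypto');
const PAYLOAD_SECRET = crypto.randomBytes(32); // server-only HMAC key (constructed)
const MAX_AGE_MS = 15 * 60 * 1000;             // assumed freshness window
function payloadMac(userId, productId, ts, nonce) {
  return crypto.createHmac('sha256', PAYLOAD_SECRET).update(`${userId}|${productId}|${ts}|${nonce}`).digest('hex');
}
// The server issues this before the app sends the payment request.
function issuePayload(userId, productId, now = Date.now()) {
  const nonce = crypto.randomBytes(8).toString('hex');
  return `${now}.${nonce}.${payloadMac(userId, productId, now, nonce)}`;
}
// Java's 'SHA512withRSA' is RSASSA-PKCS1-v1_5 with SHA-512, Node's default RSA padding.
function verifySignature(purchaseData, signatureB64, publicKeyB64) {
  try {
    const der = Buffer.from(publicKeyB64, 'base64'); // assumed: Base64 X.509 (SPKI) key
    const key = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
    return crypto.verify('sha512', Buffer.from(purchaseData, 'utf8'), key,
      Buffer.from(signatureB64, 'base64'));
  } catch { return false; } // malformed key or signature counts as a failure
}
// Signature first, then the developerPayload binding (user, product) and its age.
function checkPurchase(purchaseData, signatureB64, publicKeyB64, userId, now = Date.now()) {
  if (!verifySignature(purchaseData, signatureB64, publicKeyB64)) return 'bad-signature';
  const p = JSON.parse(purchaseData); // field names below are assumptions
  const [ts, nonce, mac] = String(p.developerPayload).split('.');
  const expected = Buffer.from(payloadMac(userId, p.productId, ts, nonce));
  const got = Buffer.from(mac || '');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return 'bad-payload';
  return now - Number(ts) > MAX_AGE_MS ? 'stale-payload' : 'ok';
}
// Constructed demo: a locally generated key pair stands in for the store's signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pub = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const make = (issuedAt) => {
    const payload = issuePayload('user-1', 'gem_100', issuedAt);
    const data = JSON.stringify({ productId: 'gem_100', developerPayload: payload });
    return [data, crypto.sign('sha512', Buffer.from(data), privateKey).toString('base64')];
  };
  const [data, sig] = make(Date.now());
  const [oldData, oldSig] = make(Date.now() - 2 * MAX_AGE_MS);
  return {
    genuine: checkPurchase(data, sig, pub, 'user-1'),
    tampered: checkPurchase(data.replace('gem_100', 'gem_999'), sig, pub, 'user-1'),
    otherUser: checkPurchase(data, sig, pub, 'user-2'),
    stale: checkPurchase(oldData, oldSig, pub, 'user-1'),
  };
}
console.log(demo());
```

A production server would also record each nonce and reject a second use, so that a genuine signed purchase cannot be submitted twice.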
