Amar asked

Samsung Galaxy store - IAP support?

I am adding support for the Samsung Galaxy store, and one of the requirements to be on the Galaxy store is to add Samsung OpenIAB through Samsung, or Unity's IAP plugin.

They both seem to do the job of being able to make a purchase. The issue I am running into is being able to grant an item on the PlayFab server once a purchase has been made through one of these systems. I could not find any documentation regarding receipt extraction or validation using the Unity or Samsung OpenIAB plugin.

I have looked into these posts:

- http://answers.unity3d.com/questions/1191677/getting-unity-iap-receipt-data-to-validate-with-pl.html

- https://github.com/Samsung-US-Developer-Support/Samsung-OpenIAB-Unity-Plugin

It is clear how we can achieve this for Apple and the Google Play Store, but with something like Samsung and OpenIAB, it is not clear how to make a valid purchase without passing in a receipt.

I tried calling PurchaseItem to bypass sending a receipt, with all the required parameters [ItemID, VirtualCurrency "RM", 99 ($0.99), catalogVer, storeID], once I get a purchase success on the client, and this seems to fail on the server and gives me an error saying insufficient funds.

Question 1: How can you make a purchase of an item that is listed in the store for RealMoney without receipt validation? [in this case Samsung]

Question 2: Do you recommend setting the RM price to zero, or setting the price in a different currency and sending that currency instead, to be able to make the purchase?

Question 3: Are ValidateGooglePlayPurchase & ValidateIOSReceipt the only ways to make a purchase of an item listed in "RM

Question 4: How and when do you add the localized currency values to the store items on the PlayFab Store? This seems like a tedious process. As mentioned here: "PlayFabStore":RealCurrencyPrices[GBP,EUR etc...] https://playfab.com/show-me-money-receipt-validation-ios-and-android/

TitleID: 93A3

CatalogID: catalog_0

StoreID: iap_store

ItemID: small_gem_bundle

Thanks,

-Amar

brendan answered

Purchases for real money must be integrated in PlayFab in some way, so that we can validate the purchase with the payment provider. That basically comes down to either receipt validation (the various mobile platforms and consoles) or else a cart-like process where a purchase gets set up in a payment provider, and the player then uses that provider's interface to make the payment. In all cases though, the integration on our side uses the exposed partner API calls they make available. Since Samsung's payments are completely distinct from Google Play or Amazon, it would need to be integrated on the service side for it to provide the same level of security.

So, short answer to Q1 is that we would need to integrate Samsung's store as a payment provider to enable this. That's not on our current schedule, as we've had very few requests for this (in truth, this is the first), though if this is a critical feature for you, we can discuss a custom development contract with you as a potential option.

For your other questions:

Q2: No, we would not recommend a 0 RM price. That would allow any hacker to easily get all items in your game for free.

Q3: You can currently make purchases for real money via Amazon, iTunes, and Google Play receipts, Xbox Live and PlayStation Network entitlements, or using the StartPurchase flow with Steam, Facebook, PayPal, or Xsolla.

Q4: The RealCurrencyPrices is for cases where you want to specify an exact amount in that foreign currency. Receipt based purchases specify the currency and price used, while the StartPurchase process allows the payment provider to specify the currency and price used (without having to specify each in PlayFab).

Amar commented ·

Regarding SamsungIAP support:

- Unity supports Samsung IAP, and I am able to get a confirmation on the purchase, but it does not have any receipt that I can send to the server.

Samsung also supports OpenIAB (Unity IAP might be a wrapper on this). It looks like having PlayFab support OpenIAB is going to open the gates for stores like Samsung, Aptoide and other Android stores.

Regarding Q4:

If I have to support receipt-based validation for various currencies, do I have to upload all the prices for all the possible currencies onto PlayFab using the Admin API? That does not seem practical at all; it looks like I am missing something here.

Now that brings me to the next question:

Question 5:

Unity supports client-side receipt validation as well. How can I use PlayFab in conjunction with this? How can I make a purchase on PlayFab for an item selling in RealMoney?

brendan answered

Correct - as I said, any payment provider would have to be directly integrated for it to work. Unity is not the payment provider in this case - Samsung is.

OpenIAB is also not a payment provider - it is (some would argue was, since active development halted on it quite some time ago) an open source library for doing payment validation with various providers.

Similarly, UnityIAP is also not a payment provider. The reason I'm emphasizing this is that, for payments to be secure in such a way that we can have confidence that players are only getting items they pay for (but are reliably getting the items they pay for), there must be a single round-trip on the validation step - the client sends us some information which we validate with the payment provider, and then we add the appropriate item(s) to the player inventory before finally returning the information to the client.

For Samsung specifically, that means integration with the server-to-server verification process described in their FAQ, here: http://developer.samsung.com/iap. Please note that their description above, where the client validates the receipt, then the client gets the item, has the essential flaw that they've made the client authoritative for the decision-making about giving the item to the player. That's specifically what we designed our system to prevent, since it's one of the most commonly hacked features of any game. If you do a search, you'll find many instances of developers talking about a bogus "Cut the Rope 2" receipt that's used in a common hack to get free IAP items in many games that don't use a secure model (no offense to ZeptoLab - their game is fantastic, it's just that someone chose to use one of their receipts in a hack that then spread).

For Q4, no, we recommend having a price in RM in your game catalog, but the actual price things are sold for in receipt-based systems is completely out of our hands - it's the platform that sells the item. That's why the receipt validation API calls take a currency code and price, so that you can specify them there.

For Q5, we do not support client-side receipt validation, for the reasons stated above. It is insecure, and effectively guarantees that you will have people getting in-app purchase items without paying for them.

Amar commented ·

Thanks Brendan, that is helpful. It looks like I will have to wait until the integration is done on the PlayFab server for it to be able to do a validation with Samsung. While this starts to shape up, I will have to find a temporary situation where I trust the client.

I do not have enough time to wait for the receipt validation with Samsung servers to be implemented, but would like to be kept in the loop and notified once this is on its way to being used effectively.

Not sure how IAP works on Tizen yet, but that is being supported by Unity as well. For all this it looks like there has to be some way to be able to validate and make a secure transaction.

Question: Is there some kind of feature switch we can turn on, where all the payload data between the client and server is sent encrypted? Or is this already happening?

-Amar

brendan replied to Amar ·

Since this is the first time we've heard this request, please be aware that it may be quite some time before we add this to the schedule. That said, we have a backlog item for it now, so when we do get this added, we'll be sure to notify you.

All API calls to PlayFab are SSL secured, so yes, the packets are encrypted. We do not provide additional encryption within the packet currently, as it would add computation time (slowing responses slightly, and adding cost) while adding little to the overall security. Since the data being encrypted is coming from the local device, it's already available to a hacker, in that part of the client code.

Amar commented ·

One more follow-up on the same topic of IAP:

I see that the Unicorn Battle example seems to be using OpenIAB. Does this example use OpenIAB to validate IAP receipts with only Apple and Google Play? Does this example work with other clients?

brendan replied to Amar ·

Again, OpenIAB is not a payment provider - it is a client-side library for payment validation with providers. We use it to retrieve the receipt for purchases, in order to pass them to the appropriate PlayFab receipt validation API calls. For any payment provider, there must be a backend integration for it to work in the way I described above - a single-loop request which does all the validation steps and adds the item(s) to the player inventory, so that players can only get items they pay for.

Amar answered

Hi Brendan,

Just received an update from the Unity team, and they say "Samsung provides receipt information suitable for Remote Validation."

Local Validation would require additional cryptographic data to be included in transactions from Samsung.

Still, I'll call what we receive a "receipt" for convenience's sake: a "purchaseId". We also receive a "paymentId" which is what we map to "transactionId". We pack the "purchaseId" into the Unity IAP receipt field as a trivial JSON string.

You may already know how to access the Unity IAP receipt field, from your earlier work. After successful purchase, in the app's ProcessPurchase(Purchasing.PurchaseEventArgs e) implementation, the receipt will be available in e.purchasedProduct.receipt. This string is packed up by Unity IAP to contain each App Store's various receipt fields. As suggested above, this string should look something like: {"purchaseId":"d215d9abcd17b12578a21c0ea7d8821747b64939732a3243b538d8bcae245590"}.

The Remote Validation server-to-server API for validating this receipt is described in the Samsung IAP Programming Guide "ProgrammingGuide_SamsungInAppPurchaseSDK_v4.0.0.pdf" document: http://developer.samsung.com/iap/guide E.g. call https://iap.samsungapps.com/iap/appsItemVerifyIAPReceipt.as?protocolVersion=2.0&purchaseID=d215d9abcd17b12578a21c0ea7d8821747b64939732a3243b538d8bcae245590 and parse the response.

It looks like a simple REST call to the Samsung server. I know that you have mentioned that we are probably the first game team to request Samsung verification; how hard and time-consuming would it be to add support for this feature on PlayFab? This could be used by other games as well in the future, as clearly Unity has made it official to support Samsung IAP.

Thanks-

brendan answered

Yes, if they didn't provide enough information for it to be used for validation, it wouldn't have any use as a payment system whatsoever. However, for it to be integrated into our service as a payment provider is a very non-trivial amount of work. It's not just the implementation - which is not just a single Web API call, as we must integrate it as part of an end-to-end payment system - it's also all the test time required to ensure that the implementation is correct and has no holes. I'm sorry, but given that we have many other features that have much higher numbers of developers asking for them, we cannot "jump the queue" with this particular feature. If more developers come to us asking for this feature, that could change its priority, but to date, we have had only the one request for it.

Now that said, there's nothing stopping you from implementing receipt validation the way they're recommending - you could call their service to validate the receipt, and then call into our service to grant the items purchased. Because this would not be using our end-to-end purchase system, it would be vulnerable to cheating by a hacked client, as is the case with a large number of games which do client-side receipt validation, but it is at least an option which is available to you.
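
Added example, not part of the original thread and not code from PlayFab, Unity or Samsung: the validate-then-grant flow discussed above, run on a developer-controlled server so that the client only submits the receipt and never decides the outcome. `verifyWithSamsung`, `grantItem` and the `{valid, itemId}` verdict shape are hypothetical (Samsung's response format is not shown on this page), and the 64-hex-character check is an assumption based on the sample ID quoted earlier.

```javascript
// Endpoint as quoted in the thread; everything else here is illustrative.
const VERIFY_URL = "https://iap.samsungapps.com/iap/appsItemVerifyIAPReceipt.as";
const PURCHASE_ID_RE = /^[0-9a-f]{64}$/; // assumption: shape of the sample purchaseId

// Extract the purchaseId from the JSON string Unity IAP places in the receipt field.
// Returns null for anything that is not exactly the expected shape.
function parsePurchaseId(receipt) {
  let obj;
  try { obj = JSON.parse(receipt); } catch (e) { return null; }
  const id = obj && obj.purchaseId;
  return typeof id === "string" && PURCHASE_ID_RE.test(id) ? id : null;
}

// Build the server-to-server verification URL; the ID is already format-checked
// and is URL-encoded again here rather than concatenated raw.
function buildVerifyUrl(purchaseId) {
  const q = new URLSearchParams({ protocolVersion: "2.0", purchaseID: purchaseId });
  return `${VERIFY_URL}?${q}`;
}

// verifyWithSamsung(url) -> {valid, itemId}: hypothetical callback that performs
// the HTTP call and reduces the store's response to a verdict.
// grantItem(playerId, itemId): hypothetical callback that adds the item.
function makeRedeemer(verifyWithSamsung, grantItem) {
  const redeemed = new Set(); // use a durable store with a unique key in production
  return function redeem(playerId, receipt, expectedItemId) {
    const id = parsePurchaseId(receipt);
    if (!id) return "rejected: malformed receipt";
    // A valid receipt replayed a second time must not grant a second item.
    if (redeemed.has(id)) return "rejected: already redeemed";
    // The verdict comes from the store's server, never from the client.
    const verdict = verifyWithSamsung(buildVerifyUrl(id));
    if (!verdict || verdict.valid !== true) return "rejected: not verified";
    // A genuine receipt for a cheaper item must not unlock a different one.
    if (verdict.itemId !== expectedItemId) return "rejected: item mismatch";
    redeemed.add(id);
    grantItem(playerId, expectedItemId);
    return "granted";
  };
}
```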
