One of our apps on Android is currently quite vulnerable to IAP hacking. We want to avoid this as this will ruin some network-based systems and also harm our revenue.
We would like to know is there a way to validate the purchase receipt before we give him item. Thank you very much.
Also sorry for my extremely bad english, they may sound rude at some point(someone told me) but I am actually being very polite.:)
The way to do it is to use Purchase Status API
You will do the billing process on the client side, and once done, you will send the token to the server, and then, be able to check the status of a purchase.
If the status is what you expect, then you will enable or send the update to the user.
Related
I am implementing a small social networking website, and I am trying to implement notifications.
Notifications have the following requirements
All users will receive notifications whenever users they follow do
certain events (like a post, create a post,leave a comment, etc...
When a set of notifications for a user is unread, just like on facebook, the user will
continue to see a read notification icon on their navbar.
Problem : I am taking an example to describe my problem for better understanding for everyone.
Suppose there are two users A and B. A & B are friends and A post something, suddenly B like the post of A then A should have to receive the notification immediately.
So how can i achieve this immediately receiving of notification process?
Should i send a call to server on each millisecond to check whether there is any unread notification is available for A user ? In this case thousand millions of call creating for multiple user. It is feasible solution ?
(I think it create unnecessary load on my website. As i think facebook and stackoverflow do not use this way).
Provide me a suitable solution just like fb and other webiste using.
Technology Using in my project: Java and MYSQL
You should use JavaScript (client side) along with Java - MySql (Server side), and more specifically Ajax. You will need some time to understand the concept and the usage but it does exactly what you want.
To give more details, what you need is to create a partial view where the notifications will appear, and update this partial view async (with AJAX).
Dont reinvent the wheel.
Use ajax call to server at each interval and check your server and update nav acc.
1.So how can i achieve this immediately receiving of notification process?
2) Should i send a call to server on each millisecond to check whether there is any unread notification is available for A user ?
Your above both questions answers solve through GWTEventService implementation.
Through it you can write code that will avoid client to server round trip.
GWTEventService is an event-based client-server communication framework. It uses GWT-RPC and the Comet / server-push technique. The client side offers a high-level API with opportunities to register listeners to the server like to a GUI component. Events can be added to a context/domain on the server side and the listeners on the client side get informed about the incoming events. The server side is completely independent of the client implementation and is highly configurable. Domains can be defined to decide which events are important for the different contexts.
Refer link: https://code.google.com/p/gwteventservice/
I'm trying to find a java based API that wraps up the details of processing a credit card transaction or purchase via PayPal at a minimum, and other gateways as a plus in an IPN fashion (ie no products required, just an invoice amount)
As a bit of a simplification, I think I should be able to do something like the following pseudocode:
shoppingApi.postTransaction("paypal", amount, currency, invoiceId, purchaseDescription)
and later on during a scheduled task or on notification from an IPN url:
completedPayments = shoppingApi.getUnprocessedCompletedPayments();
for (Payment payment: completedPayments)
{
// my code to process a successful payment.
}
and then I'd process the purchases.
I know there's tons of shopping carts out there that do this, but from what I've seen, they all want you to put your products in their system, which doesn't work for me. My products are in a 3rd party system, and I just want to process a payment. That's all.
And no cart I know of exposes a simple API like the one I'm suggesting above. I don't care what payment type my users use, I just want to know if they completed it. I know that Shopify.com has a REST api that does something like this, but it's not IPN like (it wants your products in it's system).
Thanks in advance for any suggestions!
EDIT: I know of course that there'd be other statuses that I'd need to look at, like "pending", etc, but that'd simply be another simple API call, like shoppingApi.getPendingPayments(). If the API did the above 2 calls, I'd be pretty happy ;-)
EDIT 2: I'd prefer opensource, but am totally open to commercial if it's a flat fee, can be trialed to some extent, and is reasonably mature/respectable
EDIT 3 - MAJOR NOTE: I feel confident that such a library should exist. Whether or not it does is another question. So to be clear, I'd really like to see "yes, use this library" answers, not "NO", this can't be done, as I'm %99.999 sure it can be done ;-) Thanks in advance!
There's this site which could be used via jruby.
This may or may not come somewhere near meeting your requirements.
You can not get an API for payment gateway integration. You will have to write your own development for the processing with various payment gateways. For that you have to understand that which payment gateway gets which parameters and its requesting URL for requesting for the paymentgateway. You can get this information by varius payment gateway websites.
This url may helpful to you
For HDFC : http://www.hdfcbank.com/sme/sme-details?id=guzh6m0i
For Paypal : https://merchant.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=merchant/payment_gateway
Secure Pay : http://www.securepay.com.au/
techpro [ ICICI ] : http://forums.devarticles.com/asp-development-3/how-to-integrate-payseal-icici-payment-gateway-95329.html
Here you can also find the development APIs or the guidelines for the development that which parameters they will require for processing the requests.
Hope this may help you.
Enjoy !!!
I know only this product (commercial): IBM WebSphere Commerce Payment
There is a tutorial to integrate also with PayPal: Integration with PayPal
I dont know the license cost, you must contact IBM for this.
Java SDKs are available here -
https://www.x.com/developers/paypal/documentation-tools/paypal-sdk-index
All of them come with a nice handy example (check README.md files) which will get you started.
I would say it's better to write your own api, because anything related to payment and purchase processes will cost you money to get.
You need the following for your app to accomplish:
You need a server that will communicate with PayPal (or
DataTrans or any other payment systems)
You need a database to capture all the payments transferred:
That have been settled
That have been payed but the settlement is not received yet
That still need to be payed
Installments done, finished, or yet to be done
The server needs to be any web app (spring with hibernate etc)
that has some security (acegi, spring)
Every-time a user logs in and starts purchasing online you need to
do a call to PayPal and get the response in a callback to the
browser of the user
Every time you have a settlement you save the needed data in the DB like user-id purchase-method owner card-number invoice-id PayPal -token
I hope this helps
Though the thread is very old, I just wanted to add details of an API which I came across recently, that may match the requirements of the question. I hope this will help others who are looking for similar answers.
Try Shopizer. This API was build on Java, Spring, Hibernate, jQuery and elasticsearch.
I'm working on an app that requires users to register in order to use the features.
I need to ensure that users are who they say they are so I want to use some type of verification process, e.g. email or text verification.
The best solution would be to receive a text or email after registration with a code. This code can then be entered into the application to verify the login.
I know of GMailSender but that is as far as my knowledge would go for this type of situation.
I have no idea where to start with this and have researched a lot.
Any help would be great
Thanks :)
Manually entering a code received by email would be annoying for users and they are highly likely to abandon a process that forces this upon them. Also from experience, emails are so often caught in spam traps and not received.
You should make it as easy and non intrusive as possible.
e.g
Use the device's built in Google account to register with your server (after obtaining user permission of course).
On the server side perform the registration and return a code to the app.
Use the code returned by the server directly in the app to enable whatever features you see fit.
The above example would be a one click process and would require no manual code entry.
I have received a requirement to develop a feature to check if 2 email id's, logins or identities are socially connected. I hope to ask 2 users their facebook id, linkedin id (and in future may be more social networks). I then hope to use their facebook id's connect to facebook api's and determine if
Are these two connected socially, are they friends ?
Are these 2 connected through mutual friends
Do they have n levels of mutually connected friends ? (like in linkedin)
Similarly I hope to use linkedin api's to identify if they are socially connected and if not, how far they are.
My question is
I have been in a social project before and understand that facebook and linked in provide a lot of restrictions on their api's. Do you know of any that stand out very obviously from I need them to do for me ?
Are there any privacy/legal issues that I need to be aware of, in these scenarios. Will there be a issue if I were to let each of the users know that they are x networks away from each other ?
Will I be able to use the api's free or is there a particular paid service that these social networks offer ? I would be worried about costs when i deploy right ?
Edited
I put some questions on linkedin forums. This is the response I got
There is no extended information available via the API for developers of business accounts. The visibility is based on the user who has authenticated and what they can see in their network. The API is not designed for you to learn information about two users other than the one who has authenticated.
Seems fair from their stand point. Even a business account would not provide private information about 2 random people's "socially connected" information.
I think I need to explore the option of having my users login/connect to linkedIn and provide me with that information. Crazy as it sounds, I will explore this.
No they should both be free. Linked in has a ton of token requirements for pulling deep information. Be sure to read the linked in Docs pretty indepth. LinkedIn hates if your exporting any user data and will throw you under the bus in a minute if you attempt this. Also linked in's very limiting tword the # of calls you can make per account in an hour. SO be prepared for rate limiting.
A few months back I had contacted facebook, linkedin and google+ for a similar requirement. Seems that they dont appreciate scraping at all. I dont know if you intended to do that. They also mentioned that this information relates to peoples privacy, so they need to login to allow you to do that. Infact you need to be in their network to achieve something even close. You will also need a plugin/app to work along side with you, which will have other restrictions like # of requests per day/hour.
In short, you are requesting information from deep within their databases, they are not going to like it.
With some more research, its clear that without both users providing my app the authority to query on their behalf about the other user, I cannot get this working. Not even with business accounts with both linkedin and facebooks. The reason is obvious, privacy.
I'm new in development of applications for Android so I'm asking those questions for know which is better way to make RSS reader app. I have a server that downloads and stores on database news from Yahoo. On this database are stored title, content, publication date and link of news. Than I'm making HTTP POST to server to download news to Android. Data from server to android are passed in Json.
Can people, who already had developed an application like this, answer my questions?
Should I pass all list of news in one response to POST or it's better to make it's better to make several POSTs to get the same list? I'm asking this question because response from server may be too big and I don't know which is a better way to transmit it.
Comment system is the feature of my app. So need I to create a authentication system or it's possible to make it basing on ID of phone?
Another thing I need to do is to alert user when new news has appeared on server. I don't have idea how to do it with HTTP POST? Need I send to server list of nees that I have on Android?
Thank you for attention.
Here are the answers for your respective wuestions
1) This depends more on kind of UI you chose for your Android application. In my perspective you should go for multi-page (like prev-next links on bottom of screen) UI for your reader. And you should cache the results of previous page as well as next page in you app (so this also means to fetch selective results only) so that when user clicks on next/prev button the responsiveness of you application is good.
2) Ideally you app should ask for show a pop-up dialog asking to authenticate for commenting. You should use something like http://developer.android.com/reference/android/accounts/AccountManager.html to store these credentials so that from next time you do not ask the credentials again once authentication is successful.
3) In this case you should look at http://code.google.com/android/c2dm/
Polling is surely not the way to go :)
See it depends on how big your file is and more importantly how quickly do you need it.
More requests will certainly increase the latency. What generally you should go for is for one request.
But it again depends, I was once working on an android app and had the same problem. But in my case I split it into 2 requests. One so that I get initial data quickly and can disply to the user. Later with another request I can get the remaining data. So see wh1t suits you more.
Also how many requests will you have to make on an average in an hour. More polling will surely eat your battery a lot. If pushing can help you, try seeing if google's C2DM can be of any help.
For Rss parser ibm has an excellent link at http://www.ibm.com/developerworks/xml/tutorials/x-androidrss/index.html
POST vs GET - POST is meant to change state of server, whole GET is for reading results -
you should use GET to retrieve news, and POST to post comments
Use timastamp to retrieve news from some moment, update timestamp on the device
with latest received news timestamp - this will save traffic for your users and your server. First update will get everything ( you may also put a limiton amopunt of news retrieved in single batch )
everything based on something present on phone is not strong. however, you can use some kind of open id (there are a lot of providers, and most of your users will have google account) provider. In my highscore system I just hash incoming entries with some secret present in APK - this is not very secure, but data are not that valuable and there were no hack attepßts so far.
Every push alert requires active polling from device - also your application shall ask via get request something like "are there new entries since last timestamp" ( but if you already do this, you may as well just download them ) - the alert user via usual android means ( widget, status bar, vibration, playing starwars imperial march... )