Monday, April 3, 2017

The saga continues

Remember, some time ago Google has removed the order amount in USD from their Merchant Console? Ever since, I've used the earnings report at the end of each month to capture that data item.

Two months in, starting with the March 2017 earnings report, that's not an option, either. The order amount is there, so is the transaction fee, but the order ID isn't.

At least the support representative seemed to agree that it was a bug.

UPDATE: they've fixed it without any announcements.

Monday, February 6, 2017

Defeating the IAP emulator

A few posts ago, I've mentioned a certain Android app that emulates valid in-app purchases on rooted Android devices. I also mentioned that this app goes as far as shorting out the digital signature check code, so that apps that do due diligence and check the IAP signature against the Google public key are fooled, too.

I've been suspecting all along that the emulator does this by tapping into the Android system library, so that the built-in signature check function returns true regardless. That seems to be the case. The emulator struck again, but this time, my app had two signature checks - the system one and a homegrown one. And the latter one was the one that correctly reported a signature mismatch.

Normally, I'd be the first one to recommend against reimplementing crypto primitives. But in this case, I do feel it's justified. Here's the code. SHA1 hashing is system provided, but the RSA signature check bits are custom. The function and its parameters are deliberately called vague names, just in case the pirate crowd goes through the trouble of introducing special-case processing for my case.

Friday, January 27, 2017

Meet the new boss, same as old boss

Google is full of surprises, aren't they?

Less than three months after they've unveiled the new, redesigned Payments Center, they've discontinued it and moved the functionality to the Play developer console. And it's not like they've moved the same pages to a different host; this is a redesign, both the internals and the UI are noticeably different, with some functionality removed, and some new bugs introduced.

On the brighter side, the new UI is more scrape friendly. It's still JavaScript-driven, with explicit protection against HTTP-only scraping. On the other hand, there's a very straightforward AJAX call that returns JSON with almost all I need to capture the order activity.

There's a glaring exception though. The November 2016 version of the Payments Center would expose a crucial number - estimated revenue in USD (more generally, the payout currency). Not anymore. Unless the order was in USD to begin with, there's no way of knowing what's my take until the end of the month.