The last time I revisited Google Play order processing, there was a 6 hour gap between order submission and the card being charged. The delay was artificial, naturally. I'm not exactly sure what the reasons for such a design were; probably it was an allowance for return and refund: if the customer's remorse kicks in before the card is charged, Google doesn't have to pay the card transaction fee.
Effective July 2017, the gap is no longer on the order of hours; now it's 5-7 minutes.
Sunday, December 31, 2017
Friday, December 15, 2017
Team Foundation Server schema
UPDATE: some more on the TFS schema here and here. On the recent developments: here.
I happen to run an on-premises instance of Microsoft Team Foundation Server for a medium-sized software shop. TFS has pretty good reporting capabilities, but out of the box, almost no cross-collection reporting. Fortunately, those who are blessed with admin rights in TFS get to connect to the production database server.
Friday, December 1, 2017
Thursday, November 2, 2017
Abusing COM for tightly coupled process interaction
Twice in my career, I had to deal with unreliable third-party algorithm libraries in a server situation. There's a service-type program that follows a general request/response pattern. Processing a request involves calling a third-party library that I don't control and that crashes far too often for comfort. The service must survive the crash, log it, and emit an error response.
Monday, April 3, 2017
The saga continues
Remember how, some time ago, Google removed the order amount in USD from their Merchant Console? Ever since, I've used the earnings report at the end of each month to capture that data item.
Two months in, starting with the March 2017 earnings report, that's not an option, either. The order amount is there, so is the transaction fee, but the order ID isn't.
At least the support representative seemed to agree that it was a bug.
UPDATE: they've fixed it without any announcements.
Monday, February 6, 2017
Defeating the IAP emulator
A few posts ago, I mentioned a certain Android app that emulates valid in-app purchases on rooted Android devices. I also mentioned that this app goes as far as shorting out the digital signature check code, so that apps that do due diligence and check the IAP signature against the Google public key are fooled, too.
I've been suspecting all along that the IAP emulator does this by tapping into the Android system library, so that the built-in signature check function returns true regardless. That seems to be the case. The emulator struck again, but this time, my app had two signature checks - the system one and my homegrown version. And the latter check was the one that correctly reported a signature mismatch.
Normally, I'd be the first to recommend against reimplementing crypto primitives. But in this case, I do feel it's justified. Here's the code. SHA1 hashing is system provided, but the RSA signature check bits are custom. The function and its parameters are deliberately given vague names, just in case the pirate crowd goes through the trouble of introducing special-case processing for my case.
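As an added illustration (not the author's code, which this excerpt does not include), here is one way such an independent check can look in Java: SHA-1 comes from the platform, while the RSA step uses plain BigInteger arithmetic and compares the whole result against the expected PKCS#1 v1.5 encoding. The class name, the constructed purchase JSON and the throwaway key pair are assumptions for the demo, as is the SHA1-with-RSA scheme the post implies.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class IndependentCheck {
    // DER DigestInfo header for SHA-1 (PKCS#1 v1.5, RFC 8017 section 9.2).
    private static final byte[] SHA1_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
        0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

    // n, e: modulus and public exponent of the verification key.
    static boolean verify(byte[] data, byte[] sig, BigInteger n, BigInteger e)
            throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance("SHA-1").digest(data);
        int k = (n.bitLength() + 7) / 8;            // modulus length in bytes
        int t = SHA1_PREFIX.length + hash.length;   // DigestInfo length
        if (sig.length != k || k < t + 11) return false;
        BigInteger s = new BigInteger(1, sig);
        if (s.compareTo(n) >= 0) return false;      // signature must be < n
        // RSA public operation, then left-pad the result to exactly k bytes.
        byte[] raw = s.modPow(e, n).toByteArray();
        byte[] em = new byte[k];
        int len = Math.min(raw.length, k);
        System.arraycopy(raw, raw.length - len, em, k - len, len);
        // Build the one valid encoding: 00 01 FF..FF 00 || DigestInfo || hash.
        byte[] expected = new byte[k];
        Arrays.fill(expected, (byte) 0xff);
        expected[0] = 0;
        expected[1] = 1;
        expected[k - t - 1] = 0;
        System.arraycopy(SHA1_PREFIX, 0, expected, k - t, SHA1_PREFIX.length);
        System.arraycopy(hash, 0, expected, k - hash.length, hash.length);
        // Compare every byte, so lax-padding forgeries are rejected too.
        return MessageDigest.isEqual(em, expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data: a throwaway key pair stands in for the store key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        byte[] data = "{\"orderId\":\"EXAMPLE-0001\"}".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();
        System.out.println(verify(data, sig, pub.getModulus(), pub.getPublicExponent()));
        sig[sig.length - 1] ^= 1;                   // tamper with one bit
        System.out.println(verify(data, sig, pub.getModulus(), pub.getPublicExponent()));
    }
}
```

Rebuilding the full expected block and comparing it byte for byte, rather than parsing the padding out of the decrypted value, is what keeps a hand-rolled PKCS#1 v1.5 verifier from accepting malformed encodings.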
Friday, January 27, 2017
Meet the new boss, same as old boss
Google is full of surprises, aren't they?
Less than three months after they unveiled the new, redesigned Payments Center, they've discontinued it and moved the functionality to the Play developer console. And it's not like they've moved the same pages to a different host; this is a redesign, both the internals and the UI are noticeably different, with some functionality removed, and some new bugs introduced.
On the brighter side, the new UI is more scrape-friendly. It's still JavaScript-driven, with explicit protection against HTTP-only scraping. On the other hand, there's a very straightforward AJAX call that returns JSON with almost all I need to capture the order activity.
There's a glaring exception though. The November 2016 version of the Payments Center would expose a crucial number - estimated revenue in USD (more generally, the payout currency). Not anymore. Unless the order was in USD to begin with, there's no way of knowing what my take is until the end of the month.