Android In App Billing public key in a public repository
I
wrote an open source app where I added donations through in-app checkout. Google says it wants to “hide” the public key ( see here).
Since the app itself is open source, everyone can compile it and change the key. Currently I have created a new project with a static class that returns a key. I use this class to get the key, so I don’t have a normal public key in my git repository. But is this really necessary?
If anyone knows my public key, what’s the worst-case scenario?
Thank you
Asparagus
Solution
I thought about this “question” and tried to answer it myself. Hope it works for anyone.
Note: If you’re planning to sell stuff and activate features through in-app purchases, you should confuse your key! My answer is only for open source apps!
Since I didn’t activate the add-on via in-app purchase, hackers can’t replace the key. He can’t get any additional features. Even if it enables certain features, since the app is open source, everyone can remove the conditions for checking purchases.
In other words, if someone uses a key in his app, I’m not sure what happens if he uploads the app to the dev console. I think in-app purchases fail because each uploaded app generates a new public key.
I would say you can include the public key in your public repository. I’ll include it too.