You should verify purchase details that your app receives in before providing the user access to what they have purchased.
There are 2 ways how you can verify purchases made by a user.
Verify a purchase on a device
If you cannot run your own server, you can still validate purchase details within your Android app.
To help ensure the integrity of the transaction information that is sent to your application, Google Play signs the JSON string that contains the response data for a purchase. Google Play uses the private key that is associated with your application in the Play Console to create this signature. The Play Console generates an RSA key pair for each application.
The Android Native already does this for you. And if client verification is failed we will send the purchase error.
Note: It's highly recommended to verify purchase details using a secure backend server that you trust. When a server isn’t an option, you can perform less-secure validation within your app.
Verify a purchase on a server
y implementing purchase verification logic on a server, you can protect your app from attackers who try to reverse-engineer your APK file and disable its verification logic. To verify purchase details on a secure backend server, complete the following steps:
From you app, send the purchase token and user account credential to your secure backend server. The secure backend server should associate the purchase with the user after verification has succeeded.
After you get the token from the app:
Use the Subscriptions and In-App Purchases portion of the Google Play Developer API to perform a GET request to retrieve the purchase details from Google Play (
Purchases.productsfor a one-time product purchase or
Purchases.subscriptionsfor a subscription). The GET request includes the app package name, product ID, and a token (purchase token).
Google Play returns the purchase details.
The secure backend server verifies that the order ID is a unique value that doesn’t represent a previous purchase.
The secure backend server uses the user account credential received in step 1 to associate the purchase token with the user of the app instance where the purchase was made.
(optional) If you are validating a subscription and the subscription is being upgraded, downgraded, or the user has re-subscribed before the subscription has lapsed, check the
linkedPurchaseTokenfield in a
Purchases.subscriptionsresource contains the token of the previous, or “originating” purchase. For more about
linkedPurchaseToken, refer to
The in-app product is made available to the user.