Fovea.Billing

The In-App-Purchase Backend Solution for Cordova Developers

Connect with Google


Connecting Fovea with the Google Play Developer API enables useful features:

  • Detect subscription renewals even if the app is not launched.
  • Get access to more information about purchases:
    • has a transaction been cancelled
    • what is the expiry date of a subscription
    • is it in grace period or account hold (pending renewal of the payment method).
  • Enhanced security:
    • data fetched from the Google API is more trustworthy than data sent by the client


Here’s an excerpt from Google’s recommended Security Best Practices document.

It’s highly recommended to validate purchase details on a server that you trust. By implementing your signature verification logic on a server, you make it difficult for attackers to reverse-engineer your APK file. This preserves the integrity of the signatures that your logic checks.

Not only does Fovea’s service validate the signatures, it also takes a number of extra steps to ensure an attacker isn’t trying to unlock a product or subscription with a valid but unrelated receipt, or with one that has already been used in the past.

For additional security, we let you link your Fovea.Billing account with a Google account that has financial permissions on Google Play. Doing so allows our service to request purchase and subscription statuses using the Google Play Developer API.

This step is particularly useful because attackers cannot create mock responses to your Play Store purchase requests.

It also lets the server identify transactions that have been canceled and give your app access to information that can be useful to display (cancelation date and reason, payment state, expiry date, etc).

The list of additional fields and their meaning is documented in the official documentation: see here for subscriptions and there for other types of purchases.

1. Enable the Play Developer API

In order for our servers to communicate with Google on your behalf you need to provide a set of service credentials.

First, your Play Developer account needs to be linked to a Google Developer Project. From there, we’ll create a service account and grant Financial permission to it. Finally, we’ll set up the service account credentials in Fovea.Billing.

It takes more than a few steps (be ready for somewhere around 10-15 minutes), but it’s worth it!

1.1 Create a Service Account

  1. First, let’s go to your Google Play Console
  2. Select All apps > Settings > Developer account > API access.
  3. From the Getting started section, hit Link to connect a Google Developer Project. (or Create a New Project if none are listed…)
  4. From the same API access screen, select Create Service Account.
  5. You are shown a link to the Google API Console, follow it.
  6. From there, + Create Service Account.
  7. Fill in the form (set name and description to whatever suits you)
    • Select the Role: Project > Owner
    • Then click Continue
  8. Create a Key > format JSON
    • This will download a JSON file on your computer. Keep it safe.
  9. Finalize by clicking Done.

1.2 Set up account permissions

You can now close the Developer Console and come back to the Play Console.

  1. Click the Grant Access button next to the newly created Service Account.
  2. Set the Role to Finance, add the Manage orders permission. This should look like this:
  3. Save

1.3 Save the credentials in your Fovea account

Back in your Fovea.Billing account, copy and paste the content of the JSON document into the Google Play Service Account field and Save.

Important!

It can take up to 24 hours for your Play Service Credentials to work properly with the Android Developer API.

There is a trick that can force a refresh of Google’s access rights: create a new dummy In-App Product in the Google Play Console. You can remove it later.

2. Enable Real-time developer notifications for your app

To prevent any lag in the detection of renewals, cancellations or other potential changes to subscription and purchase statuses, Google provides a server-to-server notification mechanism. We will set it up with a few more steps.

A quick explanation:

  • The Pub/Sub API is a service from Google Cloud that lets applications send messages to each other. It’s used by Google Play to send real-time notifications.
  • In this API:
    • a Topic is a collection of messages and permissions. Some users are allowed to publish messages to the topic, some users are only allowed to read messages.
    • a Subscription gives access to a Topic. A type of subscription called a “push” subscription will call a webhook when a message is published.
  • In our context, messages will be purchase related events.

We will now:

    • Enable the API for your project
    • Create a Topic where “Google Play” can publish messages.
    • Create a Subscription that calls Fovea’s dedicated endpoint.
    • Tell “Google Play” what Topic to publish to for your app.

2.1. Enable the Pub/Sub API

You must have a Google Cloud Project with the Cloud Pub/Sub API enabled.

  1. Click here to enable the Pub/Sub API from the Google Cloud Console.
    • Select the project you created earlier (Create a Service Account, Bullet 3).
      If you didn’t change the defaults, it has been called “Google Play Android Developer”.
    • Click the Enable button.

2.2. Set up a Topic

Still from the Google Cloud console, Create a Topic with an ID of your choice (link: https://console.cloud.google.com/cloudpubsub/topicList)

  • Click Create Topic
  • You can keep “Use a customer-managed encryption key (CMEK)” unselected.

Give Google Play the permission to send messages to this topic:

  1. Select the Topic you just created
  2. Open the “Permissions” tab
  3. Click “ADD MEMBER”.
  4. Then fill in the form with those values:
  5. Save

2.3. Create a Subscription

We will then add a Subscription to this Topic.

  1. From the Topics page, open the contextual menu for your newly created Topic and select “Create subscription”.
  2. Fill in the details.
    • Subscription ID: it’s up to you.
    • Delivery type: Push
    • Endpoint URL: to be retrieved from your Fovea Settings.
    • Expiration: Never expires
    • Retry policy: Retry after exponential backoff delay
      • Min: 10
      • Max: 600
    • Here is what this will look like:
  3. Click Create to confirm.

2.4. Link with Google Play

We will now link this subscription to Google Play.

    1. Open the Google Play Console.
    2. Select your app.
    3. Go to Monetize > Monetization Setup (it’s at the very bottom of the sidebar menu).
    4. Find the Real-time developer notifications section. In the Topic name field, enter the full Cloud Pub/Sub topic name that you configured earlier. The topic name should be in the format of projects/{project_id}/topics/{topic_name} where project_id is the unique identifier for your project, and topic_name is the name of the topic created earlier.
2.5. Test

    1. Click Send test notification to send a test message. Performing a test publish helps to ensure that everything is set up and configured properly. If the test publish succeeds, a message is displayed stating that the test publish was successful. In Fovea’s Dashboard, you should see that a new Event has been received:
    2. If the publish fails, an error is shown. Ensure that the topic name is correct and that the [email protected] service account has Pub/Sub Publisher access to the topic.

All good? Click Update Topic and we’re done! For more details about real-time developer notifications, see here: developer.android.com
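What the push endpoint configured in 2.3 receives once Google Play publishes to the topic, as an added example that is not Fovea's code: the handler decodes the Pub/Sub envelope, drops duplicate deliveries and notifications for other packages, and treats the event only as a hint to re-query the Play Developer API. The package name, sample values and function names are assumptions; the envelope and notification fields follow Google's documented formats.

```javascript
// Added example, not Fovea's code: one Pub/Sub push delivery of a Play notification.
const EXPECTED_PACKAGE = "com.example.app"; // assumption: your app's package name
// Subset of Google's documented subscription notificationType values.
const SUBSCRIPTION_EVENTS = { 1: "RECOVERED", 2: "RENEWED", 3: "CANCELED",
  4: "PURCHASED", 5: "ON_HOLD", 6: "IN_GRACE_PERIOD", 12: "REVOKED", 13: "EXPIRED" };
const seenMessageIds = new Set(); // assumption: a persistent store in production

// Returns what to do with the delivery. Every outcome is acknowledged with a
// 2xx reply: a non-2xx reply makes Pub/Sub redeliver, which cannot fix bad input.
function handlePush(envelope) {
  const msg = envelope && envelope.message;
  if (!msg || typeof msg.data !== "string" || !msg.messageId) {
    return { action: "ignore", reason: "malformed envelope" };
  }
  // Pub/Sub delivers at least once, so the same message can arrive twice.
  if (seenMessageIds.has(msg.messageId)) {
    return { action: "ignore", reason: "duplicate delivery" };
  }
  let note = null;
  try {
    note = JSON.parse(Buffer.from(msg.data, "base64").toString("utf8"));
  } catch (err) { /* note stays null and is rejected below */ }
  if (note === null || typeof note !== "object") {
    return { action: "ignore", reason: "data is not base64 JSON" };
  }
  if (note.packageName !== EXPECTED_PACKAGE) {
    return { action: "ignore", reason: "notification for another package" };
  }
  seenMessageIds.add(msg.messageId);
  if (note.testNotification) {
    return { action: "ignore", reason: "test notification" };
  }
  const sub = note.subscriptionNotification;
  if (sub && typeof sub.purchaseToken === "string") {
    // The push is only a hint: the state to act on comes from the Play Developer API.
    return { action: "refresh", purchaseToken: sub.purchaseToken,
      subscriptionId: sub.subscriptionId,
      event: SUBSCRIPTION_EVENTS[sub.notificationType] || "UNKNOWN" };
  }
  return { action: "ignore", reason: "unhandled notification kind" };
}

// Constructed sample delivery in the Pub/Sub push envelope format.
function samplePush(messageId, fields) {
  const note = { version: "1.0", packageName: EXPECTED_PACKAGE,
    eventTimeMillis: "1700000000000", ...fields };
  const data = Buffer.from(JSON.stringify(note)).toString("base64");
  return { message: { messageId, data }, subscription: "projects/example/subscriptions/example" };
}
```

The message sent by Send test notification carries a testNotification field instead of a purchase event, which is why the handler acknowledges it without refreshing anything.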

3. Pricing

A quick note about Google Cloud Pub/Sub pricing, from Google:

Message ingestion and delivery are priced per volume of data transmitted in a calendar month. The first 10 gigabytes of usage are free. After that, the price for ingestion or delivery of messages is $40 per TiB.

Messages sent by Google Play being about 1kB, the free plan includes about 10,000,000 such messages per month, a majority of which are sent when you receive a payment. The $40/month will not be an issue when you reach that stage.

Ref: https://cloud.google.com/pubsub/pricing

4. Troubleshooting

Error:

The project id used to call the Google Play Developer API has not been linked in the Google Play Developer Console

Sometimes Google doesn’t apply changes you made to your account’s permissions…

Possible solution:

  • Create an In-App Product in your app, that you can delete right after.