Ensuring Secure Purchases Using the Samsung IAP Server API

Jakia Sultana

Engineer, Samsung Developer Program

In-app purchases and subscriptions are the most common and popular ways to monetize an app. Samsung In-App Purchase (IAP) is a payment service that lets you sell in-app items in apps distributed through the Samsung Galaxy Store. Samsung IAP offers an SDK for Android, plugins for Unity and Unreal applications, and Server APIs. In this article, we will learn how to implement the Samsung IAP Server API on your app's server.

Why you need to have your own server

In some cases, your app may experience network interruptions after an item purchase and payment transaction. Malicious attacks can also create security issues in your app; in particular, if premium content is embedded within the app, malicious users may obtain it without buying it. You can reduce these problems by using a server for your app to validate the purchase receipt, serve the content from the server, and store the payment-related data.

Why IAP Server APIs are required

Samsung provides IAP Server APIs to prevent malicious purchases and to handle these challenging scenarios. These APIs let you verify a purchase and get detailed information about a subscription. From the Server APIs you can learn whether a subscription is about to expire, or the cause of a subscription cancellation. This helps you manage subscriptions and promote your content based on this data.

It is not mandatory to implement the IAP Server APIs; you can communicate with the IAP server directly from your app. However, if you want to validate the purchase receipt and get detailed information about a subscription, the IAP Server APIs offer great flexibility.

A server-side application is required to implement the IAP Server APIs. Your app asks your server to fetch data from the IAP server; your server obtains that data from the IAP server through the Server APIs and returns it to your app. We will discuss this data flow between the app, your server and the IAP server in two parts. In this blog, we discuss how to integrate the Samsung IAP Server API into your app's server. In the second part, we will cover communication between your app and your server.

Please go through the Samsung IAP SDK documentation to integrate the Samsung IAP SDK into your app. To learn about the server APIs, read the Samsung IAP Server API documentation. The following scenario gives you a snapshot of the communication between your app, your server and the IAP server.


Figure 1: Overview Diagram of Samsung IAP Server API


Here, we assume that you have completed your app by implementing the Samsung IAP SDK and registered it in Seller Office to test in-app items. Now you are ready to create your app server.

Get Started

First, let's create a Java dynamic web application using servlets for the app server. The Server API will be implemented here to communicate with the Samsung IAP server. For simplicity, we have created two servlets for processing the two requests: one validates the purchase of an item and the other checks the status of a subscription item. The client app sends its request to the respective servlet, which processes the request and returns the output. The client app then acts on the result returned by the servlet.


Figure 2: Communication with Servlets


Servlets

In Java, a servlet is a Java class that runs in a Java-enabled server and handles HTTP requests. We need a web container that supports servlet technology, so we have used Apache Tomcat 7.0 as the server. As mentioned above, we create two servlets for the two processes. Each servlet has three parts:

  1. Getting purchase ID from the client app
  2. Processing the specific task using this purchase ID
  3. Returning the result to the client app

Getting purchase ID from client app

The purchase ID of an item is required to verify the payment transaction and to call getSubscriptionStatus. We need to send the purchase ID from the client app to our server. The servlet receives that purchase ID in its doPost() method.

int length = request.getContentLength();
// Reject a body with no declared length (e.g. chunked) or an unreasonable size before allocating a buffer;
// the 1024-byte limit is a value chosen for this example, a purchase ID is far shorter than that
if (length <= 0 || length > 1024) {
    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    return;
}
byte[] input = new byte[length];
ServletInputStream in = request.getInputStream();
int c, count = 0;
// Stop once the buffer is full: read() with a zero-length request returns 0, not -1, and would loop forever
while (count < length && (c = in.read(input, count, length - count)) != -1) {
    count += c;
}
in.close();

String receivedString = new String(input, 0, count, "UTF-8").trim(); // the purchase ID sent by the client app
response.setStatus(HttpServletResponse.SC_OK);
String purchaseStatus = PurchaseVerification(receivedString); // to verify a purchase
String subscriptionStatus = ServerStatusVerification(receivedString); // to get status of subscription item

Verify a purchase

iap/v6/receipt enables your server and client app to verify that a specified in-app item purchase and payment transaction was successfully completed. Here, we use an HTTP request to validate the purchase. A JSON object is returned with detailed information about the purchase. See the following code snippet in the PurchaseVerification() method for validating a purchase:

String PurchaseStatus = "";

// Receipt-validation request for the purchase ID received from the client app
String url = "https://iap.samsungapps.com/iap/v6/receipt?purchaseID=" + PurchaseId;

URL obj = new URL(url);
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream(), "UTF-8"));
String inputLine;
StringBuilder res = new StringBuilder();
while ((inputLine = in.readLine()) != null) {
    res.append(inputLine);
}
in.close();
// The IAP server answers with a JSON object describing the purchase; "status" tells whether it completed
JSONObject myresponse = new JSONObject(res.toString());
PurchaseStatus = myresponse.get("status").toString();
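The snippet above passes the purchase ID straight into the URL and trusts whatever comes back. The following class is an added example (not code from the article or from Samsung) of a hardened PurchaseVerification(): it validates the purchase ID format before it reaches the URL, sets timeouts, checks the HTTP status, and refuses to grant the same receipt twice. It assumes org.json as in the article, the 64-hex-character purchase ID format shown in the Testing section, that a completed purchase reports the status value "success" (check the docs for your API version), and an in-memory set as a stand-in for a persistent store of granted purchases.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import org.json.JSONObject;

public class ReceiptVerifier {
    private static final String RECEIPT_URL = "https://iap.samsungapps.com/iap/v6/receipt?purchaseID=";
    // Purchase IDs in this article are 64 hex characters; anything else is rejected before it reaches the URL
    private static final Pattern PURCHASE_ID = Pattern.compile("^[0-9a-fA-F]{64}$");
    // Stand-in for the database of purchase IDs that already unlocked content (assumption: persist this in production)
    private static final Set<String> granted = ConcurrentHashMap.newKeySet();

    /** Returns "granted", "duplicate", "invalid-id", "http-<code>", or the status reported by the IAP server. */
    public static String verifyPurchase(String purchaseId) throws IOException {
        if (purchaseId == null || !PURCHASE_ID.matcher(purchaseId).matches()) {
            return "invalid-id";
        }
        String url = RECEIPT_URL + URLEncoder.encode(purchaseId, StandardCharsets.UTF_8.name());
        HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
        con.setRequestMethod("GET");
        con.setConnectTimeout(5000); // do not let a slow upstream hold servlet threads indefinitely
        con.setReadTimeout(5000);
        int code = con.getResponseCode();
        if (code != HttpURLConnection.HTTP_OK) {
            return "http-" + code; // surface upstream failures instead of parsing an error page as JSON
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) body.append(line);
        }
        JSONObject receipt = new JSONObject(body.toString());
        String status = receipt.optString("status", "");
        // Assumption: a completed purchase is reported as "success"; anything else is returned unchanged for logging
        if (!"success".equals(status)) {
            return status.isEmpty() ? "unknown" : status;
        }
        // A receipt that already unlocked content is a replay: report it instead of granting the item again
        return granted.add(purchaseId) ? "granted" : "duplicate";
    }
}
```

The servlet should only deliver premium content when the result is "granted"; every other value is worth logging, since repeated "invalid-id" or "duplicate" results from one client are a useful fraud signal.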

Create a service token

A service token is needed to authenticate getSubscriptionStatus SOAP requests. First, we need to create a SOAP web service client from a WSDL file, so we have generated JAX-WS portable artifacts from the WSDL; these can be packaged in a web application archive (WAR) file. JAX-WS stubs (artifacts) can be generated from a given WSDL using the wsimport tool.

The WSDL link is: https://iap.samsungapps.com/iap/ws/RTCService?wsdl

After generating the JAX-WS portable artifacts, we have written a class called SubscriptionDetails to create a service token using the Secret ID. To find your Secret ID, go to your Profile page and scroll to the information for the Seller Page table.

RtcService rtcService = new RtcService();
RTCService2 rtcimpl = rtcService.getRTCServiceImplPort();
CreateServiceTokenResponse serviceTokenOutput = new CreateServiceTokenResponse();
CreateServiceToken serviceToken = new CreateServiceToken();
serviceToken.setSecret(secretId); // the Secret ID from your seller profile; it must never leave the server

try {
    serviceTokenOutput.setOutput(rtcimpl.createServiceToken(serviceToken.getSecret()));
} catch (Exception e) {
    // Do not swallow the failure silently: without a token every later SOAP call fails with no explanation
    throw new RuntimeException("Failed to create IAP service token", e);
}

Check subscription status

getSubscriptionStatus is used to get the subscription status, item information, and purchase information of a specified Auto Recurring Subscription (ARS) item that was previously purchased. After getting the service token, we use a SOAP request to get the subscription status in the SubscriptionDetails class.

GetSubscriptionStatusWS subscriptionStatus = null;

try {
    // SOAP call authenticated with the service token created above
    subscriptionStatus = rtcimpl.getSubscriptionStatus(purchaseid, serviceTokenOutput.getOutput());
} catch (Exception e) {
    throw new RuntimeException("getSubscriptionStatus failed for purchase " + purchaseid, e);
}

return subscriptionStatus;

Finally, using the following code snippet in the ServerStatusVerification() method we can get the subscription status:

SubscriptionDetails Sub = new SubscriptionDetails();
GetSubscriptionStatusWS subscriptionStatus = Sub.SoapData(PurchaseId); // SOAP call shown above
String Status = subscriptionStatus.getSubscriptionStatus().toString();
return Status;

Return the result to client app

Now return the result of the PurchaseVerification() or ServerStatusVerification() method to the client app.

response.setContentType("text/plain; charset=UTF-8"); // tell the client how to decode the result
OutputStreamWriter writer = new OutputStreamWriter(response.getOutputStream(), "UTF-8");

writer.write(status);
writer.flush();
writer.close();

Testing

Let's test the application. Call the PurchaseVerification() or ServerStatusVerification() method with a purchase ID from the doGet() method, and call doGet() from doPost(), passing the request and response.

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{
    // Purchase ID of a test purchase made through the app; replace it with one of your own
    String x = ServerStatusVerification("3fc70af0a118909d0c8b04eaa1eaee823795c982fc8e39f87faa12c58be43f05");
    response.getWriter().write(x); // show the result in the browser
}

Run the app on the Apache Tomcat 7.0 server. If your servlet works correctly, create a .war file for this Java application. There are many cloud service providers, such as AWS and Heroku, which you can use for your server. After creating the .war file, deploy it to the cloud. Get the URL of your app from the cloud service provider and use that URL to test the server APIs from any browser.

Conclusion

A server application is not only useful for security but also helpful for marketing. If you provide the same premium content on multiple platforms, you can use this server application for all of those apps. You can keep a record of detailed information about purchased items and subscriptions, which can help your business in many ways. For example, you can store your users' subscription status. Based on this data, you can promote a new item, provide offers to potential users and give recommendations to new users.

We are at the end of this article and hope you found the information helpful. See the next blog for part two.
