So, I've been trying to use the Google Play Developer API in our app directly via HTTP requests, and we have a service account that can communicate with the API. Specifically, I'm going to use it for subscription tracking (expiry time, purchase state, etc.).
I already have the access_token, refresh_token, client_id and client_secret, which are encrypted in the app as binary. It is possible to get responses from the API directly, I can tell it works, and I'm fairly sure the method used to store the information is secure enough.
Considering this, I was wondering if it is a good idea to use the developer API directly on devices, because I don't have a backend server that powerful to secure the connection in between. Would the sent and received information be considered sensitive, and should it be completely protected? Or is using HTTPS (as the developer API requires) enough?
I'd also like to know if Google permits the usage of the developer API on multiple devices (I'm talking about more than 100k devices) instead of from a secure backend server, or if it is completely forbidden and goes against their policy to use it from multiple devices, and the API has to be used from a backend server directly.
Does anybody use the developer API HTTP calls directly on devices? If you do, can you tell me if you have experienced problems regarding security or policy? Or do you know that using it is already forbidden?
Any help is appreciated, thank you.
Side note: I am aware that using a secure backend server is a better option for this occasion, but I'm asking this because I can't use it. Please keep that in mind before answering & commenting on this question, thank you.
from Using Google Play Developer API from Android devices directly