The approach involved with the two items in the title of this post appear to conflict with one another and are very hard to test, and it's these edge cases that result in u
IMHO, locally storing the getPurchasesList() response is absolutely fine.
I'll elaborate a little bit more.
It all depends on what your threat model is: for me, the user can't alter the app code itself nor access the private storage of the app. If a user could do that, then everything falls apart as the user can happily remove or skip the code that limits the app features.
So, given a threat model of a user unable to alter the app nor access the app private storage, you can easily cache the getPurchasesList() response token and use it when the device is offline.
Obviously, any update to the token must be reflected in the cache as well (e.g. expired or refunded states).
I also agree with you that Google doesn't provide enough information on how to deal with edge cases; they just show the happy case where everything works perfectly.
I must admit I didn't thoroughly look at the sample apps they provide: https://github.com/android/play-billing-samples
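
The caching rule described in the answer above, sketched as an added example that is not part of the original post and is not Play Billing code. Every type and function name here is hypothetical, and the in-memory map stands in for the app's private storage under the stated threat model.

```kotlin
// Added illustration; all names are hypothetical, not Play Billing APIs.
enum class State { PURCHASED, PENDING }

data class CachedPurchase(val sku: String, val token: String, val state: State)

// Outcome of one attempt to refresh purchases from the billing service.
sealed class QueryResult {
    data class Ok(val purchases: List<CachedPurchase>) : QueryResult()
    object Unavailable : QueryResult() // offline or service unreachable
}

// Stand-in for app-private storage (assumed not readable or writable by the user).
class PurchaseCache {
    private var entries: Map<String, CachedPurchase> = emptyMap()

    // A successful response replaces the cache wholesale, so a purchase that
    // was refunded or expired (and is therefore absent) is dropped as well.
    // A failed query leaves the cache untouched so offline use keeps working.
    fun reconcile(result: QueryResult) {
        if (result is QueryResult.Ok) {
            entries = result.purchases.associateBy { it.token }
        }
    }

    // Only a completed purchase unlocks the feature; PENDING does not.
    fun isEntitled(sku: String): Boolean =
        entries.values.any { it.sku == sku && it.state == State.PURCHASED }
}

fun main() {
    val cache = PurchaseCache()
    // Constructed sample purchase, not real data.
    val premium = CachedPurchase("premium", "token-constructed-1", State.PURCHASED)

    cache.reconcile(QueryResult.Ok(listOf(premium))) // online: purchase seen
    cache.reconcile(QueryResult.Unavailable)         // offline: cache kept
    println("offline entitlement: " + cache.isEntitled("premium"))

    cache.reconcile(QueryResult.Ok(emptyList()))     // online: refunded or expired
    println("after empty response: " + cache.isEntitled("premium"))
}
```

The edge case to test is the difference between an empty successful response, which must clear the entitlement, and a failed query, which must not.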