Android In-App Billing - what is the nonce really for?

2023-09-05 04:31:40 Author: 流泪de天使

Yes, I've read all the docs at developer.android.com and I do understand it all, with one basic exception: what it was introduced for.

Since all order responses from Google Play come signed by a private key inaccessible to anyone and are verified with the paired public key (in my case on an external server, so it is also inaccessible to a third person), there's simply (almost) no way to spoof them.

All those nonces are just a redundant way of securing the purchases. And what's more, the docs say nothing about the situation when:

1. I purchase an item;
2. Generate a nonce and send it to Google Play;
3. Have a crash, so all my known nonces are lost;
4. Have my app restarted and get the callback from Google Play;
5. ...And reject this call due to not recognizing the nonce!

In the situation described above the user pays for an item and never gets it, which is shameful. Of course I can store nonces in some file and re-read it when my app gets back, but that violates all the principles for nonces.

IMHO someone just said "Hey, the verification process is too simple, let's add something more with randomness, it's gonna be way more cool!". So someone did.

Or, would you open my mind to some other use-case I am missing? Otherwise I'm removing the whole nonces part from my code.

Accepted answer

You don't need to store the nonce 'to disk' to account for an app crash.

When your app crashes, yes, you will lose your list of known nonces. However, when your app restarts and you receive an IN_APP_NOTIFY, you then have to do another GET_PURCHASE_INFORMATION; when you do this GET_PURCHASE_INFORMATION you will generate a new nonce and add it to the list of known nonces.

What you have to remember is that the nonce is one per GET_PURCHASE_INFORMATION (which returns you multiple purchased items), not one nonce per item that is bought.

As you've said, you've implemented your own way to avoid replay attacks, but using a nonce is one such secure method.
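The flow the answer describes (one in-memory nonce per GET_PURCHASE_INFORMATION, a fresh request after a restart instead of a persisted nonce), as an added Python example that is not code from the post or from Google's billing sample. Google Play's RSA signature is stood in for by an HMAC with a constructed key, and the order fields are constructed sample values.

```python
import hmac, hashlib, json, secrets

# Stand-in for Google Play's RSA signature: an HMAC over the signed JSON with a
# constructed key. Only the nonce logic is the point; real responses carry an
# RSA signature verified with the app's public key (here, on the server side).
_FAKE_PLAY_KEY = b"constructed-signing-key"

def fake_play_response(nonce, orders):
    """Simulate GET_PURCHASE_INFORMATION -> PURCHASE_STATE_CHANGED (constructed)."""
    signed_data = json.dumps({"nonce": nonce, "orders": orders}, sort_keys=True)
    signature = hmac.new(_FAKE_PLAY_KEY, signed_data.encode(), hashlib.sha256).hexdigest()
    return signed_data, signature

class NonceStore:
    """Outstanding nonces, one per GET_PURCHASE_INFORMATION request, kept in memory only."""

    def __init__(self):
        self._known = set()

    def new_nonce(self):
        nonce = secrets.randbits(63)  # unpredictable, so a stale response cannot be pre-fitted
        self._known.add(nonce)
        return nonce

    def consume(self, nonce):
        """Accept each nonce exactly once; a second use of the same value is a replay."""
        if nonce in self._known:
            self._known.discard(nonce)
            return True
        return False

def handle_purchase_state_changed(signed_data, signature, store):
    """Return the orders if signature and nonce check out, else None."""
    expected = hmac.new(_FAKE_PLAY_KEY, signed_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None                       # tampered, or not from Play at all
    data = json.loads(signed_data)
    if not store.consume(data.get("nonce")):
        return None                       # replayed, or from a request we no longer remember
    return data["orders"]

def recover_after_crash(store, pending_orders):
    """The answer's flow: on IN_APP_NOTIFY after a restart, issue a fresh
    GET_PURCHASE_INFORMATION with a new nonce instead of trusting an old one."""
    nonce = store.new_nonce()
    signed_data, signature = fake_play_response(nonce, pending_orders)
    return handle_purchase_state_changed(signed_data, signature, store)
```

The old response whose nonce was lost in the crash is simply dropped; the purchase is still delivered because the re-issued request carries a nonce the restarted app does know.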