question

Ruben avatar image
Ruben asked

IAP SDK not responding in sandbox mode due to permission issue

IAP SDK version: 2.0.76

This issue is present in the version 3.0.3 of the AppStore SDK as well.

We have a problem with the IAP sandbox mode not responding at all after invoking PurchasingService.getUpdates(true)

After investigating, I found out that the issue is related to a permission required by the ResponseReceiver we have to declare in our AndroidManifest:

W/BroadcastQueue: Permission Denial: broadcasting Intent { act=com.amazon.inapp.purchasing.NOTIFY flg=0x10 pkg=redacted (has extras) } from com.amazon.sdktestclient (pid=9055, uid=10287) requires com.amazon.inapp.purchasing.Permission.NOTIFY due to receiver redacted/com.amazon.device.iap.ResponseReceiver

This problem seems to have started out of nowhere, as we didn’t have this issue a couple of weeks back.

The documentation for this ResponseReceiver states the following: https://developer.amazon.com/docs/in-app-purchasing/iap-implement-iap.html#responsereceiver

<receiver 
      android:name="com.amazon.device.iap.ResponseReceiver"
      android:permission="com.amazon.inapp.purchasing.Permission.NOTIFY" >
    <intent-filter>
      <action android:name="com.amazon.inapp.purchasing.NOTIFY" />
    </intent-filter>
</receiver>

However, the official IAP samples contain a different AndroidManifest setup:

<receiver
    android:name="com.amazon.device.iap.ResponseReceiver">
    <intent-filter>
        <action
            android:name="com.amazon.inapp.purchasing.NOTIFY"
            android:permission="com.amazon.inapp.purchasing.Permission.NOTIFY" />
    </intent-filter>
</receiver>


This apparently works, but it doesn’t match Google’s official recommendations for secure BroadcastReceivers: https://developer.android.com/guide/components/broadcasts#receiving-broadcasts-permissions

My guess is that it works because it's actually not protecting the Receiver at all.


So this leaves me with the following questions:

  1. Why is the IAP sample’s AndroidManifest configuration different than the official documentation?

  2. Is the BroadcastReceiver in the IAP sample really protecting against broadcasts sent from other apps? I’m not sure if the permission attribute inside the action block does anything

  3. Is there a way to disable sandbox in debug builds? Disabling sandbox mode using this command didn’t work: adb shell setprop debug.amazon.sandboxmode none
iap
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

0 Answers