The OUYA In-App Purchasing API Is Crazy Broken

If you don’t know about the OUYA game console, you’re one of the lucky ones. The makers of the Android-powered box have promised to “crack open the last closed platform”—video game consoles—but they’ve had no end of problems. Its developers haven’t responded to requests to comply with their software licensing agreements, its controllers are of insanely poor quality, and The Verge gave it one of the lowest review scores in the history of its magazine.

What I want to highlight here is the naiveté of the people who wrote their In-App Purchasing API. Here’s what its documentation says about decrypting purchase receipts:

The receipt decryption happens inside the application to help prevent hacking. By moving the decryption into each application there is no “one piece of code” a hacker can attack to break encryption for all applications. In the future, we will encourage developers to avoid using the decryptReceiptResponse method. They will need to move the method into their application, and perturb what it does slightly (changing for-loops to while-loops, and so forth) to help make things even more secure.

They’ve got to be kidding. I, too, want the encryption of my purchase orders subject to the whims of compiler bytecode optimizations. Do yourself a favor and read the page. Notice anything else funny about it? I’ll give you a minute.

As The Verge points out,

there are often no confirmation boxes or checks against you spending thousands of dollars. Oh, you hit Upgrade because it’s right next to Play and the controller’s laggy? Perfect. Thanks for your money.

The system doesn’t enforce any kind of confirmation for in-app purchases. As the developer of an OUYA game, you can make any number of purchases you’d like on behalf of your customers, and do so in such a way that they have no idea it’s happening.

Holy hell.