Hello Utel,

 

If you haven't already, I would highly recommend the following article outlining digital goods associated with your application:

http://docs.blackberry.com/en/developers/deliverables/33895/Registering_your_virtual_goods_1314130_1...

 

Some specific areas of interest include:

1) License type: Can be set to a 7 or 30-day subscription model.

2) Initial trial period: Different than "10 uses" but you can set a specific number of days before the user would need to purchase the digital good.

3) Renewal price: To automatically renew a subscription.

 

Please note that the dynamic license model refers to the license key that the end user is sent. If you use a dynamic model, you will need to supply your own license generation algorithm as outlined in the article above.

 

Applications, and digital goods, are tied to a users's BBID. If they were to switch devices and re-activate their BBID on that new device, they would have access to their previously purchased items.

 

I do not believe there is an automatic status change notification that is send to vendors, however through the use of PaymentEngine.getExistingPurchases(), you can query the current status of a digital good to see whether it is purchased. You could use this in conjunction with your 10 trial messages (in lieu of the trial period) to see whether the item is currently purchased before prompting them.

 

Erik Oros

BlackBerry Development Advisor

Hi,

Thanks for your reply. I've carefully read this documentations.

But, for the matter of security, and to not allow other people to use our chat community service without fee, I need a server side verification process. The aim is to keep my servers continuously aware of any customer payment status (trial period, payed, renewed, canceled, refunded), and to allow them to check it (or to be informed of it by RIM servers).

I want to prevent me from another developer wich could develop a basic application to use our web service with no fee. Since RIM seems to not provide a web service to check a payment ticket on server side, I do not see how to do...

Maybe I miss something... ??
Could you give me more details on how to do that, please ?

Regards.

Hello Utel,

 

You could leverage PaymentEngine.getExistingPurchases() on the application side and submit the data to your servers every now and then (i.e. when the application starts, or have a background application that polls every X amount of time.) You would then have a fairly up to date copy of this information on your servers that you could leverage.

 

Alternatively, requiring user credentials (i.e. they need to sign up for an account with you in order to use the web service) would also be an approach. Any unrecognized user would be denied access, and you could implement a client-side check on the status of the purchases to ensure they are able to make the necessary calls.

 

The remainin scenario is a valid user using the alternate application. In that case, you would again need to make the comparison against server-side information which circles back to submitting purchase status information occassionally to your servers.

 

FInally, instead of polling the status constantly, there is only really one time that you would really need to update the status of the purchase: when the user makes the purchase.  So when they buy the subscription, you could notify your server and set an expiry date for that user/device PIN/etc. On subsequent web service calls, you can check that the request is within the expiry window. You would then only need to update the expiry when the user makes another purchase (i.e. renews their subscription.) This could also be combined with polling on the client-side as a two-tiered check.

 

Erik Oros

BlackBerry Development Advisor

Hello Erik Oros,

After reading your post, the solution seems to use a dynamic licence with client payment status updates. I undestood the client could give the transaction ID of the last existing purchase and our web service compare it to the known transaction ID for this user.

I still have two questions :
Does the PIN given by RIM payment server is the same PIN used on BlackBerry smartphones ?
Does the web service will be informed of renewal by RIM payment server ? (otherwise, the risk to have fake informations from an alternate application still the same)

Many Thanks.

Hello Utel,

 

Can you please clarify which PIN you are referring to that is returned by the payment server?

 

As for the renewal, there wouldn't be an automated notification to your server. The subscription virtual goods are designed to give timed-access to specific application functionality and automatically re-charge the customer as required.

 

It seems the concern here is that a user can create an application themselves to access your public web service and retrieve content directly. You are attempting to leverage virtual goods in order to prevent such access, but it may be simpler to break this down into two main focusses:

 

1) Limit your in-app functionality based on the status of the subscription by checking PaymentEnginge.getExistingPurchases; and,

 

2) Retrict access to your Web Service by unauthorized parties. Some idea would be requring user credentials in the request, server-side encryption and client-side decryption of the web service results, etc. This is an implementation that would be dependant on what you feel is most secure but the issue attempting to be solved here (unauthorized access to your web service) is somewhat removed from the purpose of a subscription digital good. The concern isn't just faking a web service request from another application, but from anywhere really (i.e. desktop.)

 

Let me know if you have any questions.

 

Erik Oros

BlackBerry Development Advisor

Hi Erik Oros,

Thanks for your reply.

However I still have questions. Maybe I didn't explain myself clearly. Let me exposed this in an other way :

Currently, our customers can access to our service using different connection methods including our BB apps and a web site. Every customer has a user account with a login/password to access to the chat environnement.

After a trial time period, customers have to subscribe to the service. Our general terms specify that the subscription will be renewed automatically, even if the does not connect with the BB app. That means, a user could subscribe on the BlackBerry client application, chat on it, use his account on the web, and use it again on the BlackBerry client application 40 days after, for example.

That's why, UTEL servers must be synchronized with RIM payment server to check customers payment status.  And so, we must be able to process the check regardless of the run or not run of the BB app.

We already implement this kind of process with other vendors plateforms. They provide a web service which allows us to update our customers payment status database from the payment servers.

Does RIM can provide a solution for that ? Could you help me to find a way to do it with BlackBerry ?

Many thanks for your help.

Hello Erik Oros,

Thank you very for your clear answers.

I think we'll apply the second solution with encryption for client/server communications.

I have a very last question on payment :
With dynamic licence model, RIM payment servers send a request like
PIN=12341234&email=customeremail@email.com&product=product&version=1.2&transactionid=123&test=false

Does the PIN number correspond tothe PIN that we can get on client side with DeviceInfo.getDeviceId() ?

Thanks again.

Hi Utel, that's right. The PIN is the unique identifying PIN of the device which can be retrieved with that API.

 

A sample for converting the int to a hex string can be found here:

http://supportforums.blackberry.com/t5/Java-Development/Blackberry-PIN/m-p/190030/highlight/true#M25...

 

Erik Oros

BlackBerry Development Advisor