We're building a mobile app that uses Cybersource for in-app purchases and subscription handling. Standard implementation works fine for apps distributed via Google Play and the App Store.
However, we're considering allowing users to download the APK directly from our website as well (for regions where Play Store access is limited). Our concern is: how do we handle receipt verification when the app is installed as a raw APK, especially if users might be running modified versions of the app (e.g., modded APKs like GTA 5 mod apk from third-party sources like HappyMod)?
Specifically:
Does Cybersource offer any server-side validation that can distinguish between legitimate purchases made through our app versus purchases spoofed in a modified client?
What's the best practice for receipt validation when you don't have the Play Store/App Store receipt chain?
Are there any sandbox testing strategies to simulate modded client behavior to ensure our backend validation is secure?
We want to support flexible distribution but obviously need to protect against fraud. Any insights from folks who've handled similar scenarios would be appreciated.
03-28-2026 02:06 AM