Hello Guys,

I have a security vulnerability  for misusers in my app regarding to in app billing plugin usage. I realized that when someone ones to download and unpack my apk file , onecan easily see the codes when the successhandler for purchase() function finished . I mean  what is running in the backend just after getting the payment on google play store is visible. How can I hide and make it more secure?

In detail , after completing initalizition and purchasing credits from google play store , I am running a php link with user parameter and credit amount parameter with XMLHttprequest protocol ,so when unpack the apk it is all clear one can easily manipulate and uses the link formation and install credits to its account easily. How should I figure out complete steps ? How can I send and get  parameters (userid, creditsamounttobe intalled)  to site backend  php web site link from mobile app with encyrted way.

Can you help about this ? 

    function successHandler (result) {
                var strResult = "";
                if(typeof result === 'object') {
                    strResult = JSON.stringify(result);
                } else {
                    strResult = result;
                }
                console.log("buy_SUCCESS: \r\n"+strResult );
                consumePurchase(creditsQuanitity);

   /****

My web site backend link for installing credits on the user account according to credit purchased.

 I am using  XMLHttpRequest to send the parameters to website.

    var xhr = new XMLHttpRequest();
    xhr.open("POST","***************/api/init/?mycred=deneme"+"&user_id=" + userID+"&amount="+amount +"&kategory="+kategory);

***//

               
               
            }