javaandroidkotlingoogle-playinstall-referrer

User migration to a new app using old auth token - InstallReferrer custom parameter


I have two app on Google Play. The old and new one. And I would like to use old auth token to the new app to be easier for users.

  1. On the old app, the user has a popup to install the new app on Google Play.
  2. I would like to pass the auth token in parameter to Google Play.
  3. After new app has been installed, I would like to save the token in the new one app.

I tried to use Play Install Referrer Library but it didn't work.

The other way was to use SharedPreferences but MODE_WORLD_READABLE has been deprecated.

Old APP :

try {
    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse("market://details?id=com.<PACKAGENAME>&token=pokpok&refresh_token=lolol"));
    startActivity(intent);
} catch (Exception e) {
    e.printStackTrace();
    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("https://play.google.com/store/apps/details?id=com.<PACKAGENAME>?token=pokpok&refresh_token=lolol")));
}

New APP code :

    private fun shouldGetTokenFromOldApp() {
        mReferrerClient = InstallReferrerClient.newBuilder(this).build()
        mReferrerClient.startConnection(object : InstallReferrerStateListener {

            override fun onInstallReferrerSetupFinished(responseCode: Int) {
                when (responseCode) {
                    InstallReferrerClient.InstallReferrerResponse.OK -> {
                        // Connection established
                        val response: ReferrerDetails = mReferrerClient.installReferrer
                        val url = "https://play.google.com/store?${response.installReferrer}"
                        Log.d("APP", "Token old app 1 : $url")
                        val uri: Uri = Uri.parse(url)
                        val token = uri.getQueryParameter("token")
                        val refreshToken = uri.getQueryParameter("refresh_token")

                        Log.d("APP", "Token old app 2 : $token - $refreshToken")
                        mReferrerClient.endConnection()
                    }
                    InstallReferrerClient.InstallReferrerResponse.FEATURE_NOT_SUPPORTED -> {
                        // API not available on the current Play Store app
                    }
                    InstallReferrerClient.InstallReferrerResponse.SERVICE_UNAVAILABLE -> {
                        // Connection could not be established
                    }
                }
            }

            override fun onInstallReferrerServiceDisconnected() {
                // Try to restart the connection on the next request to
                // Google Play by calling the startConnection() method.
            }
        })
    }

Solution

  • This sounds like a nice thing to do for users, but seems very dangerous. You are sending an Auth token - something which if someone has it could allow them to login as that user anywhere off through untrusted systems like world readable files or referral parameters in URLs.

    If you really need to do this, I'd suggest using some form of inter-app RPC (IPC) to communicate the token after the app is installed. One option would be a binder to a service that supplies the auth.