As an additional layer of security, you can check whether the payload passed to your server was originally generated for your own app (package name). The payload that you receive in the success response contains a field with the key “verifier”. To validate it, generate the HMAC SHA256 of your package name, using your appKey (partner key) as the secret.
(The appKey mentioned here is the one that you generate from our developer portal).
The output of this computation should match the verifier value received in the payload. If it doesn't, the payload that was generated has been tampered with.
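One way to perform this check on the server, shown as an added example rather than code from the developer portal. The function names and sample values are hypothetical, and the text encoding of the verifier (hex or Base64) is an assumption, since the page does not state it.

```python
import base64
import binascii
import hashlib
import hmac


def expected_verifier(package_name: str, app_key: str) -> bytes:
    """Raw HMAC-SHA256 of the package name, keyed with the appKey."""
    return hmac.new(app_key.encode("utf-8"),
                    package_name.encode("utf-8"),
                    hashlib.sha256).digest()


def _decode(verifier: str) -> bytes:
    """Decode the received verifier (assumed hex or Base64) to raw bytes."""
    verifier = verifier.strip()
    if len(verifier) == 64:  # 32-byte digest written as hex
        try:
            return bytes.fromhex(verifier)
        except ValueError:
            pass
    try:
        return base64.b64decode(verifier, validate=True)
    except (binascii.Error, ValueError):
        return b""  # undecodable input can never match


def payload_is_for_app(payload: dict, package_name: str, app_key: str) -> bool:
    """True only if payload['verifier'] matches the locally computed HMAC."""
    received = payload.get("verifier")
    if not isinstance(received, str) or not received:
        return False  # a missing verifier is treated as a failed check
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading bytes of a guessed verifier were correct.
    return hmac.compare_digest(_decode(received),
                               expected_verifier(package_name, app_key))


# Constructed sample values, not real credentials.
PACKAGE = "com.example.myapp"
APP_KEY = "constructed-app-key-not-real"

if __name__ == "__main__":
    good = {"verifier": expected_verifier(PACKAGE, APP_KEY).hex()}
    other = {"verifier": expected_verifier("com.other.app", APP_KEY).hex()}
    print(payload_is_for_app(good, PACKAGE, APP_KEY))
    print(payload_is_for_app(other, PACKAGE, APP_KEY))
```

Keep the appKey on the server only, and reject the request when the check returns false instead of falling back to the unverified payload.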