Not sure if I read correctly, but it appears this can work for an app that was NOT purchased through the Android Market app. The requirements are that the app is published in the Android Market and that the Android Market app is available on the device.
Could this mean Google will soon open up payment for apps outside of the Market app? On 27 July 2010 20:59, Raymond C. Rodgers <[email protected]> wrote: > On 7/27/2010 2:53 PM, Trevor Johns wrote: > >> On Tue, Jul 27, 2010 at 11:42 AM, Raymond C. Rodgers < >> [email protected] <mailto:[email protected]>> wrote: >> >> I'm not sure that this is inherently insecure. Yes, it does use >> libraries and a public key that will be embedded in the >> application, but public keys are designed to be shared. All the >> client side is doing is verifying information encrypted with the >> private key which isn't accessible, and providing that information >> to the application for it to manage as the developer decides. I >> may not have my security "A" game going today, but that sounds >> reasonably secure to me. The private key isn't even made available >> to the developer as I understand it, so the developer doesn't >> really have the option of shooting themselves in the foot with it. >> >> >> In many ways, it's more secure to have the code embedded in the >> application (which is why we designed the library this way). >> >> If the license check was performed solely by the OS, an attacker could >> just use a modified firmware image to bypass the checks for all applications >> on the system. >> >> <http://groups.google.com/group/android-developers?hl=en> >> > Agreed. After I wrote my part above, I even thought of another > possibility... I haven't checked the API thoroughly, but it maybe possible > to store the public key on your own server, protected as you see fit, then > when you do your licensing checks, you download the public key through > whatever secure mechanism you feel is sufficient, do the check, and then > discard the public key. > > Raymond > > > -- > You received this message because you are subscribed to the Google > Groups "Android Developers" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected]<android-developers%[email protected]> > For more options, visit this group at > http://groups.google.com/group/android-developers?hl=en > -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
