Unfortunately, this has a few problems:

1) The user has to have an internet connection on first load of the app.
2) If it's via HTTP or some other well documented protocol, could easily have a hosts entry re-point where to ask for confirmation to a server that just responds "OK". This could be overcome possibly with a pub/priv key system of signing.
3) Should still be possible to get a copy of the apk, and remove the code block for that check I imagine...

You're going to have a problem with piracy no matter what you do. Look at _every_ platform, and every form of copy protection, they all have piracy. The only exception to this that I can see is hosted services (like World of Warcraft, and websites), where all of the user data is stored some place that you have control over, and can check for validity on your side, with known-good code at run-time.

Any time you put code/logic on a client side, it can be subverted one way or another...

- Dan

On Wed, Oct 14, 2009 at 1:38 PM, WoodManEXP <[email protected]> wrote:
>
> I am no security expert and have not thought this out all the way, but
> could a workable solution to the pirating problem be something like
> this:
>
> 1. The market clients (like Google Market, AndAppStore, SlideME) could
> record on their servers some kind of identifier about who bought the
> app and perhaps what Android device it was bought for. They already
> capture the who information.
>
> 2. Android apps that care can, on first launch, ask the user about
> their identifier and what service they bought the app from.
>
> 3. The app, or the servers that support the app, can query, via http,
> the market client service to ask did so-and-so get this app from you?
>
> 4. If an affirmative response can be had then the app is not pirated.
> Otherwise the app is pirated.
>
> Google Market, AndAppStore, SlideME, etc… will need to make such a
> service available, via http.
>
> It would be straight-forward to generate a list of installed market
> clients for the user to select from. The market clients may even be
> able to supply the user identification so user does not need to enter
> it.
>
> The application could retrieve from its servers the list of market
> clients it believes are legitimate in order to prevent the bogus
> clients from spoofing it.
>
> If you installed an app w/out a market client and the app did not
> intend for such an installation to happen, like on rooted phones using
> adb, then the app is pirated.
>
> And finally, could this process be invisible to the user and just
> involve communication between the app and installed market clients and
> the market clients servers and the apps servers?
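Added example, not part of the original thread and not code from any market client: a plain-JVM sketch of the "pub/priv key system of signing" mentioned in point 2, where the app accepts a purchase confirmation only if it is signed by a key it already trusts and covers a nonce the app just generated. The class name, field layout, identifiers and the in-process key generation are assumptions made for illustration; a real app would ship only the market's public key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedLicenseCheck {
    // Signed fields are newline-joined; assumes no field contains a newline.
    static byte[] payload(String app, String user, String nonce, String verdict) {
        return String.join("\n", app, user, nonce, verdict).getBytes(StandardCharsets.UTF_8);
    }

    // Market server side (hypothetical): sign the verdict bound to app, user and the client's nonce.
    static byte[] sign(PrivateKey key, String app, String user, String nonce, String verdict)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(payload(app, user, nonce, verdict));
        return s.sign();
    }

    // App side: a bare "OK" is never enough; it must verify under the pinned key for our own nonce.
    static boolean verify(PublicKey pinned, String app, String user, String nonce,
                          String verdict, byte[] sig) throws GeneralSecurityException {
        if (!"OK".equals(verdict)) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pinned);
        s.update(payload(app, user, nonce, verdict));
        return s.verify(sig);
    }

    static String newNonce() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair market = g.generateKeyPair();  // constructed: stands in for the real market's key pair
        KeyPair other = g.generateKeyPair();   // constructed: a server the hostname was re-pointed to
        String app = "com.example.app", user = "user-123", nonce = newNonce(); // constructed values
        byte[] good = sign(market.getPrivate(), app, user, nonce, "OK");
        byte[] forged = sign(other.getPrivate(), app, user, nonce, "OK");
        System.out.println("genuine response accepted: " + verify(market.getPublic(), app, user, nonce, "OK", good));
        System.out.println("re-pointed server accepted: " + verify(market.getPublic(), app, user, nonce, "OK", forged));
        System.out.println("replayed response accepted: " + verify(market.getPublic(), app, user, newNonce(), "OK", good));
    }
}
```

Signing addresses only point 2; points 1 and 3 from the reply still apply, since the check runs on the client.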

