Hi, I am integrating the new Android Licensing scheme and was wondering how secure licensing would be if I just use Settings.Secure.ANDROID_ID as a unique device ID. The sample app uses this, but suggests using more IDs as this is a single point of attack. However, the Licensing docs seems to discourage the use of something like IMEI numbers just for licensing purposes, as this would require a READ_PHONE_STATE permission.
I wouldn't want to add that permission just for licensing, since my app doesn't using anything else in the Telephony stack, and users would probably be suspicious when they see this new permission. But there are some posts on the internet showing it is (was?) possible to spoof ANDROID_ID. Is this still the case? If so, for anybody, or just root users? How would that affect licensing in my app? For example, would it be possible for someone to spoof ANDROID_ID, buy apps, make the spoofed ANDROID_ID publicly available and so allow anyone who changes their ANDROID_ID to the spoofed one to get access to those apps? I guess one way around that would be to implement a device limiter, but that opens up a whole new can of worms, something that I would not want to do. So, is using ANDROID_ID "safe enough", or could someone suggest an alternative that doesn't require permissions? Thanks! -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
