On Thu, Nov 17, 2011 at 4:50 PM, Ricardo Amaral
<mas...@ricardoamaral.net> wrote:
> I was thinking of implementing a coupon based system for my app so I could
> offer some copies of the full version to some people. I found a blog article
> which provided the server code (to install on Google AppEngine) and the
> client code to use on the app. I looked at the source code and realized the
> way the system works (after the coupon has been validated and activated) is
> with a simple boolean variable with SharedPreferences.
>
> 1) My main question about this is, how safe is this? How easily is the
> SharedPreferences file hackable on rooted devices to change that boolean
> flag and "convert" an app to a full version even without a coupon code?
>

Not very.

> I'm talking about coupons here but they don't really matter. I thought about
> using SharedPreferences before to handle a similar situation (ie: boolean
> variable to control if the app is the full version or not). So the question
> is really about SharedPreferences and how safe are they to control the
> free/paid version of an app based on a boolean flag. If they are not safe,
> is there any other way?
>

You can try validating on a server end of your app. But in general,
once you get root access you have control over the device.  This
leaves out anything on the sd card, which you should consider
basically completely insecure.

At the same time, this is probably a case where you should just suck
it up.  What's the probability that somebody is going to put enough
effort into reverse engineering your app to change the flag when they
could just buy it for a few bucks? Not really worth worrying about the
.01% of people who would (and honestly, probably 0%).

> 2) My second question and now related to the coupons system but we can look
> at this as validating and activating an app through the Internet. The idea
> is that I just want to activate the full version of my app to someone,
> temporarily, some sort of a trial.
>
> The problem is the deactivating part. Let's say I disable the full version
> for a specific device on the validation server. If the user doesn't open my
> app while connected to the Internet, the app will always be on "full mode"
> and there's nothing I can do about it. Or is there?
>

Sure there is, have the program validate itself before each run and
default to doing nothing.  So if they have no internet access you pop
up a window saying "you must be connected."

kris

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
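
The reply's two suggestions (validate on the server, and check before each run while defaulting to locked) can be modelled together. This is an added example, not code from the thread or from the blog article it mentions; `LicenseServer`, `Offline`, `check_at_startup` and the device id are hypothetical names, and the network call is simulated in-process.

```python
import time


class LicenseServer:
    """Hypothetical validation server: the entitlement lives here, not on the device."""

    def __init__(self):
        self._grants = {}  # device_id -> trial expiry (epoch seconds)

    def activate(self, device_id, trial_seconds, now=None):
        now = time.time() if now is None else now
        self._grants[device_id] = now + trial_seconds

    def deactivate(self, device_id):
        # Revocation is a server-side change; the device needs no update.
        self._grants.pop(device_id, None)

    def validate(self, device_id, now=None):
        now = time.time() if now is None else now
        expiry = self._grants.get(device_id)
        return expiry is not None and now < expiry


class Offline:
    """Stand-in transport for a device that has no network access."""

    def validate(self, device_id, now=None):
        raise ConnectionError("no network")


def check_at_startup(transport, device_id, now=None):
    """Run before every launch. Returns (full_mode, message).

    Nothing is written to local storage, so there is no boolean flag to
    edit, and every failure path leaves the app locked (fail closed).
    """
    try:
        ok = transport.validate(device_id, now)
    except (ConnectionError, TimeoutError):
        return False, "You must be connected."
    if ok is not True:
        return False, "Full version is not active for this device."
    return True, "Full version active."
```

With this shape a deactivation or an expired trial takes effect at the next launch, and an offline launch stays locked. It does not change the reply's point that a rooted device remains under its owner's control.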
