If what you want is to be able to give out free copies to some users, implement another unlocker, that is similar to the paid premium unlocker you're planning for Market, but is free.
Encrypting preference data has nothing to do with LVL per se, and does not require that the app is paid or free. Whatever encryption / obfuscation you choose to go with, make sure to throw in some device-specific bits, so your data file with the activation state won't work if copied to another device. -- Kostya 24 ноября 2011 г. 22:52 пользователь Ricardo Amaral < mas...@ricardoamaral.net> написал: > On Thursday, November 24, 2011 5:36:20 PM UTC, Kevin TeslaCoil Software > wrote: >> >> > I'm just >> > trying to understand how secure is SharedPreferences and what >> alternatives >> > are there, that's all. >> >> On a rooted device SharedPreferences absolutely can be tampered with. >> Same with any on-device storage. However this doesn't mean you can't >> use them. >> >> 1) Obfuscation. This is how Google recommends handling LVL data in >> shared prefs. This is not secure as someone could reverse engineer the >> obfuscator, but it makes it a pain in the ass and generally not worth >> it (easier to crack the APK itself). Check out the >> PreferenceObfuscator used for LVL: >> http://code.google.com/p/**marketlicensing/source/browse/** >> library/src/com/android/**vending/licensing/**PreferenceObfuscator.java<http://code.google.com/p/marketlicensing/source/browse/library/src/com/android/vending/licensing/PreferenceObfuscator.java> >> . It gives you stuff like this: <string name="5">h99XZgr >> +0i5N2SN0lEDu592x14RTrTj6/**VOCCnxGokeazVz9bfLW793kkXg01ka**BsJa1/</ >> string> >> You can seed the obfuscator with a device id of some kind to prevent >> users from just copying shared prefs from one device to another. >> > I haven't yet used the LVL but I'm thinking of using it for the paid > version of my app. However, my paid app will be a unlocker app, nothing > else and as you know, you can't use LVL on free apps. But it's the free app > that will check for the paid app > > 2) Server signed data. When you authenticate your coupon, instead of >> saving a "true" or "false", save a string from your server that is >> cryptographically signed. At the launch of the app you can verify this >> signature even without internet access. Again this is similar to the >> LVL approach. It might be too much work as crypto is very confusing. >> > --- >> >> Along the lines of what others are saying, don't invest too much in >> anti-piracy stuff. Release and see what happens, if no one cracks it >> then don't waste any more time. If it's cracked, look at how they did >> it and block it in the next update. Keep adding features in updates >> will keep current and future legit users happy, and have the pirates >> always playing catch up to the latest version until they get sick of >> it and just buy it. >> >> -Kevin >> > Again, this has nothing to do with piracy. Of course, I'll do a minimum > effort to prevent it but that's it, I will never waste too much time trying > to prevent piracy, that's a lost battle from the beginning. > > I simply want some sort of control where I can give out free copies to > some people. I could just give them the .apk and be done with it. But I > don't want to go down that road. I only came here asking about the > SharedPreferences security. If a rooted user can simply pull the file, > easily swap a boolean value from false to true and push the file back to > the phone. Than, in my opinion, it's a pointless way of validating a > license. That's all I wanted to know and all I asked :) > > -- > You received this message because you are subscribed to the Google > Groups "Android Developers" group. > To post to this group, send email to android-developers@googlegroups.com > To unsubscribe from this group, send email to > android-developers+unsubscr...@googlegroups.com > For more options, visit this group at > http://groups.google.com/group/android-developers?hl=en > -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
