Using the unique ID (hash) of the phone, register it with your web
service on install.
Then employ PKI to authenticate your app on each launch.
On your web service sign a string containing the hash, timestamp, and
a short expiration timestamp.
Then have your app use your public key (in the app) to authenticate
the string, verify the timestamps, and complete
the launch if valid, otherwise abort the launch or offer the user to
come clean and install.
To prevent code modification--bypassing the check--don't include all
of the code in the app.
Keep some of it on the server and only send it to the app if the check
takes place and passes the check.
This way the app will not function correctly unless the check is
performed and passes.
Create a set of one-off methods (dummys that just pass through) that
you can dynamically use with each app instance; since you
are in control of the download (unlike Market publishers), you can
dynamically build and package a unique app for each instance
downloaded.
This way no two apps use the same method and a hacker is up a creek as
far a patching the code
and replicating it to the community. When one instance is cracked, and
it will be, then your server can cancel that hacked instance
without effecting all of the other valid users. This will create a
string disincentive, because no two app are the same, codewise ;-)
Maybe we should start a service and offer Android publishers a secure
distribution service, unlike the Market.
There is no way to register (stamp an app with a phone id) downloads
from the Market prior to installation.
As it stands now publishers have no way to verify if their app was
downloaded from the Market or copied and installed by other means.
If there is I would like to know. I've asked but I never get replies
regarding this advanced topic. Most publishers are still learning to
just create apps, let alone seek out secure distribution and customer
behavior--only Google enjoys this privilege, currently.
Here's a method snippet for getting the unique ID and hashing it:
String getPhoneID(){
MessageDigest digest;
try {
digest = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("this should never happen");
}
String srvcName = Context.TELEPHONY_SERVICE;
TelephonyManager telephonyManager =
(TelephonyManager)getSystemService(srvcName);
/* requires READ_PHONE_STATE permission */
String deviceId = telephonyManager.getDeviceId();
if (TextUtils.isEmpty(deviceId)) {
return "";
}
byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
String id = new String(Base64.encodeBase64(hashedDeviceId), 0,
12);
id = id.replaceAll("/", "_");
return id;
}
On Nov 14, 7:12 am, jax <[email protected]> wrote:
> I am wondering how I might go about securing a paid app on Android.
>
> I am thinking of selling the application from my own website via
> PayPal, however, how will I stop people from sharing it with their
> friends etc. Does Android have any type of native support for this?
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
