What would happen if someone gets a new Android phone? The app's authentication will fail.

You should hash/key on the user's Google account, the same key that is used by Android Market (you can download paid apps as often as you want, once you have paid for them, based on your Google account).

On Nov 15, 2:32 am, android kracker <[email protected]> wrote:
> Using the unique ID (hash) of the phone, register it with your web service on install.
> Then employ PKI to authenticate your app on each launch.
> On your web service sign a string containing the hash, timestamp, and a short expiration timestamp.
> Then have your app use your public key (in the app) to authenticate the string, verify the timestamps, and complete the launch if valid, otherwise abort the launch or offer the user to come clean and install.
> To prevent code modification--bypassing the check--don't include all of the code in the app.
> Keep some of it on the server and only send it to the app if the check takes place and passes.
> This way the app will not function correctly unless the check is performed and passes.
> Create a set of one-off methods (dummies that just pass through) that you can dynamically use with each app instance; since you are in control of the download (unlike Market publishers), you can dynamically build and package a unique app for each instance downloaded.
> This way no two apps use the same method and a hacker is up a creek as far as patching the code and replicating it to the community. When one instance is cracked, and it will be, then your server can cancel that hacked instance without affecting all of the other valid users. This will create a strong disincentive, because no two apps are the same, codewise ;-)
>
> Maybe we should start a service and offer Android publishers a secure distribution service, unlike the Market.
> There is no way to register (stamp an app with a phone id) downloads from the Market prior to installation.
> As it stands now publishers have no way to verify if their app was downloaded from the Market or copied and installed by other means.
>
> If there is I would like to know. I've asked but I never get replies regarding this advanced topic. Most publishers are still learning to just create apps, let alone seek out secure distribution and customer behavior--only Google enjoys this privilege, currently.
>
> Here's a method snippet for getting the unique ID and hashing it:
>
> // imports needed by the snippet
> import java.security.MessageDigest;
> import java.security.NoSuchAlgorithmException;
> import android.content.Context;
> import android.telephony.TelephonyManager;
> import android.text.TextUtils;
> import org.apache.commons.codec.binary.Base64; // Apache Commons Codec, not android.util.Base64
>
> /* call from an Activity (or anything else that is a Context) */
> String getPhoneID() {
>     MessageDigest digest;
>     try {
>         digest = MessageDigest.getInstance("SHA-1");
>     } catch (NoSuchAlgorithmException e) {
>         throw new RuntimeException("this should never happen", e);
>     }
>
>     String srvcName = Context.TELEPHONY_SERVICE;
>     TelephonyManager telephonyManager =
>         (TelephonyManager) getSystemService(srvcName);
>
>     /* requires READ_PHONE_STATE permission; may be null/empty on devices without telephony */
>     String deviceId = telephonyManager.getDeviceId();
>     if (TextUtils.isEmpty(deviceId)) {
>         return "";
>     }
>
>     /* SHA-1 the device ID, Base64 it, and keep the first 12 characters as the app's device key */
>     byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
>     String id = new String(Base64.encodeBase64(hashedDeviceId), 0, 12);
>     id = id.replaceAll("/", "_"); // keep the key safe for use in URLs and file names
>     return id;
> }
>
> On Nov 14, 7:12 am, jax <[email protected]> wrote:
> > I am wondering how I might go about securing a paid app on Android.
> >
> > I am thinking of selling the application from my own website via PayPal, however, how will I stop people from sharing it with their friends, etc. Does Android have any type of native support for this?

--
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
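The sign-and-verify launch check described in the quoted proposal, written out as an added plain-JDK example (not code from the thread): the server signs `hash|issued|expires` with its private key, and the app verifies that string with the embedded public key, then checks the device key and the time window. The class name `LaunchTokenDemo`, the RSA key pair, the 12-character device key and the timestamps are all constructed for the demo; the same check works unchanged if the key is derived from the Google account instead, as suggested above.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LaunchTokenDemo {
    /* Server side: sign "deviceHash|issuedAt|expiresAt" (epoch seconds) with the server's private key. */
    static String issueToken(PrivateKey serverKey, String deviceHash, long nowSec, long ttlSec)
            throws GeneralSecurityException {
        String payload = deviceHash + "|" + nowSec + "|" + (nowSec + ttlSec);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(serverKey);
        sig.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + Base64.getEncoder().encodeToString(sig.sign());
    }

    /* App side: verify the signature with the embedded public key first, then the device key and the window. */
    static boolean verifyToken(PublicKey embeddedKey, String token, String expectedHash, long nowSec)
            throws GeneralSecurityException {
        int cut = token.lastIndexOf('|');
        if (cut < 0) return false;                                // malformed token
        String payload = token.substring(0, cut);
        try {
            byte[] signature = Base64.getDecoder().decode(token.substring(cut + 1));
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(embeddedKey);
            sig.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!sig.verify(signature)) return false;             // forged or altered payload
            String[] parts = payload.split("\\|", -1);
            if (parts.length != 3 || !parts[0].equals(expectedHash)) return false; // issued for another device
            long issued = Long.parseLong(parts[1]), expires = Long.parseLong(parts[2]);
            return issued <= nowSec && nowSec < expires;          // stale or replayed tokens fail here
        } catch (IllegalArgumentException | SignatureException e) { // bad Base64, bad numbers, bad signature bytes
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();   // constructed for the demo; the app would embed only kp.getPublic()
        String deviceHash = "abc123DEF456";   // constructed 12-character device key
        long now = 1_700_000_000L;            // constructed "current time" on the server
        String token = issueToken(kp.getPrivate(), deviceHash, now, 60);
        System.out.println("fresh token:  " + verifyToken(kp.getPublic(), token, deviceHash, now + 10));
        System.out.println("after expiry: " + verifyToken(kp.getPublic(), token, deviceHash, now + 120));
        System.out.println("other device: " + verifyToken(kp.getPublic(), token, "zzz999ZZZ000", now + 10));
    }
}
```

The app clock is the weak point of the window check: a device whose clock is set back will keep accepting an old token, so the server should also keep the issued timestamp short-lived on its side.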

