I've sure seen a lot of posts lately about piracy and protection, and
really IMO I think the anxiety about this is a little too high at the
moment.

The fact is no matter what you do, you will have piracy. If you spend
all of your time fretting about it you are never going to get
anywhere. Also, as an experienced end user, I find it annoying when a
program interrogates me for information of some sort, or if it locks
itself to one device, mainly because of unforeseen circumstances moving
forward. There will always be a customer who ends up screwed because
of the protection!

In my opinion it's better to spend your time providing useful features
to customers, and making an app that is fun and easy to use. If you
focus on this you will still get enough customers to give a decent
income off the app.

Especially in the mobile market when really I don't think your average
phone user knows how to get and install a "cracked" app anyway.
Experienced users may, but you won't necessarily disable their ability
to do so even with protection.

Really all software protection does is hurt the valid customers more
than anything.

Now, can we perhaps take time to actually contribute useful ideas and/
or code to the forums for a change? All I see lately is complaining in
one form or another. This has to be the most negative board I've ever
read...it really bums me out to read anything here lately! It's
killing my enthusiasm! C'mon devs, let's get happy for a
change!!!!!!!!!!


-niko

On Nov 17, 9:03 am, Streets Of Boston <[email protected]> wrote:
> What would happen if someone gets a new android phone? The app's
> authentication will fail.
>
> You should hash/key on the user's google-account, the same key that is
> used by Android Market (you can download paid apps as often as you
> want - once you paid for them - based on your google-account)
>
> On Nov 15, 2:32 am, android kracker <[email protected]> wrote:
>
> > Using the unique ID (hash) of the phone, register it with your web
> > service on install.
> > Then employ PKI to authenticate your app on each launch.
> > On your web service sign a string containing the hash, timestamp, and
> > a short expiration timestamp.
> > Then have your app use your public key (in the app) to authenticate
> > the string, verify the timestamps, and complete
> > the launch if valid, otherwise abort the launch or offer the user to
> > come clean and install.
> > To prevent code modification--bypassing the check--don't include all
> > of the code in the app.
> > Keep some of it on the server and only send it to the app if the check
> > takes place and passes the check.
> > This way the app will not function correctly unless the check is
> > performed and passes.
> > Create a set of one-off methods (dummies that just pass through) that
> > you can dynamically use with each app instance; since you
> > are in control of the download (unlike Market publishers), you can
> > dynamically build and package a unique app for each instance
> > downloaded.
> > This way no two apps use the same method and a hacker is up a creek as
> > far as patching the code
> > and replicating it to the community. When one instance is cracked, and
> > it will be, then your server can cancel that hacked instance
> > without affecting all of the other valid users. This will create a
> > strong disincentive, because no two apps are the same, codewise ;-)
>
> > Maybe we should start a service and offer Android publishers a secure
> > distribution service, unlike the Market.
> > There is no way to register (stamp an app with a phone id) downloads
> > from the Market prior to installation.
> > As it stands now publishers have no way to verify if their app was
> > downloaded from the Market or copied and installed by other means.
>
> > If there is I would like to know. I've asked but I never get replies
> > regarding this advanced topic. Most publishers are still learning to
> > just create apps, let alone seek out secure distribution and customer
> > behavior--only Google enjoys this privilege, currently.
>
> > Here's a method snippet for getting the unique ID and hashing it:
>
> > String getPhoneID(){
> >         MessageDigest digest;
> >         try {
> >             digest = MessageDigest.getInstance("SHA-1");
> >         } catch (NoSuchAlgorithmException e) {
> >             throw new RuntimeException("this should never happen");
> >         }
>
> >         String srvcName = Context.TELEPHONY_SERVICE;
> >         TelephonyManager telephonyManager =
> >           (TelephonyManager)getSystemService(srvcName);
>
> >         /* requires READ_PHONE_STATE permission */
> >         String deviceId = telephonyManager.getDeviceId();
> >         if (TextUtils.isEmpty(deviceId)) {
> >             return "";
> >         }
>
> >         byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
> >         String id = new String(Base64.encodeBase64(hashedDeviceId), 0, 12);
> >         id = id.replaceAll("/", "_");
> >         return id;
>
> > }
>
> > On Nov 14, 7:12 am, jax <[email protected]> wrote:
>
> > > I am wondering how I might go about securing a paid app on Android.
>
> > > I am thinking of selling the application from my own website via
> > > PayPal, however, how will I stop people from sharing it with their
> > > friends etc.  Does Android have any type of native support for this?
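
The launch check proposed in the quoted messages (the web service signs an ID hash plus issue and expiry timestamps, and the app verifies that with an embedded public key), as an added example that is not code from anyone in this thread. The `LaunchTokenCheck` class, the `idHash|issuedAt|expiresAt` payload layout, the SHA256withRSA choice and the sample ID values are assumptions; it uses plain `java.util.Base64` so it runs on a desktop JVM.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LaunchTokenCheck {
    // Assumed payload layout: "<idHash>|<issuedAtMillis>|<expiresAtMillis>".
    // The signature is checked first, so unsigned input is never parsed as trusted.
    static boolean verify(PublicKey serverKey, String payload, String sigB64,
                          String localIdHash, long nowMillis) {
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(serverKey);
            v.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!v.verify(Base64.getDecoder().decode(sigB64))) return false;
            String[] f = payload.split("\\|");
            if (f.length != 3) return false;
            long issued = Long.parseLong(f[1]);
            long expires = Long.parseLong(f[2]);
            boolean sameId = MessageDigest.isEqual(
                    f[0].getBytes(StandardCharsets.UTF_8),
                    localIdHash.getBytes(StandardCharsets.UTF_8));
            return sameId && issued <= nowMillis && nowMillis < expires;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // bad Base64, bad number or bad signature encoding: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: this key pair stands in for the web service's key.
        // A shipped app would contain only the public half.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        long now = System.currentTimeMillis();
        String id = "c2FtcGxlSGFzaA"; // constructed sample ID hash
        String payload = id + "|" + now + "|" + (now + 60_000);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getEncoder().encodeToString(s.sign());

        PublicKey pub = kp.getPublic();
        System.out.println("valid token:   " + verify(pub, payload, sig, id, now));
        System.out.println("other device:  " + verify(pub, payload, sig, "b3RoZXJQaG9uZQ", now));
        System.out.println("after expiry:  " + verify(pub, payload, sig, id, now + 120_000));
        System.out.println("edited payload: " + verify(pub, payload.replace(id, "eHh4"), sig, "eHh4", now));
    }
}
```

The expiry comparison trusts the device clock, and the whole check runs in code on the user's device, which is why the quoted proposal goes on to keep part of the app on the server.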

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.