You've pretty much got the major parts down. We validate with Google market servers using a hand-rolled and highly-efficient implementation of Google's binary protobuf protocol. Once the hard part (validation of purchase) is done, a unique key that is tied to user, phone, and app is generated, which is valid for a bit more than 24 hours. After that 24 hour period, purchase validation is done again, and then a "permanent" key is generated that doesn't require communication with the server again for that installation of the app on that phone.
If the user changes phones, the same process will repeat. Successful licensing requires visibility of the app from the device on Android market, given the device id, build number and other criteria. AAL makes efforts to never send a request to the server more than once every 30 seconds.

Failure policy is up to the developer. I suggest at this point using a "nag" policy, which won't lock the user out, but forces them to stare at a "buy my app" invitation for some configurable period of time. As with all of my software however, things like this are configurable.

There are also other features that I'm not going to cover here that make an attempt to detect cracking, and disable the app at some random time in the future if it is detected. I'm going to be iterating on this stuff over the next few weeks as the evil-doers take swings at AAL.

Hope that helps! I'm going to be scrambling to write docs this weekend. At this point there seems to be lots of interest, but little willingness to bundle in apps. I suppose I understand that given the newness and the lack of detailed information.

Dave

On May 6, 2:22 am, Edward Falk <[email protected]> wrote:
> Intriguing. I was wondering if maybe you could add a blurb to your
> web site explaining in simple terms how it works. E.g. "when the API
> is called, it communicates with the Android Market to verify your key;
> once verified, the verification code is remembered so that no further
> calls to the market are needed." Or perhaps instead of "Android
> Market", it's "our servers". Or whatever. How *does* it work?
>
> And if it's your servers (or even the Android Market), what happens to
> users when the servers go down? This is the biggest problem with any
> kind of server-based DRM. Do they lose their apps? Is there an
> alternative recovery plan?
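
The caching policy described in the reply above (a provisional key lasting a bit more than 24 hours, a permanent key after the second successful validation, at most one server request per 30 seconds, and a "nag" failure policy), modelled as an added example that is not AAL's code. The HMAC key derivation, the `secret`, the 25-hour lifetime and all names are assumptions; the post does not say how the key is derived.

```python
import hashlib
import hmac

PROVISIONAL_TTL = 25 * 3600   # assumption for "a bit more than 24 hours"
MIN_REQUEST_GAP = 30          # from the post: one server request per 30 seconds


def bind_key(secret: bytes, user: str, device: str, app: str, expires: int) -> str:
    """Key tied to user, phone and app; expires == 0 marks the permanent key."""
    msg = "\x00".join([user, device, app, str(expires)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class License:
    def __init__(self, secret, user, device, app, validate):
        self.secret, self.ident = secret, (user, device, app)
        self.validate = validate   # hypothetical callable: asks the server, returns bool
        self.key, self.expires, self.last_request = None, None, None

    def _key_ok(self, now: int) -> bool:
        if self.key is None:
            return False
        expected = bind_key(self.secret, *self.ident, self.expires)
        fresh = self.expires == 0 or now < self.expires
        return fresh and hmac.compare_digest(self.key, expected)

    def check(self, now: int) -> str:
        if self._key_ok(now):
            return "licensed"       # cached key still good: no network traffic
        throttled = (self.last_request is not None
                     and now - self.last_request < MIN_REQUEST_GAP)
        if throttled:
            return "nag"            # too soon to ask the server again
        self.last_request = now
        if not self.validate(*self.ident):
            return "nag"            # failure policy from the post: nag, no lockout
        # First success issues the provisional key; a success after it
        # lapses issues the permanent one.
        self.expires = 0 if self.expires else now + PROVISIONAL_TTL
        self.key = bind_key(self.secret, *self.ident, self.expires)
        return "licensed"
```

A server outage during the provisional window has no effect on the user; an outage after it lapses produces the nag state until one validation succeeds.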

