[android-developers] Re: Securing a paid app
What would happen if someone gets a new Android phone? The app's
authentication will fail.
You should hash/key on the user's Google account, the same key that is
used by Android Market (you can download paid apps as often as you
want - once you've paid for them - based on your Google account).
On Nov 15, 2:32 am, android kracker <markamorris2...@gmail.com> wrote:
> Using the unique ID (hash) of the phone, register it with your web
> service on install.
> Then employ PKI to authenticate your app on each launch.
> On your web service sign a string containing the hash, timestamp, and
> a short expiration timestamp.
> Then have your app use your public key (in the app) to authenticate
> the string, verify the timestamps, and complete
> the launch if valid, otherwise abort the launch or offer the user to
> come clean and install.
> To prevent code modification--bypassing the check--don't include all
> of the code in the app.
> Keep some of it on the server and only send it to the app if the check
> takes place and passes the check.
> This way the app will not function correctly unless the check is
> performed and passes.
> Create a set of one-off methods (dummies that just pass through) that
> you can dynamically use with each app instance; since you
> are in control of the download (unlike Market publishers), you can
> dynamically build and package a unique app for each instance
> downloaded.
> This way no two apps use the same method and a hacker is up a creek as
> far as patching the code
> and replicating it to the community. When one instance is cracked, and
> it will be, then your server can cancel that hacked instance
> without affecting all of the other valid users. This will create a
> strong disincentive, because no two apps are the same, codewise ;-)
>
> Maybe we should start a service and offer Android publishers a secure
> distribution service, unlike the Market.
> There is no way to register (stamp an app with a phone id) downloads
> from the Market prior to installation.
> As it stands now publishers have no way to verify if their app was
> downloaded from the Market or copied and installed by other means.
>
> If there is I would like to know. I've asked but I never get replies
> regarding this advanced topic. Most publishers are still learning to
> just create apps, let alone seek out secure distribution and customer
> behavior--only Google enjoys this privilege, currently.
>
> Here's a method snippet for getting the unique ID and hashing it:
>
> import java.security.MessageDigest;
> import java.security.NoSuchAlgorithmException;
> import android.content.Context;
> import android.telephony.TelephonyManager;
> import android.text.TextUtils;
> import org.apache.commons.codec.binary.Base64; // Apache Commons Codec
>
> // Must live in an Activity (or another Context) so getSystemService() resolves.
> String getPhoneID() {
>     MessageDigest digest;
>     try {
>         digest = MessageDigest.getInstance("SHA-1");
>     } catch (NoSuchAlgorithmException e) {
>         throw new RuntimeException("this should never happen", e);
>     }
>
>     String srvcName = Context.TELEPHONY_SERVICE;
>     TelephonyManager telephonyManager =
>             (TelephonyManager) getSystemService(srvcName);
>
>     /* requires READ_PHONE_STATE permission */
>     String deviceId = telephonyManager.getDeviceId();
>     if (TextUtils.isEmpty(deviceId)) {
>         return "";
>     }
>
>     // SHA-1 the device id, Base64 the digest and keep the first 12 characters
>     byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
>     String id = new String(Base64.encodeBase64(hashedDeviceId), 0, 12);
>     id = id.replaceAll("/", "_");
>     return id;
> }
>
> On Nov 14, 7:12 am, jax <jackma...@gmail.com> wrote:
>
> > I am wondering how I might go about securing a paid app on Android.
>
> > I am thinking of selling the application from my own website via
> > PayPal, however, how will I stop people from sharing it with their
> > friends etc. Does Android have any type of native support for this?
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
