On Thu, Nov 17, 2011 at 7:50 PM, Ricardo Amaral <mas...@ricardoamaral.net> wrote: > I was thinking of implementing a coupon based system for my app so I could > offer some copies of the full version to some people. I found blog article > which provided the server code (to install on Google AppEngine) and the > client code to use on the app. I looked at the source code and realized the > way the system works (after the coupon has been validated and activated) is > with a simple a boolean variable with SharedPreferences. > > 1) My main question about this is, how safe is this? How easily is the > SharedPreferences file hackable on rooted devices to change that boolean > flag and "convert" an app to a full version even without a coupon code?
It's not safe. > I'm talking about coupons here but they don't really matter. I thought about > using SharedPreferences before to handle a similar situation (ie: boolean > variable to control if the app is the full version or not). So the question > is really about SharedPreferences and how safe are they to control the > free/paid version of an app based on a boolean flag. If they are not safe, > is there any other way? Use the account manager. Ask the user to create an account and save the boolean variable along with the account credentials. Be warned, however, that for security reasons apps installed on the SD card will have their accounts removed each time the SD card is unmounted/mounted (including power-switching the device). > 2) My second question and now related to the coupons system but we can look > at this as validating and activating an app through the Internet. The idea > is that I just want to activate the full version of my app to someone, > temporarily, some sort of a trial. > > The problem is the deactivating part. Let's say I disable the full version > for a specific device on the validation server. If the user doesn't open my > app while connected to the Internet, the app will always be on "full mode" > and there's nothing I can do about it. Or is there? This can be managed at the server side, revoking the user account. -- "The flames are all long gone, but the pain lingers on" -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
