[android-developers] Extending or replacing existing Android Appa
I copied the Launcher source code from the master (Git) Android source and created an Eclipse Android 1.6 project using existing code. Several Java problems exist relating to fields that can not be resolved. For example: Workspace.java and several other classes have "mScrollX cannot be resolved" problems. mScrollX is a field in the View class and Workspace extends ViewGroup, which extends View. Also, the View class is imported. Question 1: Why is this not resolved? Upon examining the contents of the SDK 1.6 android.jar, I see the implementation of View in the android.jar is nothing like the master Git Android source code for View. All of the View methods in the SDK 1.6 version of View only contain a "throw new RuntimeException ( "Stub!" )" statement. Question 2: What's happening here? Question 3: How do I pull app source code from the master Git and pull it into Eclipse to either extend it, refactor it, of derive a new app from it? Thanks. -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: Securing a paid app
Using the unique ID (hash) of the phone, register it with your web service on install. Then employ PKI to authenticate your app on each launch. On your web service sign a string containing the hash, timestamp, and a short expiration timestamp. Then have your app use your public key (in the app) to authenticate the string, verify the timestamps, and complete the launch if valid, otherwise abort the launch or offer the user to come clean and install. To prevent code modification--bypassing the check--don't include all of the code in the app. Keep some of it on the server and only send it to the app if the check takes place and passes the check. This way the app will not function correctly unless the check is performed and passes. Create a set of one-off methods (dummys that just pass through) that you can dynamically use with each app instance; since you are in control of the download (unlike Market publishers), you can dynamically build and package a unique app for each instance downloaded. This way no two apps use the same method and a hacker is up a creek as far a patching the code and replicating it to the community. When one instance is cracked, and it will be, then your server can cancel that hacked instance without effecting all of the other valid users. This will create a string disincentive, because no two app are the same, codewise ;-) Maybe we should start a service and offer Android publishers a secure distribution service, unlike the Market. There is no way to register (stamp an app with a phone id) downloads from the Market prior to installation. As it stands now publishers have no way to verify if their app was downloaded from the Market or copied and installed by other means. If there is I would like to know. I've asked but I never get replies regarding this advanced topic. Most publishers are still learning to just create apps, let alone seek out secure distribution and customer behavior--only Google enjoys this privilege, currently. Here's a method snippet for getting the unique ID and hashing it: String getPhoneID(){ MessageDigest digest; try { digest = MessageDigest.getInstance("SHA-1"); } catch (NoSuchAlgorithmException e) { throw new RuntimeException("this should never happen"); } String srvcName = Context.TELEPHONY_SERVICE; TelephonyManager telephonyManager = (TelephonyManager)getSystemService(srvcName); /* requires READ_PHONE_STATE permission */ String deviceId = telephonyManager.getDeviceId(); if (TextUtils.isEmpty(deviceId)) { return ""; } byte[] hashedDeviceId = digest.digest(deviceId.getBytes()); String id = new String(Base64.encodeBase64(hashedDeviceId), 0, 12); id = id.replaceAll("/", "_"); return id; } On Nov 14, 7:12 am, jax wrote: > I am wondering how I might go about securing a paid app on Android. > > I am thinking of selling the application from my own website via > PayPal, however, how will I stop people from sharing it with their > friends etc. Does Android have any type of native support for this? -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] SDK contents re: com.android.vending
Where is the source tree for the package: com.android.vending...? Also, is there a link explaining why this is not in the public source tree available via Git? Is it, only because of the dev phones? Doesn't stop rooted phones or eventual reversing. If it is not available to developers, but only phone manufacturers, why is it in the open source package com.android and not in com.google.android instead, because it is not open source? Please correct me, if I’m misguided. Why I ask and my diatribe: I've installed the Android source code via Git and have successfully executed make. As a developer, I want to totally understand the vending code, the Market interface, and the client-side operation of the Market app. I want to understand the limitations and vulnerabilities surrounding app publishing and how to secure applications from being pirated (I may even want to create a new Market app.) Yea, I know it’s a pipe dream, but at least, I can try to limit pirating to only the most determined and brightest pirates. I need to find a way to automatically link a downloaded app to a phone, and possibly a customer. I want to be able to employ a callback design and auto-register an app upon download, creating a unique app instance per phone. If the app is pulled and installed into another phone then the app will not function correctly, because it is not on the correct phone. Possible? Sure it is. I just need to determine where the Market fits into this story and design for or around it. It would be nice if the Market had a callback feature for vendors to employ, so vendors could serialize there apps and generate a license key incorporating the phone's serial number. Problem is there is no way to stop a hacker from getting your app and cracking it. They don’t even need a phone to access the market, because the emulator can be engineered to access the market and download apps. And if not the emulator then a rooted phone can introspect and capture all I/O and traces of market interfacing too. This means vendors should use the market as a proxy to the real app and force the user to download missing code which requires the phones serial number to unlock the app, which has dynamically generated code embedded that only runs on that phone. There are several ways to accomplish this. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---