[android-developers] Re: Securing a paid app

2009-12-06 Thread Andrei
Do you guys think that asking the user to enter an Order number is going to
be too much hassle?

On Dec 6, 7:00 am, jax  wrote:
> Agreed, I don't want to get into any trouble.
>
> What about storing a hash of the IMEI?  Then I am unable to identify
> the actual IMEI that was used, but I am still able to validate.
>
> On Nov 23, 10:53 pm, "Fred Grott (Android Expert, http://mobilebytes.wordpress.com)" wrote:
>
> > I agree, getting the IMEI to store on a server not in the telecom's control is a bad
> > idea, both security-wise and legally.
>
> > Fred Grott
> > Android Developer | http://mobilebytes.wordpess.com |
> > http://twitter.com/sharemefg | http://www.linkedin.com/in/shareme |
> > gtalk: fred.grott | skype: fred.grott | googlewave:
> > fred.gr...@googlewave.com |
> > gmail:fred.gr...@gmail.com
>
> > On Nov 23, 9:23 am, David Given  wrote:
>
> > > jax wrote:
>
> > > [...]
>
> > > > How would I go about generating the hash code?  I am intending on
> > > > using the IMEI.
>
> > > If you're in the UK and you want to keep track of customers' IMEIs, you
> > > may need to get legal advice --- there's a good chance you'll be liable
> > > under the Data Protection Act (as you're storing personally identifiable
> > > information).
>
> > > --
> > > ┌─── dg@cowlark.com ─http://www.cowlark.com─
> > > │
> > > │ "Sufficiently advanced incompetence is indistinguishable from
> > > │ malice." -- Vernon Schryver

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en


[android-developers] Re: Securing a paid app

2009-12-06 Thread jax
Agreed, I don't want to get into any trouble.

What about storing a hash of the IMEI?  Then I am unable to identify
the actual IMEI that was used, but I am still able to validate.



On Nov 23, 10:53 pm, "Fred Grott (Android Expert, http://mobilebytes.wordpress.com)" wrote:
> I agree, getting the IMEI to store on a server not in the telecom's control is a bad
> idea, both security-wise and legally.
>
> Fred Grott
> Android Developer | http://mobilebytes.wordpess.com |
> http://twitter.com/sharemefg | http://www.linkedin.com/in/shareme |
> gtalk: fred.grott | skype: fred.grott | googlewave:
> fred.gr...@googlewave.com |
> gmail:fred.gr...@gmail.com
>
> On Nov 23, 9:23 am, David Given  wrote:
>
> > jax wrote:
>
> > [...]
>
> > > How would I go about generating the hash code?  I am intending on
> > > using the IMEI.
>
> > If you're in the UK and you want to keep track of customers' IMEIs, you
> > may need to get legal advice --- there's a good chance you'll be liable
> > under the Data Protection Act (as you're storing personally identifiable
> > information).
>
> > --
> > ┌─── dg@cowlark.com ─http://www.cowlark.com─
> > │
> > │ "Sufficiently advanced incompetence is indistinguishable from
> > │ malice." -- Vernon Schryver



[android-developers] Re: Securing a paid app

2009-11-23 Thread Fred Grott(Android Expert, http://mobilebytes.wordpress.com)
I agree, getting the IMEI to store on a server not in the telecom's control is a bad
idea, both security-wise and legally.

Fred Grott
Android Developer | http://mobilebytes.wordpess.com |
http://twitter.com/sharemefg | http://www.linkedin.com/in/shareme |
gtalk: fred.grott | skype: fred.grott | googlewave:
fred.gr...@googlewave.com |
gmail:fred.gr...@gmail.com




On Nov 23, 9:23 am, David Given  wrote:
> jax wrote:
>
> [...]
>
> > How would I go about generating the hash code?  I am intending on
> > using the IMEI.
>
> If you're in the UK and you want to keep track of customers' IMEIs, you
> may need to get legal advice --- there's a good chance you'll be liable
> under the Data Protection Act (as you're storing personally identifiable
> information).
>
> --
> ┌─── dg@cowlark.com ─http://www.cowlark.com─
> │
> │ "Sufficiently advanced incompetence is indistinguishable from
> │ malice." -- Vernon Schryver



Re: [android-developers] Re: Securing a paid app

2009-11-23 Thread David Given

jax wrote:
[...]
> How would I go about generating the hash code?  I am intending on
> using the IMEI.

If you're in the UK and you want to keep track of customers' IMEIs, you
may need to get legal advice --- there's a good chance you'll be liable
under the Data Protection Act (as you're storing personally identifiable
information).

--
┌─── dg@cowlark.com ─ http://www.cowlark.com ─
│
│ "Sufficiently advanced incompetence is indistinguishable from
│ malice." -- Vernon Schryver



[android-developers] Re: Securing a paid app

2009-11-23 Thread jax
How do you get hold of the user's Google account from your app?



On Nov 17, 10:03 pm, Streets Of Boston 
wrote:
> What would happen if someone gets a new android phone? The app's
> authentication will fail.
>
> You should hash/key on the user's google-account, the same key that is
> used by Android Market (you can download paid apps as often as you
> want - once you paid for them - based on your google-account)
>
> On Nov 15, 2:32 am, android kracker  wrote:
>
> > Using the unique ID (hash) of the phone, register it with your web
> > service on install.
> > Then employ PKI to authenticate your app on each launch.
> > On your web service sign a string containing the hash, timestamp, and
> > a short expiration timestamp.
> > Then have your app use your public key (in the app) to authenticate
> > the string, verify the timestamps, and complete
> > the launch if valid, otherwise abort the launch or offer the user to
> > come clean and install.
> > To prevent code modification--bypassing the check--don't include all
> > of the code in the app.
> > Keep some of it on the server and only send it to the app if the check
> > takes place and passes the check.
> > This way the app will not function correctly unless the check is
> > performed and passes.
> > Create a set of one-off methods (dummies that just pass through) that
> > you can dynamically use with each app instance; since you
> > are in control of the download (unlike Market publishers), you can
> > dynamically build and package a unique app for each instance
> > downloaded.
> > This way no two apps use the same method and a hacker is up a creek as
> > far as patching the code
> > and replicating it to the community. When one instance is cracked, and
> > it will be, then your server can cancel that hacked instance
> > without affecting all of the other valid users. This will create a
> > strong disincentive, because no two apps are the same, codewise ;-)
>
> > Maybe we should start a service and offer Android publishers a secure
> > distribution service, unlike the Market.
> > There is no way to register (stamp an app with a phone id) downloads
> > from the Market prior to installation.
> > As it stands now publishers have no way to verify if their app was
> > downloaded from the Market or copied and installed by other means.
>
> > If there is I would like to know. I've asked but I never get replies
> > regarding this advanced topic. Most publishers are still learning to
> > just create apps, let alone seek out secure distribution and customer
> > behavior--only Google enjoys this privilege, currently.
>
> > Here's a method snippet for getting the unique ID and hashing it:
>
> > import java.security.MessageDigest;
> > import java.security.NoSuchAlgorithmException;
> > import android.content.Context;
> > import android.telephony.TelephonyManager;
> > import android.text.TextUtils;
> > import org.apache.commons.codec.binary.Base64; // Apache Commons Codec, not android.util.Base64
> >
> > /* Lives in an Activity, since getSystemService() is a Context method. */
> > String getPhoneID(){
> >         MessageDigest digest;
> >         try {
> >             digest = MessageDigest.getInstance("SHA-1");
> >         } catch (NoSuchAlgorithmException e) {
> >             throw new RuntimeException("this should never happen");
> >         }
>
> >         String srvcName = Context.TELEPHONY_SERVICE;
> >         TelephonyManager telephonyManager =
> >           (TelephonyManager)getSystemService(srvcName);
>
> >         /* requires READ_PHONE_STATE permission; null on devices without telephony */
> >         String deviceId = telephonyManager.getDeviceId();
> >         if (TextUtils.isEmpty(deviceId)) {
> >             return "";
> >         }
>
> >         /* first 12 chars of the Base64 SHA-1 digest; standard Base64 may also contain '+' */
> >         byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
> >         String id = new String(Base64.encodeBase64(hashedDeviceId), 0,
> > 12);
> >         id = id.replaceAll("/", "_");
> >         return id;
>
> > }
>
> > On Nov 14, 7:12 am, jax wrote:
>
> > > I am wondering how I might go about securing a paid app on Android.
>
> > > I am thinking of selling the application from my own website via
> > > PayPal, however, how will I stop people from sharing it with their
> > > friends etc.  Does Android have any type of native support for this?
>
>



[android-developers] Re: Securing a paid app

2009-11-23 Thread jax
I am still trying to get my head around this.

How would I go about generating the hash code?  I am intending on
using the IMEI.

Do I need public private keys?

confused...

On Nov 15, 3:39 am, Pooper  wrote:
> What you can do is make your user enter serial #, the serial number
> could
> be a hashing function that you come up with that takes the device id
> (could be the imei number)
> the application could then check if the serial/hash code matches for
> that device.  This would
> require your customer to send you his/her imei # or another unique #
> associated with the device so that
> you can generate the serial code for that device.
>
> You can also implement a two step method so that the customer can't
> accidentally enter their imei incorrectly by mistake.
>
> To do it this way you would generate a "Request For Serial Number
> Code" and store this code in your database.  The customer
> enters this code in their phone, your phone connects to your web
> server sends the "Request for Serial number code" and the
> IMEI number of the phone with it.  Your server generates the hash/
> serial and sends it back to the phone.  You can then mark
> the "Request for serial number code" as used so that they can not use
> it for another device.  This is the method I use for my
> applications.
>
> On Nov 14, 8:39 am, jax wrote:
>
> > Yes, that is why I have posted the question because I don't know how
> > to do it.
>
> > Has anyone done this before or know of a method for achieving this?
>
> > On Nov 14, 10:23 pm, Andrei  wrote:
>
> > > What you want to do is tie your app to one device.
> > > How you do it is up to you.
>
> > > On Nov 14, 7:12 am, jax wrote:
>
> > > > I am wondering how I might go about securing a paid app on Android.
>
> > > > I am thinking of selling the application from my own website via
> > > > PayPal, however, how will I stop people from sharing it with their
> > > > friends etc.  Does Android have any type of native support for this?
>
>

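The signed per-launch token that android kracker outlines above (the server signs the device hash plus an issue and an expiry timestamp; the app verifies it with the public key it ships with) and Pooper's one-time "Request For Serial Number Code", worked through end to end as an added example. This is not code from the thread: the LicenseServer class, the token layout and the two sample IMEIs are assumptions, and the device id is passed in as a parameter rather than read from TelephonyManager so the whole thing runs on a plain JVM.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

public class LaunchTokenDemo {

    /* Hypothetical stand-in for the publisher's web service. */
    static final class LicenseServer {
        private final KeyPair keys;                          // private key never leaves the server
        private final SecureRandom rng = new SecureRandom();
        private final Set<String> openRequestCodes = new HashSet<>();
        private final Set<String> registeredDevices = new HashSet<>();

        LicenseServer(KeyPair keys) { this.keys = keys; }

        /* Step 1 of the two-step flow: a one-time request code handed to the buyer after payment. */
        String issueRequestCode() {
            byte[] raw = new byte[9];
            rng.nextBytes(raw);
            String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            openRequestCodes.add(code);
            return code;
        }

        /* Step 2: the phone sends the code with its device hash; the code is burned on first use,
           so one purchase cannot later be bound to a second device. */
        boolean redeem(String requestCode, String deviceHash) {
            if (!openRequestCodes.remove(requestCode)) return false;   // unknown or already used
            registeredDevices.add(deviceHash);
            return true;
        }

        /* Per-launch token "<deviceHash>|<issued>|<expires>|<sig>", signed with the server key.
           Returns null for a device that is not (or no longer) registered. */
        String issueLaunchToken(String deviceHash, long nowSec, long ttlSec) throws GeneralSecurityException {
            if (!registeredDevices.contains(deviceHash)) return null;
            String payload = deviceHash + "|" + nowSec + "|" + (nowSec + ttlSec);
            Signature signer = Signature.getInstance("SHA256withRSA");
            signer.initSign(keys.getPrivate());
            signer.update(payload.getBytes(StandardCharsets.UTF_8));
            return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(signer.sign());
        }
    }

    /* App side. On a phone the id would come from TelephonyManager.getDeviceId(); it is a parameter
       here so the logic runs on a desktop JVM. Hashing a 15-digit IMEI does not anonymise it (the
       input space is small enough to enumerate), so the server must still treat the hash as personal data. */
    static String deviceHash(String deviceId) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(deviceId.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest).substring(0, 16);
    }

    /* Check the signature with the public key shipped in the APK, then the device binding and the
       time window. Anything malformed counts as invalid rather than throwing. */
    static boolean verifyLaunchToken(String token, String myDeviceHash, long nowSec, PublicKey serverPub) {
        if (token == null) return false;
        String[] p = token.split("\\|");
        if (p.length != 4) return false;
        try {
            String payload = p[0] + "|" + p[1] + "|" + p[2];
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(serverPub);
            verifier.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(Base64.getUrlDecoder().decode(p[3]))) return false;
            long issued = Long.parseLong(p[1]);
            long expires = Long.parseLong(p[2]);
            return p[0].equals(myDeviceHash) && issued <= nowSec && nowSec < expires;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;   // bad signature encoding, wrong key type, or non-numeric timestamps
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        LicenseServer server = new LicenseServer(kpg.generateKeyPair());
        PublicKey appEmbeddedKey = server.keys.getPublic();      // the only key material in the app

        String myHash = deviceHash("490154203237518");           // constructed sample IMEI
        String otherHash = deviceHash("490154203237519");        // a second, constructed device
        String code = server.issueRequestCode();
        System.out.println("redeem code once:      " + server.redeem(code, myHash));
        System.out.println("replay code elsewhere: " + server.redeem(code, otherHash));

        long now = 1_259_000_000L;                               // fixed clock for a repeatable run
        String token = server.issueLaunchToken(myHash, now, 300);
        System.out.println("fresh token:           " + verifyLaunchToken(token, myHash, now + 10, appEmbeddedKey));
        System.out.println("same token, 5 min on:  " + verifyLaunchToken(token, myHash, now + 300, appEmbeddedKey));
        String[] t = token.split("\\|");
        String moved = otherHash + "|" + t[1] + "|" + t[2] + "|" + t[3];   // payload edited, signature kept
        System.out.println("token moved to device: " + verifyLaunchToken(moved, otherHash, now + 10, appEmbeddedKey));
        System.out.println("unregistered device:   " + verifyLaunchToken(
                server.issueLaunchToken(otherHash, now, 300), otherHash, now + 10, appEmbeddedKey));
    }
}
```

Only the public key is inside the app, so a patched client can skip the check but cannot mint tokens for other devices; the server-side set of registered devices is what lets a cancelled instance be cut off without touching other buyers.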


[android-developers] Re: Securing a paid app

2009-11-17 Thread nEx.Software
By reducing the number of pirated copies, you are not necessarily
increasing your paid copies.
I'd rather see it go from 4:1 to 4:4 or even 4:1 to 1:4. Just
saying... :)

I'm going to go do some developing now. :)

On Nov 17, 10:20 am, "admin.androidsl...@googlemail.com"
 wrote:
> No anti-piracy system is perfect. That's why I said 100% protection was
> unachievable.
>
> What I am saying is we need some way to get over the hump of 0%
> protection. Even if we just had a shared system where we had the level
> of protection of apps, e.g. MyBackup and CoPilot currently have, then
> at least we are moving in the right direction.
>
> There's a lot of posts on this subject because it's something that
> bothers a lot of application developers. If you're happy to find your
> app every day on rapidshare, that's your decision, but if a big enough
> group of us want to pool our resources to reduce piracy, then that's
> our decision too.
>
> Current estimated ratio is 4 pirated copies to 1 purchased copy. If we
> could reduce this to even 3:1 or 2:1, that would be a very worthwhile
> investment of everyone's time.



[android-developers] Re: Securing a paid app

2009-11-17 Thread strazzere
You know the piracy rate of MyBackup and CoPilot is probably much
higher than 4:1, right?

I'm not sure where you get your statistics from, but while you notice
apk files are easy to find - among the easier are those exact apps
that you think have a good level of security.

The point is they have *good* applications people are willing to pay
for, and a "level" of protection, yet people *still* can get their
applications just as easily as yours.

-Tim Strazzere

On Nov 17, 12:20 pm, "admin.androidsl...@googlemail.com"
 wrote:
> No anti-piracy system is perfect. That's why I said 100% protection was
> unachievable.
>
> What I am saying is we need some way to get over the hump of 0%
> protection. Even if we just had a shared system where we had the level
> of protection of apps, e.g. MyBackup and CoPilot currently have, then
> at least we are moving in the right direction.
>
> There's a lot of posts on this subject because it's something that
> bothers a lot of application developers. If you're happy to find your
> app every day on rapidshare, that's your decision, but if a big enough
> group of us want to pool our resources to reduce piracy, then that's
> our decision too.
>
> Current estimated ratio is 4 pirated copies to 1 purchased copy. If we
> could reduce this to even 3:1 or 2:1, that would be a very worthwhile
> investment of everyone's time.



[android-developers] Re: Securing a paid app

2009-11-17 Thread admin.androidsl...@googlemail.com
No anti-piracy system is perfect. That's why I said 100% protection was
unachievable.

What I am saying is we need some way to get over the hump of 0%
protection. Even if we just had a shared system where we had the level
of protection of apps, e.g. MyBackup and CoPilot currently have, then
at least we are moving in the right direction.

There's a lot of posts on this subject because it's something that
bothers a lot of application developers. If you're happy to find your
app every day on rapidshare, that's your decision, but if a big enough
group of us want to pool our resources to reduce piracy, then that's
our decision too.

Current estimated ratio is 4 pirated copies to 1 purchased copy. If we
could reduce this to even 3:1 or 2:1, that would be a very worthwhile
investment of everyone's time.



[android-developers] Re: Securing a paid app

2009-11-17 Thread strazzere
If you're looking at it from this perspective, then maybe you shouldn't
continue developing?

Unless you're developing a program that is SaaS where data is kept
primarily on a server, you're /not/ going to keep your program from
being pirated.

I don't agree with people who are pirating apps, but I also don't
believe people who pirate most of their applications would be
buying them if there was some magical protection available. The
applications I had published have been pirated countless times; I
actually find no reviews for my applications, just hotlinks to
rapidshare and mediafire. Though that hasn't stopped me from getting
my money's worth from the applications.

Honestly, with the stuff you're posting and the amount of protection you're
wanting - I feel you need to just not release your applications. Have
people come directly to you, purchase a tailor-made application with
a million identifiers for who bought it and give it to them. Then when
it leaks out you know who to blame. Or, proceed like every other
developer so far, release it, make money, "lose" money and figure out
there are always kids who won't pay a dime for things... Cause it's
"cool" to do it.

Besides, the tougher you make your protection (no matter how worthless
or cheap the app is) the more interesting you're making it for a reverse
engineer to pull it apart.

On Nov 17, 10:35 am, "admin.androidsl...@googlemail.com"
 wrote:
> Disagree. The problem with Android Market is that it doesn't even
> attempt to solve the piracy issue. I agree that 100% protection is
> impossible but devs right now have 0% protection.
>
> Don't believe me? Search for any popular Android app on google - you
> will find as many links to pirated apk's for that app as you will find
> genuine review / discussion / marketing links etc. So an average phone
> user will find cracked copies if that's the road they want to go down.
>
> Of course devs would rather be writing new features but with reports
> of 4 pirated copies to 1 legitimate copy turning out to be true, this
> does dampen one's enthusiasm to write updates just to give them out
> straight away to the freeloading pirates.



[android-developers] Re: Securing a paid app

2009-11-17 Thread admin.androidsl...@googlemail.com
Disagree. The problem with Android Market is that it doesn't even
attempt to solve the piracy issue. I agree that 100% protection is
impossible but devs right now have 0% protection.

Don't believe me? Search for any popular Android app on google - you
will find as many links to pirated apk's for that app as you will find
genuine review / discussion / marketing links etc. So an average phone
user will find cracked copies if that's the road they want to go down.

Of course devs would rather be writing new features but with reports
of 4 pirated copies to 1 legitimate copy turning out to be true, this
does dampen one's enthusiasm to write updates just to give them out
straight away to the freeloading pirates.



[android-developers] Re: Securing a paid app

2009-11-17 Thread niko20
I've sure seen a lot of posts lately about piracy and protection, and
really IMO I think the anxiety about this is a little too high at the
moment.

The fact is no matter what you do, you will have piracy. If you spend
all of your time fretting about it you are never going to get
anywhere. Also, as an experienced end user, I find it annoying when a
program interrogates me for information of some sort, or if it locks
itself to one device, mainly because of unforeseen circumstances moving
forward. There will always be a customer who ends up screwed because
of the protection!

In my opinion it's better to spend your time providing useful features
to customers, and making an app that is fun and easy to use. If you
focus on this you will still get enough customers to give a decent
income off the app.

Especially in the mobile market when really I don't think your average
phone user knows how to get and install a "cracked" app anyway.
Experienced users may, but you won't necessarily disable their ability
to do so even with protection.

Really all software protection does is hurt the valid customers more
than anything.

Now, can we perhaps take time to actually contribute useful ideas and/
or code to the forums for a change? All I see lately is complaining in
one form or another. This has to be the most negative board I've ever
read...it really bums me out to read anything here lately! It's
killing my enthusiasm! C'mon devs, let's get happy for a
change!!


-niko

On Nov 17, 9:03 am, Streets Of Boston  wrote:
> What would happen if someone gets a new android phone? The app's
> authentication will fail.
>
> You should hash/key on the user's google-account, the same key that is
> used by Android Market (you can download paid apps as often as you
> want - once you paid for them - based on your google-account)
>
> On Nov 15, 2:32 am, android kracker  wrote:
>
>
>
> > Using the unique ID (hash) of the phone, register it with your web
> > service on install.
> > Then employ PKI to authenticate your app on each launch.
> > On your web service sign a string containing the hash, timestamp, and
> > a short expiration timestamp.
> > Then have your app use your public key (in the app) to authenticate
> > the string, verify the timestamps, and complete
> > the launch if valid, otherwise abort the launch or offer the user to
> > come clean and install.
> > To prevent code modification--bypassing the check--don't include all
> > of the code in the app.
> > Keep some of it on the server and only send it to the app if the check
> > takes place and passes the check.
> > This way the app will not function correctly unless the check is
> > performed and passes.
> > Create a set of one-off methods (dummies that just pass through) that
> > you can dynamically use with each app instance; since you
> > are in control of the download (unlike Market publishers), you can
> > dynamically build and package a unique app for each instance
> > downloaded.
> > This way no two apps use the same method and a hacker is up a creek as
> > far as patching the code
> > and replicating it to the community. When one instance is cracked, and
> > it will be, then your server can cancel that hacked instance
> > without affecting all of the other valid users. This will create a
> > strong disincentive, because no two apps are the same, codewise ;-)
>
> > Maybe we should start a service and offer Android publishers a secure
> > distribution service, unlike the Market.
> > There is no way to register (stamp an app with a phone id) downloads
> > from the Market prior to installation.
> > As it stands now publishers have no way to verify if their app was
> > downloaded from the Market or copied and installed by other means.
>
> > If there is I would like to know. I've asked but I never get replies
> > regarding this advanced topic. Most publishers are still learning to
> > just create apps, let alone seek out secure distribution and customer
> > behavior--only Google enjoys this privilege, currently.
>
> > Here's a method snippet for getting the unique ID and hashing it:
>
> > import java.security.MessageDigest;
> > import java.security.NoSuchAlgorithmException;
> > import android.content.Context;
> > import android.telephony.TelephonyManager;
> > import android.text.TextUtils;
> > import org.apache.commons.codec.binary.Base64; // Apache Commons Codec, not android.util.Base64
> >
> > /* Lives in an Activity, since getSystemService() is a Context method. */
> > String getPhoneID(){
> >         MessageDigest digest;
> >         try {
> >             digest = MessageDigest.getInstance("SHA-1");
> >         } catch (NoSuchAlgorithmException e) {
> >             throw new RuntimeException("this should never happen");
> >         }
>
> >         String srvcName = Context.TELEPHONY_SERVICE;
> >         TelephonyManager telephonyManager =
> >           (TelephonyManager)getSystemService(srvcName);
>
> >         /* requires READ_PHONE_STATE permission; null on devices without telephony */
> >         String deviceId = telephonyManager.getDeviceId();
> >         if (TextUtils.isEmpty(deviceId)) {
> >             return "";
> >         }
>
> >         /* first 12 chars of the Base64 SHA-1 digest; standard Base64 may also contain '+' */
> >         byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
> >         String id = new String(Base64.encodeBase64(hashedDeviceId), 0,
> > 12);
> >         id = id.replaceAll("/", "_");
> >         return id;
>
> > }
>
> > On Nov 14, 7:12 am,

[android-developers] Re: Securing a paid app

2009-11-17 Thread Streets Of Boston
What would happen if someone gets a new android phone? The app's
authentication will fail.

You should hash/key on the user's google-account, the same key that is
used by Android Market (you can download paid apps as often as you
want - once you paid for them - based on your google-account)

On Nov 15, 2:32 am, android kracker  wrote:
> Using the unique ID (hash) of the phone, register it with your web
> service on install.
> Then employ PKI to authenticate your app on each launch.
> On your web service sign a string containing the hash, timestamp, and
> a short expiration timestamp.
> Then have your app use your public key (in the app) to authenticate
> the string, verify the timestamps, and complete
> the launch if valid, otherwise abort the launch or offer the user to
> come clean and install.
> To prevent code modification--bypassing the check--don't include all
> of the code in the app.
> Keep some of it on the server and only send it to the app if the check
> takes place and passes the check.
> This way the app will not function correctly unless the check is
> performed and passes.
> Create a set of one-off methods (dummies that just pass through) that
> you can dynamically use with each app instance; since you
> are in control of the download (unlike Market publishers), you can
> dynamically build and package a unique app for each instance
> downloaded.
> This way no two apps use the same method and a hacker is up a creek as
> far as patching the code
> and replicating it to the community. When one instance is cracked, and
> it will be, then your server can cancel that hacked instance
> without affecting all of the other valid users. This will create a
> strong disincentive, because no two apps are the same, codewise ;-)
>
> Maybe we should start a service and offer Android publishers a secure
> distribution service, unlike the Market.
> There is no way to register (stamp an app with a phone id) downloads
> from the Market prior to installation.
> As it stands now publishers have no way to verify if their app was
> downloaded from the Market or copied and installed by other means.
>
> If there is I would like to know. I've asked but I never get replies
> regarding this advanced topic. Most publishers are still learning to
> just create apps, let alone seek out secure distribution and customer
> behavior--only Google enjoys this privilege, currently.
>
> Here's a method snippet for getting the unique ID and hashing it:
>
> import java.security.MessageDigest;
> import java.security.NoSuchAlgorithmException;
> import android.content.Context;
> import android.telephony.TelephonyManager;
> import android.text.TextUtils;
> import org.apache.commons.codec.binary.Base64; // Apache Commons Codec, not android.util.Base64
>
> /* Lives in an Activity, since getSystemService() is a Context method. */
> String getPhoneID(){
>         MessageDigest digest;
>         try {
>             digest = MessageDigest.getInstance("SHA-1");
>         } catch (NoSuchAlgorithmException e) {
>             throw new RuntimeException("this should never happen");
>         }
>
>         String srvcName = Context.TELEPHONY_SERVICE;
>         TelephonyManager telephonyManager =
>           (TelephonyManager)getSystemService(srvcName);
>
>         /* requires READ_PHONE_STATE permission; null on devices without telephony */
>         String deviceId = telephonyManager.getDeviceId();
>         if (TextUtils.isEmpty(deviceId)) {
>             return "";
>         }
>
>         /* first 12 chars of the Base64 SHA-1 digest; standard Base64 may also contain '+' */
>         byte[] hashedDeviceId = digest.digest(deviceId.getBytes());
>         String id = new String(Base64.encodeBase64(hashedDeviceId), 0,
> 12);
>         id = id.replaceAll("/", "_");
>         return id;
>
> }
>
> On Nov 14, 7:12 am, jax  wrote:
>
> > I am wondering how I might go about securing a paid app on Android.
>
> > I am thinking of selling the application from my own website via
> > PayPal, however, how will I stop people from sharing it with their
> > friends etc.  Does Android have any type of native support for this?



[android-developers] Re: Securing a paid app

2009-11-17 Thread admin.androidsl...@googlemail.com
Unless I missed it above, no one has published a method to check
whether an app was downloaded and not refunded by Google Checkout.
Without this check, none of the above code will be of any value.

Google please provide us with something we can use - devs work hard to
improve the platform. Pirates' only purpose is to get something for
free with no regard to the work that went into it. They are making
small startup Android businesses non-viable and hence quality products
will diminish.

Remember a pirate's motto is 'if you enjoyed using the app, please
consider buying the full version to support the dev'. Yeah right!!



[android-developers] Re: Securing a paid app

2009-11-15 Thread Al Sutton
We (AndAppStore) already have a system available which you can find
details of at http://andappstore.com/AndroidApplications/licensing.jsp

It's not tied to our purchasing system, so you can use it to generate
licenses from your own site if you wish.

We always welcome feedback so if you have any comments on it then feel
free to drop me an email.

Al.

-

* Looking for Android Apps? - Try http://andappstore.com/ *

==
Funky Android Limited is registered in England & Wales with the
company number  6741909.

The views expressed in this email are those of the author and not
necessarily those of Funky Android Limited, its associates, or its
subsidiaries.


On Nov 14, 8:39 pm, Pooper  wrote:
> What you can do is make your user enter a serial #; the serial number
> could be a hashing function that you come up with that takes the device
> id (could be the imei number). The application could then check if the
> serial/hash code matches for that device. This would require your
> customer to send you his/her imei # or another unique # associated with
> the device so that you can generate the serial code for that device.
>
> You can also implement a two step method so that the customer can't
> accidentally enter in their imei incorrectly by mistake.
>
> To do it this way you would generate a "Request For Serial Number
> Code" and store this code in your database. The customer enters this
> code in their phone, your phone connects to your web server and sends
> the "Request for Serial number code" and the IMEI number of the phone
> with it. Your server generates the hash/serial and sends it back to the
> phone. You can then mark the "Request for serial number code" as used
> so that they cannot use it for another device. This is the method I use
> for my applications.
>
> On Nov 14, 8:39 am, jax  wrote:
>
>
>
> > Yes, that is why I have posted the question because I don't know how
> > to do it.
>
> > Has anyone done this before or know of a method for achieving this?
>
> > On Nov 14, 10:23 pm, Andrei  wrote:
>
> > > What u want to do is to tie your app to one device
> > > How u do it up to u
>
> > > On Nov 14, 7:12 am, jax  wrote:
>
> > > > I am wondering how I might go about securing a paid app on Android.
>
> > > > I am thinking of selling the application from my own website via
> > > > PayPal, however, how will I stop people from sharing it with their
> > > > friends etc.  Does Android have any type of native support for this?



[android-developers] Re: Securing a paid app

2009-11-15 Thread android kracker
Using the unique ID (hash) of the phone, register it with your web
service on install. Then employ PKI to authenticate your app on each
launch: on your web service, sign a string containing the hash, a
timestamp, and a short expiration timestamp. Then have your app use your
public key (in the app) to authenticate the string, verify the
timestamps, and complete the launch if valid; otherwise abort the launch
or offer the user to come clean and install.

To prevent code modification (bypassing the check), don't include all
of the code in the app. Keep some of it on the server and only send it
to the app if the check takes place and passes. This way the app will
not function correctly unless the check is performed and passes.

Create a set of one-off methods (dummies that just pass through) that
you can dynamically use with each app instance; since you are in control
of the download (unlike Market publishers), you can dynamically build
and package a unique app for each instance downloaded. This way no two
apps use the same method and a hacker is up a creek as far as patching
the code and replicating it to the community. When one instance is
cracked, and it will be, then your server can cancel that hacked
instance without affecting all of the other valid users. This will
create a strong disincentive, because no two apps are the same,
codewise ;-)

Maybe we should start a service and offer Android publishers a secure
distribution service, unlike the Market.
There is no way to register (stamp an app with a phone id) downloads
from the Market prior to installation.
As it stands now publishers have no way to verify if their app was
downloaded from the Market or copied and installed by other means.

If there is I would like to know. I've asked but I never get replies
regarding this advanced topic. Most publishers are still learning to
just create apps, let alone seek out secure distribution and customer
behavior--only Google enjoys this privilege, currently.

Here's a method snippet for getting the unique ID and hashing it:

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Base64;   /* commons-codec Base64, as used here */
import android.content.Context;
import android.telephony.TelephonyManager;
import android.text.TextUtils;

/* Call from inside an Activity (it uses getSystemService). Returns the
   first 12 characters of the Base64-encoded SHA-1 of the device ID, or
   "" when no device ID is available (emulator, devices without telephony). */
String getPhoneID() {
    MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("SHA-1");
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException("this should never happen", e);
    }

    String srvcName = Context.TELEPHONY_SERVICE;
    TelephonyManager telephonyManager =
        (TelephonyManager) getSystemService(srvcName);

    /* requires READ_PHONE_STATE permission */
    String deviceId = telephonyManager.getDeviceId();
    if (TextUtils.isEmpty(deviceId)) {
        return "";
    }

    /* fixed charset so the hash is identical regardless of device locale */
    byte[] hashedDeviceId = digest.digest(deviceId.getBytes(Charset.forName("UTF-8")));
    /* keep 12 of the 28 Base64 characters; '/' is replaced so the id is safe in URLs and file names */
    String id = new String(Base64.encodeBase64(hashedDeviceId), 0, 12);
    id = id.replaceAll("/", "_");
    return id;
}



On Nov 14, 7:12 am, jax  wrote:
> I am wondering how I might go about securing a paid app on Android.
>
> I am thinking of selling the application from my own website via
> PayPal, however, how will I stop people from sharing it with their
> friends etc.  Does Android have any type of native support for this?
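The signed-launch scheme in the post above, written out as an added example in plain Java SE (my code, not the poster's): the server signs the string `deviceHash|issuedAt|expiresAt` with its RSA private key, and the app verifies the signature with the public key compiled into it, checks that the hash names this device, and enforces the validity window. The `SHA256withRSA` algorithm, the five-minute clock-skew allowance, the epoch-seconds timestamps and the `java.util.Base64` encoder (Java 8; on the 2009-era Android SDK you would substitute commons-codec as the getPhoneID snippet does) are my assumptions, and the key pair is generated inside `main` only so the demonstration runs offline; in deployment the private key never leaves the server.

```java
import java.nio.charset.Charset;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public class LaunchTokenExample {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    // Clock skew tolerated between server and phone, in seconds (assumption).
    private static final long SKEW_SECONDS = 300;
    private static final String SIG_ALG = "SHA256withRSA";

    /** Server side: sign "deviceHash|issuedAt|expiresAt" (epoch seconds). */
    static String issueToken(PrivateKey serverPrivateKey, String deviceHash,
                             long issuedAt, long expiresAt) throws Exception {
        String payload = deviceHash + "|" + issuedAt + "|" + expiresAt;
        Signature signer = Signature.getInstance(SIG_ALG);
        signer.initSign(serverPrivateKey);
        signer.update(payload.getBytes(UTF8));
        return payload + "|" + Base64.getEncoder().encodeToString(signer.sign());
    }

    /** App side: check the signature with the embedded public key, then that
     *  the token names this device and that 'now' lies inside its window. */
    static boolean verifyToken(PublicKey serverPublicKey, String token,
                               String thisDeviceHash, long now) throws Exception {
        String[] parts = token.split("\\|");
        if (parts.length != 4) return false;
        String payload = parts[0] + "|" + parts[1] + "|" + parts[2];
        byte[] sig;
        try {
            sig = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {
            return false;                               // not even valid Base64
        }
        Signature verifier = Signature.getInstance(SIG_ALG);
        verifier.initVerify(serverPublicKey);
        verifier.update(payload.getBytes(UTF8));
        try {
            if (!verifier.verify(sig)) return false;    // forged or tampered payload
        } catch (SignatureException e) {
            return false;                               // malformed signature bytes
        }
        if (!parts[0].equals(thisDeviceHash)) return false; // issued for another phone
        long issuedAt, expiresAt;
        try {
            issuedAt = Long.parseLong(parts[1]);
            expiresAt = Long.parseLong(parts[2]);
        } catch (NumberFormatException e) {
            return false;
        }
        if (expiresAt <= issuedAt) return false;
        if (issuedAt > now + SKEW_SECONDS) return false;   // dated in the future
        if (now > expiresAt + SKEW_SECONDS) return false;  // expired
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Demo only: in deployment the private key stays on the server and
        // only the public key is compiled into the APK.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        String deviceHash = "b7Xz_1kQp9Lm";          // constructed sample, shaped like getPhoneID() output
        long now = System.currentTimeMillis() / 1000;
        String token = issueToken(kp.getPrivate(), deviceHash, now, now + 3600);
        // Rebuild the token with a pushed-out expiry but the original signature.
        String[] p = token.split("\\|");
        String tampered = p[0] + "|" + p[1] + "|" + (now + 999999) + "|" + p[3];

        System.out.println("valid token:   " + verifyToken(kp.getPublic(), token, deviceHash, now));
        System.out.println("other device:  " + verifyToken(kp.getPublic(), token, "otherphone00", now));
        System.out.println("after expiry:  " + verifyToken(kp.getPublic(), token, deviceHash, now + 7200));
        System.out.println("tampered date: " + verifyToken(kp.getPublic(), tampered, deviceHash, now));
    }
}
```

Only the holder of the private key can mint a token, so the phone needs no secret at all, just the public key. What the check cannot do on its own is survive the app being patched to skip `verifyToken`, which is why the post goes on to keep part of the code on the server; the short expiry is what forces the phone back to the server often enough for a revoked instance to stop working.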



[android-developers] Re: Securing a paid app

2009-11-15 Thread Pooper
What you can do is make your user enter a serial #; the serial number
could be a hashing function that you come up with that takes the device
id (could be the imei number). The application could then check if the
serial/hash code matches for that device. This would require your
customer to send you his/her imei # or another unique # associated with
the device so that you can generate the serial code for that device.

You can also implement a two step method so that the customer can't
accidentally enter in their imei incorrectly by mistake.

To do it this way you would generate a "Request For Serial Number
Code" and store this code in your database. The customer enters this
code in their phone, your phone connects to your web server and sends
the "Request for Serial number code" and the IMEI number of the phone
with it. Your server generates the hash/serial and sends it back to the
phone. You can then mark the "Request for serial number code" as used
so that they cannot use it for another device. This is the method I use
for my applications.

On Nov 14, 8:39 am, jax  wrote:
> Yes, that is why I have posted the question because I don't know how
> to do it.
>
> Has anyone done this before or know of a method for achieving this?
>
> On Nov 14, 10:23 pm, Andrei  wrote:
>
>
>
> > What u want to do is to tie your app to one device
> > How u do it up to u
>
> > On Nov 14, 7:12 am, jax  wrote:
>
> > > I am wondering how I might go about securing a paid app on Android.
>
> > > I am thinking of selling the application from my own website via
> > > PayPal, however, how will I stop people from sharing it with their
> > > friends etc.  Does Android have any type of native support for this?
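The two-step request-code flow from Pooper's post, as an added example in plain Java SE (my code, not the poster's): after payment the server issues a random single-use request code, the phone later submits that code together with its device ID, the server binds the code to that device on first use and returns a serial derived from the device ID, and the app accepts the serial by recomputing the same value. The HMAC-SHA256 construction, the ten-character code, the 16-character serial, the in-memory map standing in for the database, the rule that the same device may resubmit its own code (for a lost reply) and the sample IMEI strings are all my assumptions or constructed values.

```java
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RequestCodeExample {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final String HEX = "0123456789ABCDEF";

    /** Upper-case hex of the first 'len' bytes of 'b'. */
    static String toHex(byte[] b, int len) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < len; i++) {
            sb.append(HEX.charAt((b[i] >> 4) & 0xF)).append(HEX.charAt(b[i] & 0xF));
        }
        return sb.toString();
    }

    /** Serial = first 16 hex chars of HMAC-SHA256(key, deviceId); the same
     *  function runs on the server and in the app (assumption). */
    static String serialFor(byte[] key, String deviceId) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return toHex(mac.doFinal(deviceId.getBytes(UTF8)), 8);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /** Server side. The map stands in for the database: request code ->
     *  device ID it was redeemed for, or null while still unused. */
    static class LicenseServer {
        private final byte[] serialKey;
        private final Map<String, String> requestCodes = new HashMap<String, String>();
        private final SecureRandom rng = new SecureRandom();

        LicenseServer(byte[] serialKey) { this.serialKey = serialKey; }

        /** Step 1: after payment, issue a fresh 10-hex-char code and record it as unused. */
        String issueRequestCode() {
            byte[] b = new byte[5];
            rng.nextBytes(b);
            String code = toHex(b, b.length);
            requestCodes.put(code, null);
            return code;
        }

        /** Step 2: the phone sends (requestCode, deviceId). The code is bound
         *  to the first device that redeems it; any other device is refused. */
        String redeem(String requestCode, String deviceId) {
            if (!requestCodes.containsKey(requestCode)) return null;      // unknown code
            String boundTo = requestCodes.get(requestCode);
            if (boundTo != null && !boundTo.equals(deviceId)) return null; // used by another device
            requestCodes.put(requestCode, deviceId);                       // mark used for this device
            return serialFor(serialKey, deviceId);
        }
    }

    /** App side: recompute the serial for this device and compare with the stored one. */
    static boolean appAcceptsSerial(byte[] key, String deviceId, String storedSerial) {
        return storedSerial != null && storedSerial.equals(serialFor(key, deviceId));
    }

    public static void main(String[] args) {
        byte[] key = "demo-serial-key-change-me".getBytes(UTF8);   // constructed demo key
        String phoneA = "355000000000001";                          // constructed sample IMEI
        String phoneB = "355000000000002";                          // constructed sample IMEI
        LicenseServer server = new LicenseServer(key);

        String code = server.issueRequestCode();
        String serial = server.redeem(code, phoneA);
        System.out.println("first redeem by A:   " + serial);
        System.out.println("A retries same code: " + server.redeem(code, phoneA));
        System.out.println("B tries A's code:    " + server.redeem(code, phoneB));
        System.out.println("unknown code:        " + server.redeem("0000000000", phoneA));
        System.out.println("app check on A:      " + appAcceptsSerial(key, phoneA, serial));
        System.out.println("A's serial on B:     " + appAcceptsSerial(key, phoneB, serial));
    }
}
```

Because the app verifies the serial locally, it must carry the same key as the server, so the protection in this design comes from the single-use binding the server enforces rather than from the secrecy of the hashing function; if the serial should be checkable without a shared key, have the server sign it with a private key as in the PKI post elsewhere in this thread. Using a keyed MAC rather than a bare hash also bears on the privacy point raised in the thread about storing IMEIs: an IMEI is 15 decimal digits, so an unkeyed hash of one can be reversed by enumerating that space, whereas an HMAC cannot be without the key.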



[android-developers] Re: Securing a paid app

2009-11-14 Thread Paul Turchenko
TelephonyManager telManager = (TelephonyManager)
    context.getSystemService(Context.TELEPHONY_SERVICE);

telManager.getDeviceId() will give you the device ID (IMEI for cell
phones). This is how you can tie your application to the device. The
rest (license generation, your program <-> server communication) is up
to you. We have already developed a security system exactly as you ask.
Feel free to contact me via e-mail for more details.

On Nov 14, 2:12 pm, jax  wrote:
> I am wondering how I might go about securing a paid app on Android.
>
> I am thinking of selling the application from my own website via
> PayPal, however, how will I stop people from sharing it with their
> friends etc.  Does Android have any type of native support for this?



[android-developers] Re: Securing a paid app

2009-11-14 Thread jax
Yes, that is why I have posted the question because I don't know how
to do it.

Has anyone done this before or know of a method for achieving this?


On Nov 14, 10:23 pm, Andrei  wrote:
> What u want to do is to tie your app to one device
> How u do it up to u
>
> On Nov 14, 7:12 am, jax  wrote:
>
> > I am wondering how I might go about securing a paid app on Android.
>
> > I am thinking of selling the application from my own website via
> > PayPal, however, how will I stop people from sharing it with their
> > friends etc.  Does Android have any type of native support for this?
>
>



[android-developers] Re: Securing a paid app

2009-11-14 Thread Andrei
What u want to do is to tie your app to one device
How u do it up to u

On Nov 14, 7:12 am, jax  wrote:
> I am wondering how I might go about securing a paid app on Android.
>
> I am thinking of selling the application from my own website via
> PayPal, however, how will I stop people from sharing it with their
> friends etc.  Does Android have any type of native support for this?
