Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Ricardo Amaral
On Wednesday, November 23, 2011 6:26:09 PM UTC, Mark Murphy (a Commons Guy) 
wrote:

 On Wed, Nov 23, 2011 at 12:51 PM, Ricardo Amaral
 mas...@ricardoamaral.net wrote:
  I'm a little confused... If SharedPreferences are not safe for this, how are
  apps handling validation if they don't use online validation? I'm sure there
  are a couple who don't use online validation but have some sort of
  validation and they probably use SharedPreferences to control the app
  validation. How come they use it if it's not safe at all?

 Because it is good enough to stop casual piracy. Little will stop a
 serious pirate. This is not significantly different than for any other
 popular platform in the history of computers -- the only platforms
 with no piracy are the platforms nobody uses.

  Online validation is something I really wanted to avoid. I know that most
  people have an internet connection always on, but when they don't, I really
  don't want to downgrade my app or prevent them from using it. I'm not very
  comfortable with such policy. That doesn't leave me with any other options
  does it?

 You could come up with a business model that does not depend upon
 defeating pirates.

It was never my intention to come up with a business model that tries to 
defeat pirates. That's something I'm not worried about, I didn't even 
mention piracy in any of my posts. That's really not the issue. I'm just 
trying to understand how secure is SharedPreferences and what alternatives 
are there, that's all.

-- 
You received this message because you are subscribed to the Google
Groups Android Developers group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en

Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Ricardo Amaral


 Thanks. This is very basic, so if you decide to use it, you may want to
 improve/tweak it. At least you need to decide how you manage coupons:
  by device (how do you identify devices?), user (google account, email), 
 etc.

I haven't yet installed anything of that but one way would be to have a 
notes field for each coupon you create and then you identify each coupon 
the way you want it. By device, by user, whatever... Or you can just do 
that on a separate document and keep a list of coupon codes and to which 
user/device it corresponds to...

But I liked your other idea, I'll investigate that one...


Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Nikolay Elenkov
On Thu, Nov 24, 2011 at 8:51 PM, Ricardo Amaral
mas...@ricardoamaral.net wrote:
 Thanks. This is very basic, so if you decide to use it, you may want to
 improve/tweak it. At least you need to decide how you manage coupons:
  by device (how do you identify devices?), user (google account, email),
 etc.

 I haven't yet installed anything of that but one way would be to have a
 notes field for each coupon you create and then you identify each coupon
 the way you want it. By device, by user, whatever... Or you can just do that
 on a separate document and keep a list of coupon codes and to which
 user/device it corresponds to...

What I meant by 'manage' was the way you link coupons to users and/or
devices. For example, do you allow 3 people to use the same coupon?
Do you allow 1 person to use it on 3 different devices? What happens
if I reset my phone, can I re-use your coupon (same user, same device,
new installation)? etc.



Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread lbendlin
Exactly. Rather than thinking about the technicalities first, approach the 
issue from the other side. What is your user population like? Average users 
that never change phones? Geeks that flash a new ROM every week? Silent 
majority versus vocal few trolls? Once you have decided how you want to 
serve your customers you can then design your verification process.


Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Ricardo Amaral
I don't think those issues are really that relevant. For my situation at 
least.

This is only to give out some free copies to some persons, not to use as a 
full validation system for every paying user...


Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Nikolay Elenkov
On Thu, Nov 24, 2011 at 11:37 PM, Ricardo Amaral
mas...@ricardoamaral.net wrote:
 I don't think those issues are really that relevant. For my situation at
 least.


It's your app, so you should know best... But,

 This is only to give out some free copies to some persons, not to use as a
 full validation system for every paying user...

If you are worried about shared preferences being insecure, you should
probably be worried about one of those persons posting his coupon to a
forum, etc. If you allow coupon sharing, everyone would be able to get
the full version using that coupon. If you think the risk is small enough,
it's OK to ignore this, but you should at least consider the possibility.
It's a lot easier than rooting your phone and changing preferences
manually.



Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Ricardo Amaral
On Thursday, November 24, 2011 2:57:47 PM UTC, Nikolay Elenkov wrote:

 On Thu, Nov 24, 2011 at 11:37 PM, Ricardo Amaral
 mas...@ricardoamaral.net wrote:
  I don't think those issues are really that relevant. For my situation at
  least.
 

 It's your app, so you should know best... But,

  This is only to give out some free copies to some persons, not to use as a
  full validation system for every paying user...

 If you are worried about shared preferences being insecure, you should
 probably be worried about one of those persons posting his coupon to a
 forum, etc. If you allow coupon sharing, everyone would be able to get
 the full version using that coupon. If you think the risk is small enough,
 it's OK to ignore this, but you should at least consider the possibility.
 It's a lot easier than rooting your phone and changing preferences
 manually.


That's why, and for other reasons of course, the coupon system I linked 
above allows you to disable a coupon. If someone does something like that, 
they simply broke my trust and I shall invalidate their coupon. Then, no 
one else can use the app with that coupon. Of course I'll need to wait for 
them to open my app while connected to the Internet so I can invalidate the 
coupon (cause like I said, I don't want to force an Internet connection to 
run my app every time).


Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-24 Thread Kostya Vasilyev
If what you want is to be able to give out free copies to some users,
implement another unlocker, that is similar to the paid premium unlocker
you're planning for Market, but is free.

Encrypting preference data has nothing to do with LVL per se, and does not
require that the app is paid or free.

Whatever encryption / obfuscation you choose to go with, make sure to throw
in some device-specific bits, so your data file with the activation state
won't work if copied to another device.

-- Kostya

On November 24, 2011 at 22:52, Ricardo Amaral 
mas...@ricardoamaral.net wrote:

 On Thursday, November 24, 2011 5:36:20 PM UTC, Kevin TeslaCoil Software
 wrote:

  I'm just
  trying to understand how secure is SharedPreferences and what alternatives
  are there, that's all.

 On a rooted device SharedPreferences absolutely can be tampered with.
 Same with any on-device storage. However this doesn't mean you can't
 use them.

 1) Obfuscation. This is how Google recommends handling LVL data in
 shared prefs. This is not secure as someone could reverse engineer the
 obfuscator, but it makes it a pain in the ass and generally not worth
 it (easier to crack the APK itself). Check out the
 PreferenceObfuscator used for LVL:
 http://code.google.com/p/marketlicensing/source/browse/library/src/com/android/vending/licensing/PreferenceObfuscator.java
 It gives you stuff like this: string name=5h99XZgr
 +0i5N2SN0lEDu592x14RTrTj6/VOCCnxGokeazVz9bfLW793kkXg01kaBsJa1//
 string
 You can seed the obfuscator with a device id of some kind to prevent
 users from just copying shared prefs from one device to another.

 I haven't yet used the LVL but I'm thinking of using it for the paid
 version of my app. However, my paid app will be an unlocker app, nothing
 else and as you know, you can't use LVL on free apps. But it's the free app
 that will check for the paid app.

 2) Server signed data. When you authenticate your coupon, instead of
 saving a true or false, save a string from your server that is
 cryptographically signed. At the launch of the app you can verify this
 signature even without internet access. Again this is similar to the
 LVL approach. It might be too much work as crypto is very confusing.

 ---

 Along the lines of what others are saying, don't invest too much in
 anti-piracy stuff. Release and see what happens, if no one cracks it
 then don't waste any more time. If it's cracked, look at how they did
 it and block it in the next update. Keep adding features in updates; that
 will keep current and future legit users happy, and have the pirates
 always playing catch up to the latest version until they get sick of
 it and just buy it.

 -Kevin

 Again, this has nothing to do with piracy. Of course, I'll do a minimum
 effort to prevent it but that's it, I will never waste too much time trying
 to prevent piracy, that's a lost battle from the beginning.

 I simply want some sort of control where I can give out free copies to
 some people. I could just give them the .apk and be done with it. But I
 don't want to go down that road. I only came here asking about the
 SharedPreferences security. If a rooted user can simply pull the file,
 easily swap a boolean value from false to true and push the file back to
 the phone, then, in my opinion, it's a pointless way of validating a
 license. That's all I wanted to know and all I asked :)



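
The "server signed data" option quoted in the message above, combined with the advice to throw in device-specific bits, as an added example that is not code from the thread or from LVL. The class and method names, the token format "coupon|deviceId|base64(signature)", the choice of SHA256withRSA and the sample values are assumptions; the key pair is generated inline to stand in for the server's key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64; // API 26+ on Android; android.util.Base64 before that

// Added example, not code from the thread. Plain JDK so it runs off-device.
// Token format "coupon|deviceId|base64(signature)" is an assumption of this sketch.
public class SignedLicenseDemo {

    // Server side (hypothetical): bind the coupon to one device and sign it.
    static String issueToken(PrivateKey key, String coupon, String deviceId)
            throws GeneralSecurityException {
        if (coupon.contains("|") || deviceId.contains("|"))
            throw new IllegalArgumentException("'|' is the field separator");
        String payload = coupon + "|" + deviceId;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + Base64.getEncoder().encodeToString(s.sign());
    }

    // App side, at every launch, offline. storedToken is the string read back
    // from SharedPreferences; only the public key ships inside the APK.
    static boolean isUnlocked(PublicKey pub, String storedToken, String thisDeviceId) {
        if (storedToken == null) return false;
        String[] parts = storedToken.split("\\|", -1);
        if (parts.length != 3) return false;
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(pub);
            s.update((parts[0] + "|" + parts[1]).getBytes(StandardCharsets.UTF_8));
            boolean signedByServer = s.verify(Base64.getDecoder().decode(parts[2]));
            return signedByServer && parts[1].equals(thisDeviceId);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // forged, truncated or otherwise malformed token
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair(); // constructed key, stands in for the server's
        PublicKey pub = server.getPublic();

        // Constructed sample values.
        String token = issueToken(server.getPrivate(), "FREE-COPY-01", "device-A");
        String editedCoupon = token.replace("FREE-COPY-01", "FREE-COPY-99");
        String editedDevice = token.replace("device-A", "device-B");

        System.out.println("issued token, device-A:   " + isUnlocked(pub, token, "device-A"));
        System.out.println("file copied to device-B:  " + isUnlocked(pub, token, "device-B"));
        System.out.println("coupon edited in file:    " + isUnlocked(pub, editedCoupon, "device-A"));
        System.out.println("device id edited in file: " + isUnlocked(pub, editedDevice, "device-B"));
        System.out.println("plain \"true\" in file:     " + isUnlocked(pub, "true", "device-A"));
    }
}
```

This protects the stored value against editing and against copying the preferences file to another device; it does not protect the check itself, which the thread notes is the easier thing to crack in the APK. Disabling a coupon that has already been issued still needs the occasional online check discussed earlier in the thread.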

Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-23 Thread Mark Murphy
On Wed, Nov 23, 2011 at 12:51 PM, Ricardo Amaral
mas...@ricardoamaral.net wrote:
 I'm a little confused... If SharedPreferences are not safe for this, how are
 apps handling validation if they don't use online validation? I'm sure there
 are a couple who don't use online validation but have some sort of
 validation and they probably use SharedPreferences to control the app
 validation. How come they use it if it's not safe at all?

Because it is good enough to stop casual piracy. Little will stop a
serious pirate. This is not significantly different than for any other
popular platform in the history of computers -- the only platforms
with no piracy are the platforms nobody uses.

 Online validation is something I really wanted to avoid. I know that most
 people have an internet connection always on, but when they don't, I really
 don't want to downgrade my app or prevent them from using it. I'm not very
 comfortable with such policy. That doesn't leave me with any other options
 does it?

You could come up with a business model that does not depend upon
defeating pirates.

-- 
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Android App Developer Books: http://commonsware.com/books



Re: [android-developers] Re: How secure are SharedPreferences on rooted devices?

2011-11-23 Thread Nikolay Elenkov
On Thu, Nov 24, 2011 at 2:51 AM, Ricardo Amaral
mas...@ricardoamaral.net wrote:

 Online validation is something I really wanted to avoid. I know that most
 people have an internet connection always on, but when they don't, I really
 don't want to downgrade my app or prevent them from using it. I'm not very
 comfortable with such policy. That doesn't leave me with any other options
 does it?

* option 1: don't do online validation. You can even get away without a
server component at all: find a deterministic coupon generation algorithm and
implement it in your app. Say, all 8 char strings that have 2 odd numbers and
2 vowels are valid coupons (don't use this!). Assume some people will find
out how this works and abuse it. If the number is relatively small,
just ignore them. (Real world example: Windows license keys had no online
validation for years)
* option 2: do online validation once a week/month, etc, only when Internet
connection is available
* option 3: come up with some other (reasonable for your app) policy

Bottom line: you need to decide how far you are willing to go with this first
and if it is worth your time. Then decide on a policy and implement it.


 I guess this means the coupon system I found is not that useful. It uses
 shared preferences to control if the app is unblocked (ie: a coupon code was
 inserted and validated):
 https://github.com/zemariamm/Coupons/blob/master/src/com/zemariamm/coupons/CouponPreferences.java

 Still, someone requested the link to the whole thing:
 http://zemariamm.posterous.com/using-coupons-to-giveaway-paid-android-apps


Thanks. This is very basic, so if you decide to use it, you may want to
improve/tweak it. At least you need to decide how you manage coupons:
 by device (how do you identify devices?), user (google account, email), etc.
