Currently I'm working on app which allows user to use promotion code to get free stuff. The promo code can be used only once for every device. So even if user uninstalls the app and installs it again, he or she cannot use the code again to get free stuff.
However, my problem is I need to implement this on the client's side (i.e., on the phone itself). Apparently SharedPreferences cannot solve this issue, but saving some file on external storage seems quite fragile to me. Is there any good solution to the above problem?
Both iOS & Android apps run within a sandboxed environment and do not let you create or read files out of the environment. This means that you cannot do this. The only way you can achieve this is by reading some unique identifier from the device and storing this info on the server side.
please use webservice and save user information in server
user_id
user_password
user_promocode
and etc.
please apply webservice on your application to solve your problem.
Related
So i've recently discovered Flutter as a great way to develop apps for IOS/Android at the same time and i've come up with a project i'd like to realize. It's nothing new, i just want to build an app that helps you keep track of all the money you have / don't have (in my case). I know that this is not something new and there are some really good apps for this but i want some special features none of these apps has (+ it's a project not that difficult and i can get a ton of coding experience).
I am looking for the best / a very good way to store user data. Each user should be able to store all past transactions and how much money they still have left. From what i've read SharedPreferences aren't the way to go as they aren't good at "storing a lot of data" so it's reccomended to go with an actual database.
As i am someone that very frequently resets his phone (rooting and stuff is really fun) i'd love to have the option to backup the database in the cloud as well. If my research is correct i can do this two ways:
I can either have a local database stored on the device and create an option in the app to export the db to e.g Google Drive / Dropbox and import the db from there or i could go with a firebase from google. I'd prefer the second option as then i could implement it in a way that the user doesn't ever need to press "backup data" but the data will always get synced with the firebase and be available offline.
I've found tons of ways and tutorials on how to do this on android, yet i could not find anything for flutter. And i don't really know how to secure a firebase (and i don't really want to know either, i'm not that much into databases).
What are your suggestions? Should i
Go with a local database or
Try setting up a firebase
Thank you guys!
Firebase seems like a great option. Note you only have 1GB of free real time database storage.
In terms of integrating Firebase with Flutter you should start reading here and here
SharedPreferences are mostly used for storing only important information like userId tokens, session timeouts etc etc.
In my opinion go with firebase, so that you can keep record of probably every single transaction.
You can even go with local storage but as the data grows it would be good to keep it syncronized across cloud.
I'm trying to understand how applications are storing data without the use of a login system. Example, an android app starts you with 500 coins and you use some of them. You have not logged in at all and you delete the 'app data' in settings and uninstall and reinstall. The app still knows you only have 450 coins left for example. The app requires internet connection so I'm assuming they are storing the info on their server. If so, how are they uniquely identifying your device? In my reading so far it seems there is no full-proof way to uniquely identify a device every time.
I'm asking because I'm going to be working on an app where I don't want to require a login but I also don't want the player to simply reinstall and get to start over. So, my question is how does everyone handle this situation to work for both iOS and android?
Google offers Firebase, which is used for notifications, but makes use of a unique identifier for an application instance on a device (both on iOS and Android), they could be using this.
There are some more providers that offer a similar service (for example OneSignal).
Reference: https://firebase.google.com/
i need to know how can i secure my app to make a close beta?
i want to send my app to some people so that they can test it. but i dont want them to share the .apk with other people and just use it some days. so i need to implement some kind of trial/beta mode.
i need something, that the app e.g. only runs 7 days or so. how to do this?
There are a few ways to ensure security:
Get a server, and have a server side authentication based on a unique device ID, like an IMEI or MAC address. Any device which does not belong to your testers will not be listed on your server, and you can stop the app from running.
If possible, have each person come to you and install the apk yourself, instead of mailing it to them
Create a trial system. Store the date on which the person first accessed your app from the device, and stop letting him use it n days later. If you store this on a server along with the unique ID, it'll be safer, as if it is stored in the shared preferences or something, the user could get around it by clearing the data or uninstalling and reinstalling the app.
Obfuscate your code using a tool like ProGuard. This will add an extra layer of security incase someone decompiles your app
Note that these are only a few suggestions, and none of them are 100% secure. AFAIK, there is no way to ensure 100% security, short having having the devices locked in a lead room, and letting in the testers one at a time. And there is a way to get around that too, I bet.
Use hockeyapp, there's nothing easier to distribute your app to a closed group of people.
The problem:
In one of my Android apps, users should be allowed to make changes to text data on my server (via HTTP request) without being required to login or sign up.
In order to prevent spam and abuse of this function, I would like to identify a single installation of my app so that I can "ban" this installation. Of course, the user who is abusing my service could uninstall the app and download it again or something like that. But this is truly an obstacle and makes abusing the app more difficult.
So I have to find a way to identify an Android device or at least a single installation.
As one can read here or here the physical device ID of an Android phone is not a good solution. So what else could I do to achieve this?
My idea:
When the app is started for the first time, create an (almost) unique hash (maybe SHA-512) of the current timestamp and a huge random number. Then save this value on internal storage and always use it to identify this device or installation later (on HTTP requests).
What do you think of that solution? Are there any better approaches?
This is almost what the Android Developers Blog suggest, right? But are they really writing to the internal storage? They don't use openFileOutput() as suggested here.
And, at last, a question that is probably a bit stupid:
How can I use the code shown on the Android Developers Blog? Can I add that public class to my main activity .java file?
Thank you very much in advance! :)
In my current Android project, I use the Bluetooth mac id as the identifier because of what I read about the physical device ID not being reliable. Of course, my app is very specialized and REQUIRES bluetooth AND internet anyway, so this works.
Specifically I have a way of calling my web server from the phone, passing in the Bluetooth mac ID. I can check license status (for trials/expirations), where you might check against a ban method to see if that id is banned.
Since my application requires bluetooth, this worked perfectly for me since [mostly] all bluetooth mac id's should be unique.
Just an idea.
I am creating an app where the user does some things during a game, and these actions are logged in a SQLite-database. At the end of the game the app presents these logs through a screen, which are read by the game administrators (like, physically read by the game administrators watching the screen). Is there some ways for the contestants to manipulate the database, and if not, what security measures prevent them from doing this?
The database is stored under /data/data/your.applications.package/databases. Normally this location could only be access by the user the Android OS created for the app. No other user is able to access this location unless the device is rooted. Then any user can access any location on the phone and manipulate the data.
So if you want to prevent users from cheating you need some way to check if the values in the database are untouched. Perhaps you can store some kind of fingerprint on a server to check this.
Yes, you can do it programatically, as long as you are the developer. Here is the Android docs for SQLiteDatabase.
Here are some links for working with SQLiteDatabases programatically:
From Android docs
From a blog
From another blog
The SQLiteDatabase in an application should be 'sandboxed' to that specific application, meaning that no other application should be able to get to that data, as long as the developer didn't provide access to it with a ContentProvider. So to answer your final question, no, there should not be a way for contestants to manipulate the database, except in ways that the developer has already allowed.
Yes, users can examine and change the database when connected over USB via ADB: http://developer.android.com/guide/developing/tools/adb.html#shellcommands
Update:
This only works on rooted devices or official Google Dev devices: Why do I get access denied to data folder when using adb?
Still, this would allow users to access database and change game results. So you can not rely on databse not being accessible..
Unless you issue the devices to users and you carefully watch what they do with them, to be secure against anyone determined, you need to digitally sign the entries in the database using a mechanism hidden in strongly obfuscated application code. And even that only makes it harder.
Note that using a server does not help unless a key part of the game logic itself is implemented in the server; if the user knows how to fake your signing mechanism to write fake database entries, they can also send fake reports to your server.
You can use Proguard to obfuscate your code.
Also have the database be unique with a particular id according to the device id with some sort of server callback, to validate the database.