My company is letting an external provider manage its internal Android "app store" for it. For this, the provider wants a p12 and the APK.
My question is: would there still be an "emergency" way for us to disable an app?
I know that on iOS there is always the possibility of disabling a provisioning profile; is there something similar with this Android setup?
Thanks
If I understand correctly your question, you want to be able to disable your application remotely ?
If so, there is no built-in way to do it, with or without using the signing certificate. Even removing it from the Play Store would not prevent existing users to use it, since you can't uninstall an app for users.
The only solution I see would be to introduce a custom check when the app is launched, which would call a webservice and depending of the "status" returned, start a blocking behavior in your app. However, this requires network, and it's not a very good usability best practice, since your users could see their service interrupted without warning.
Related
I am creating an iOS and Android App and I want to create a screen where the player can start with a guest account or can connect his account with our own accountsystem.
But my question is: Can I detect a user after the app was uninstalled and installed again?
I know that there is something like the vendor. But this will change.
I know that other apps also can do this.
With the user's permission- have them log into an account. Or provide you with their google of facebook account info. So far as hardware ids, those are discouraged and actively being removed to prevent people from the API to prevent this.
Also remember- that unless the user logs in with an account, you don't really know whether it is the same person. You could know its the same phone, but you don't know if he gave it to his kid sister to play on. Or sold it when he got a new one, and now you've given the new owner access to someone else's account. Also, if you rely on hardware ids you won't know its me when I buy a new phone and download it on that.
So yeah- either have him log in with a username and password, or use a 3rd party signon mechanism like Google or Facebook.
For iOS, there is a recommended approach to do that: by using the DeviceCheck framework. The idea here is that it allows you to persist 2 bits of data across app installations on each device. You can set the first bit to 1 if the user has already installed the app or 0 otherwise. And use the second bit, for example, to check if the user has signed in or not.
The official documentation is pretty good, please check it out.
The downside of this approach is that you will also have to do some work on the backend side.
UPDATE:
If you specifically want to detect the account, there is no reliable approach. One of the options is to use identifierForVendor or generate some kind of device fingerprint (for example, by combining the device model, timezone, locale, etc.), but of course, this will not work every time.
Uniquely identifying a device is a security leak, and all platforms are putting serious restrictions on unique persistent identifiers because of privacy concerns.
Is is possible to make an android app non deletable.. What i mean is, I want to install a app, but I cant remove/ uninstall it. If I want to uninstall it then it should prompt me for password which I would have set during installation of the app.
When I read the docs they tell it can be done using Device Admin, but it doesnt provide security, interms of it doesn't ask the user for the password and deletes if its correct..
Is it possible to make an app such that even if there is a factory reset the app will still be there on the phone ?
Is is possible to make an android app non deletable
No, unless you want to create your own ROM and preload it with your app, just like some manufactures preload their devices with their own software and other bloatware.
No it is possible to restrict any user to delete the app from android device.
As google already maintaining this scenario by using the concept known as Device Management System.
Google Eyeing on apps which are published by the developer / installed or deleted by the user.
Although you can make your own app which will notify your admin that user is trying to delete the app or deleted the app, using Service Intent concept.
I am planning to drop my app in Google Play(earlier Android Market) because of push notifications (whenever a new version) , security for apk and so on.And also since apk is secured with Google play(paid apks) i dropped of downloading the apk from my website (only authenticated people can download the apk)
Actually its a business app for particular users with username and login access. Everything was fine in the App with login and security mechanisms
I am thinking of a way to restrict the other users who are not from the list while installing itself.
My question is whether any kind of filter or authentication mechanism can we set while downloading the application from the Google play it should ask for a password or something like this to filter the unauthorized users to download the app..
My ultimate aim is i don't want the peoples to try it after downloading unnecessarily
Can anybody help who have tried all those in android market
Ok.. One thing after another..
Google propose their licensing mechanism. However app would need internet connection, which is disadvantage if otherwise it doesn't need it. If I got it right your does need to connect to server so this is not a problem for u.. It seems to me you are already familiar with this method.
Mechanism for password protecting downloading or visibility of apps on Google Play doesn't exist today..
You can identify users with IMEI (in case you don't consider using app on tablets, which doesn't have it), WLAN MAC, BT MAC address or some exotic combination of these methods, and you use this as authentication.
The best solution, from my point of view, is to allow people on market to download it. Your application is already using some mechanism of authentication (user/password) to server. So if 1st thing user need to do is login, and any functionality is disabled if that doesn't pass. If it pass, you already know who is your user and what privileges he has.
The thing is here that I am not so sure what are your concerns when user without login/pass download application if everything after that screen is disabled before authentication. User will download (if they find it..), they will install, try to use it, see that's not possible without credentials and uninstall it.
Hope it helped.. I will try to add few more links in a while..
I have a paid android application which uses the google LVL code to authenticate users.
A company would like to pay me so that their application can include a free version of my application. However, I'm not sure how to accomplish this in a way that won't result in an easily pirated version of my app. Below are some implementation options I am considering, but none of them seem like particularly good ideas. Any suggestions?
I deliver them an apk which does not use the LVL code. They could then package my apk with their app, and install it using the ACTION_VIEW intent. This seems like a bad idea because I think it wouldn't be particularly hard for some rouge user to extract my unsecured apk and distribute it.
Maybe I could build a version that checks to see if their app is installed, and if it is it queries their app for some sort of unlock code. And app will only run if this unlock code succeeds. My main concern about this is that I have no idea if "querying another app" for an unlock code is accomplishable.
This is definitely accomplishable. As already said one way to query the app is by using a content provider. If you are concerned about security you can introduce additional permission that both apps must hold to access the provider. Although since it doubtfull that both apps have the same signature it won't be as effective.
Another way would be if they had a service that you could bind to and request a code or any other authentication. In this case their service can as well validate your apps validity by querying your apps userId and checking a signature via PackageManager.
Sad news is it's alomost impossible to prevent pirating your app anyway. Even with LVL... Since all this can be decompiled and eventually broken. But at least you can make attackers life harder.
For what you are looking to do I would create a jar out of your project and mark it as a library project. That way you can give your application out to your client but they wont be able to see the actual code you have written. Using this method they will be able to call any method directly which would be easier than having to interact with an apk.
I want to release a trial version of my Android App that can only run for a fixed number of days before it disables itself. What techniques could be used that would provide reasonable protection and achieve this?
I am hoping to avoid the need for a licensing server. But if I do need one does anyone know of any open source license servers that they would recommend. If not open source then any that are reasonably priced?
Thank you for your kind response
Android makes it pretty hard to reliably resist pirating. You basically can't trust the device, pretty much need to have a call on startup to your server with the unique ID that authorizes or rejects the user. If most of the functionality relies on some server of yours, then you can make the app much more resistant to pirating by requiring a valid device ID on startup to get some sort of auth token, which your other RPCs can then use to authenticate the app.
I have a suggestion, although I do not know how effective it will be against someone who is very determined to get your app for free.
You could have a check that happens on startup of your app. If it is the first time the user has opened the app, then you take note of the time, and save it into a private preference of the app. If it is not the first time the user has opened the app, check to see if it is still within the valid data/time range from the initial time you saved to preferences. If valid, continue as normal, if not, display some message asking them to download the full version.
Again, I am not suggesting this is the best idea, or that it is even completely secure (as I do not know if anyone or any app could have access to those preferences). But I do think that it would be a cheap solution and easy to implement.
I had answered this question previously might be helpful Android: saving info for trial application