I'm making a Cordova 4.0 Android app that will be sold in Google Play, and I would like to prevent illegal use of it (for example preventing someone to extract the APK from the system and re-distributing it).
One theoretical way of doing this would be by checking that when the app is launched by the user, he did actually download it from Google Play (versus being it sideloaded). I'm not even sure if this is possible or if there's an alternate way of doing something like this.
One way that works in other cases is to use require some sort of login when accessing the app, but in this case I can't do that. Any advice would be appreciated!
Google offers a way to implement validation / licensing:
http://developer.android.com/google/play/licensing/index.html
Take a look if this is what you need!
One suggestion would be for those apps which are get connected to a server to fetch some data.
App verification token
Generate an encoded 64-bit long token and store on both device & server as well. This will be a unique token per app
Whenever app tries to connect to server, it sends the device token details. Server needs to verify it before fulfilling its request.
On specific events, server can generate a new token for a device.
Same way, device token can be mapped to a user or an app on the server side.
Token could carry some app related information, for instance.
first 4 or 6 digits represent app size
second block of digits could represent user specific or device or some other details
Or another block could hold app contents modification date
In case of any change, server could verify the app size, last app contents modification dates, etc.
Generally it is recommended to uglify, obfuscate and minimize app resources before submission.
You can use the package manager class to determine the source of an app (only google or amazon currently detected)
You can similarly use google analytics which gives same information.
This is pretty neat since Android stores the source of every package, allowing apps to know where they came from, to prevent piracy and sideloading.
Great if you always publish to google or amazon. Useless if you sideload your app.
Related
Scenario
The user get only the first time free credits in the app. After that we want to do fraud prevention. We need to check if the user and/or the device have not installed the application before.
We can accept the risk of a factory reset or rooted devices
What I tried already
Listen to Intent.ACTION_PACKAGE_FIRST_LAUNCH. After reading I understand that this event is only send to the Play store and can't be used in any other app.
Check the application package info for the field "firstInstallTime", this is reset when the user removed the application and do a install.
Android Backup Service, but the user can stop the backup and reset data, so this is at no use.
App licensing looks like a promise solution to detect if the user have already installed the app. But with limitations the following is described: "You can implement licensing controls for a free app, but only if you're using the service to provide APK expansion files." Do we need to make a small APK expension file, just to verify the license?"
make a fingerprint of the mac address, imei, android id and some other stuff. But would this make the scans of Google play violating? I don't use it for advertising, but i'm afraid they think we violate the google play policy.
how you can help me
Can you help me to choose a good direction to solve this issue and maybe give some better methods to do this verification.
Factory reset, second-hand phones and users with multiple devices will be your main problems.
The only way to uniquely identify a user is an authentication through login/password or OpenId account.
Hey there if you are managing user information at the your server than what you can do is take the IMEI number of the device and send it to your server. It will record the information of the user. Now if he/she uninstall and install app again your app will again send IMEI number at server now you can check the IMEI already present or not, If present then user have already installed your application, more over you can manage same thing from the login ID, but that can be faked by the user. More over it will not violate any thing. User can see while installing in the permissions that your app will get the system information.
Is there any way, to check on server if this is my application sending data or it's someone's who decompiled my app? Note that both my and fake apps may be downloaded by user from Google Play. I have only one idea - in Google Play you cant post two applications with the same package names, so maybe I can send package name to server or something like this.
It can't be done without some help from OS - because an app would not know whether it was modified (the modification check itself can be hacked).
The ways I'd go would be the following:
Excercise the options Google Play Store gives you - license check and app encryption
Add some auth data to the application itself and verify it on the server (some encryption key). The data should change with each version
Accept only 2-5 last versions (for people who haven't yet updated)
This way, any pirated version will be valid for only a week or so... And for someone wanting to use the app constantly it will be easier to buy it, than re-download it every 1-2 weeks.
It won't protect you completely, but will make thievery time-consuming and hardly worth it given the option to buy the app. Enough to convince the users who would have bought the app to buy it. Those who pirate things out of principle can not be converted in any case...
there are some points which can make your code and application more safer.
use proguard(see on android devlopment site) it offuscates(other words makes it messy at compile time) your code.
secondly you could use encryption and decryption send some secret key encrypted
I am planning to drop my app in Google Play(earlier Android Market) because of push notifications (whenever a new version) , security for apk and so on.And also since apk is secured with Google play(paid apks) i dropped of downloading the apk from my website (only authenticated people can download the apk)
Actually its a business app for particular users with username and login access. Everything was fine in the App with login and security mechanisms
I am thinking of a way to restrict the other users who are not from the list while installing itself.
My question is whether any kind of filter or authentication mechanism can we set while downloading the application from the Google play it should ask for a password or something like this to filter the unauthorized users to download the app..
My ultimate aim is i don't want the peoples to try it after downloading unnecessarily
Can anybody help who have tried all those in android market
Ok.. One thing after another..
Google propose their licensing mechanism. However app would need internet connection, which is disadvantage if otherwise it doesn't need it. If I got it right your does need to connect to server so this is not a problem for u.. It seems to me you are already familiar with this method.
Mechanism for password protecting downloading or visibility of apps on Google Play doesn't exist today..
You can identify users with IMEI (in case you don't consider using app on tablets, which doesn't have it), WLAN MAC, BT MAC address or some exotic combination of these methods, and you use this as authentication.
The best solution, from my point of view, is to allow people on market to download it. Your application is already using some mechanism of authentication (user/password) to server. So if 1st thing user need to do is login, and any functionality is disabled if that doesn't pass. If it pass, you already know who is your user and what privileges he has.
The thing is here that I am not so sure what are your concerns when user without login/pass download application if everything after that screen is disabled before authentication. User will download (if they find it..), they will install, try to use it, see that's not possible without credentials and uninstall it.
Hope it helped.. I will try to add few more links in a while..
I have a few questions regarding android market(Google play). How can I list my published application by accessing from my google account? What I have done so far is using my application package name as a query string to search my application and display all information which I used android market api to do it. Is there another better way to display all my published or installed applications by accessing from my google accounts?
My second question is about detecting number of downloading and installations of my published application. I have found only google analytics so far(for free) which I need to embedded some codes to monitoring my application. Is it possible for me to access those information from android market publish page . I have found that publish page contains information that I need.
Edited: For second question, I would like to obtain statistical information without adding any new code to my application. Is it possible to provide only google account to grant the permission to get those information?
My application is published. If I am using google analytics to monitoring my application do I need to start my counting from zero?
Sorry for my English and my little knowledge about this.
Thanks in advance..
Edited: .. I have found an application, called "analytics" that is what exactly I want to do. But I still cannot figure it out how it works..
The only place you will find this kind of information is on your Developer page. That said, if I were wanting to do what you are, I would put up an app on App Engine that either parsed my Dev page on request, or on a schedule. I mention App Engine as personal preference here, you could obviously use anywhere you can host scripts on.
You can then do what you like with the data you have collected, and your app can request this from your site. Assuming you have no qualms with publicising these numbers, you wouldn't need to scare users by authenticating, and would just need a plain html request.
Edit:
In your language of choice, you would need to request your developer page (the one that lists apps and their install count) and would also need to authenticate as yourself to get it. It's for this reason I would use your own hosting if you can. I can't be more specific than this, as I don't know what language you're most likely to be using. It should be trivial to find out how to do an html request and step through the page in whatever language it is though. App Engine pages are written in Java or Python and deployed to the server, while other obvious options are PHP or Perl. On my own server I would most likely use Perl as it's ideal for ripping up html with regexps.
I'm creating an Android application for a fantasy league as part of a college project. It's a paid application, and requires each download to be associated with only one team.
I'm confused as to how best go about it. If a user goes to settings and clears the data from there, all files, settings and databases would be deleted rendering a locally stored indicator for "The app has already run before and hence user is registered" as pointless.
Another option that had come to my mind was to store the IMEI no on a remote database (with SHA1 encryption to protect the data) but the problem with this is that, if a user loses or changes his phone, his further participation would be impossible. Additionally, users understandably don't like to share IMEI numbers and it's acceptable.
The best solution in my mind was to restrict usage of the app to the Google account that was used to download the application. With this, even a change of handsets would allow further participation of the user. However, I've not been able to find a way to obtain the Android Market account (only require E-mail) which resulted in the download.
So, my question is, how do I best go about with the problem that I face? Is there a way to get the Android Market username? Or is there a worthy alternative?
The server-side option is what you want, you can get a unique id from each phone and use that as your identifier.