I'm totally new to the Android Play store. I'm working on an app that is almost finished and ready to publish.
But I notice that you can copy the apk file (after purchase) to another location (sd card for example) and install it on another device. That is something I want to avoid.
My questions are:
Does the Google Play store sign the apk file with some unique id before downloading? If is true, can I read/get this code from the
apk?
Is it possible to know the email-address of the user that purchase the app or can I access some other details of the user?
Is it possible to get an unique detail of the device?
Is there another solution available to protect the copy of the apk?
I want to create a registration method that binds the device to the app, so when the user tried to copy the app, it is not possible to use it. Is this all possible?
If you have any questions, let me know.
PS: I used Adobe Flash Builder to build the app.
Your best bet is a combination of LVL (Android License Verification Library) and tracking device installations.
LVL
http://developer.android.com/guide/market/licensing/index.html
Tracking Device installations
http://android-developers.blogspot.in/2011/03/identifying-app-installations.html
To verify that the user has paid there is a Google Play Licensing service, you can use it. There are copy protection mechanisms on Google Play if you choose to use them, but they are deprecated now since you are supposed to use the service I just mentioned. You can gather some unique device details, there are APIs to do that, but this is not really needed.
Related
I have this app developed and issued to users via USB. But I want to prevent them from extract the APK and install it on other phones.
Currently, I have a APK signing signature check when the app launches and prevent it from running if it doesn't match mine. But it doesn't to stop those APK extractor apps, this one for example.
https://play.google.com/store/apps/details?id=com.ext.ui&hl=en
I checked the extracted APK and it has the same signature as my original! Is there any other ways to stop it?
My app is a standalone app so it doesn't have a server to talk to...Thanks!
Disclaimer! There's no way you can protect your app 100% but you can try the following ways:
Google Play Licensing and the License Verification Library (LVL)
This service allows your app query a Google Play Licensing server to determine if currently running device is recorded as a purchaser.
More info
OBFUSCATION
Eliminate all chances of reverse engineering which is a way of generating an apk from your app.
More info
COPY PROTECTION
Although superseded by licensing on some platforms (most notably Android), copy protection is a simple way of fending off more perfunctory attempts at piracy.
Digital rights management (DRM) can be built into the app itself, be part of the app store to which it is uploaded (such as Amazon DRM), or purchased as part of a third-party paid DRM service.
In general you can not prevent your app from being extracted from a device. Furthermore any of your user could simple upload the retrieved APK file somewhere on the net.
Therefore you can only protect your app from being used by "the wrong people". I see two possible solutions for doing so:
Dongle the version to a specific device
You know the principle by many shareware software: After installing the app requires to enter a license code that activates it. The license code is generated by you after receiving some sort of device fingerprint and the app checks if the license is valid for this specific device.
Embed a water-mark that allows you to identify who has leaked the APK
This would require to create unique APK files for each of your legitimate user.
Scenario:
Someone buys/downloads my apps from the play store.
They then do an adb pull /data/app/com.example.myapp.apk on my apps
They then sideload it on another device/distribute it online
Can I:
Via my app identify it was not legitimately purchased/downloaded?
Download my apps from said website and verify the same person downloaded them?
Find any identifying information/user data inside the apk?
I can only answer number 3:
Reading: https://android.stackexchange.com/a/28138
It seems no user data will be in the APK, I don't know about the play store data though.
Can I:
Via my app identify it was not legitimately purchased/downloaded?
It depends how your app can be purchased. But even then that will be pretty hard to do that, especially this will be prone to spoofing on rooted devices, so if your app is a standalone product and does not require any account on your servers to be used, then it may be really painful and at some point not worth the efforts maybe.
Download my apps from said website and verify the same person downloaded them?
No.
Find any identifying information/user data inside the apk?
No. There's none.
Via my app identify it was not legitimately purchased/downloaded?
Aside from the security key which guarantees that the contents of the apk are not tampered with, the apk on it's own does not identify where it came from. If you need extra security measures against pirating, you have to look for other solutions, e.g. account checking, web-based identification, etc
Download my apps from said website and verify the same person downloaded them?
If you mean that whether Google Play will identify you as the person that originally purchased the app, the answer is no. If the app is paid Google Play will realize that you have not paid for it. If the app is not paid then Google Play will simply add that to the library of apps that you have and/or installed
Find any identifying information/user data inside the apk?
There is no user data in the apk since the apk is the same file for any device that installs it. However, some apps might store data locally which means that through adb pull an untrusted party might be able to pull your user data from your phone. Most apps don't store anything locally because of this.
As we all know that there are may options available to save the android app apk file.
so if the app is a paid app, it might become a risk for developer.
Could anyone here would be able to help me to know the best practice to be followed in order to prevent your android app from being copied by the app saver applications.
Thats where the Google Play Licencing service plays the role. Here is what is says " With Google Play Licensing, your application can query Google Play at run time to obtain the licensing status for the current user, then allow or disallow further use as appropriate." Check out this documentation for usage instruction Here
I have a simple question as to how can we prevent the user to share an apk file from his/her device to others.Like if i put a paid application in the market and a user downloads it . If its downloaded how can i be sure that he doesn't transfer the application to other or puts it in some third party market . I need to find some security measure to do it for my application.Is there any permissions that needs to be added or any third party security .
All the answers are appreciated.
As I came across this link. How can i prevent LVL
The Google Licensing Manager is what you should use which can be found at http://developer.android.com/google/play/licensing/index.html.
This uses some code that you can put at the start of your application that uses the licensing API to check that your app is licensed. This is done by checking that the account that the user is using on their device has paid for the app via Google Wallet and that a refund has not provided. If it is found to have been paid, then you can let the app run, otherwise you can display an error to the user informing them that it is not licensed. Most apps that do this provide a button that will launch the play store at your app to let them download the legit version.
This doesn't directly stop users copying the APK or publishing it on other markets but it ensures that app cannot be used unless has been purchased by the current user on the Google account they are using.
Although there may be ways to circumvent this check but this is probably the best and most reliable way.
Hope this helps.
You can do something like verify user on your server when app launched, but you cannot force user not to share .apk by technical means. Apk can be easily copied from non-rooted device, and there's absolutely impossible to prohibit user to copy .apk from rooted device even if Google adds some copy protection in future.
I have a paid app in the Play Store (Profile Widget, in case anyone is wondering ;)) and I want to allow some users (friends, or people who do not have a credit card) to download it for free.
Of course I could just send them the APK, but they wouldn't get the updates automatically, and with every update to the app I would have to send them all the APK file again. And also, by using this method, anyone that had access to the APK file would be able to install the app for free.
I saw that by using the Android Licensing Library you could make some users bypass the License Check, but I want the app to show as "Purchased" for them in the Play Store, and I don't think this would do it.
I searched Stack Overflow but none of the solutions I found (like creating a separate APK and checking for its existence from the "real" app) handled the auto-update part.
Has anyone found a good solution for this?
Thanks in advance!
You can now generate and distribute promo codes to current and new users on Google Play to drive engagement. Under the Promotions tab in the Developer Console, you can set up promo codes for your apps, games, and in-app products to distribute in your own marketing campaigns (up to 500 codes per app, per quarter). Consider using promo codes to reward loyal users and attract new customers.
Reference:
1) http://android-developers.blogspot.in/2016/01/create-promo-codes-for-your-apps-and-in.html
2) https://support.google.com/googleplay/android-developer/answer/6321495
The best solution is to have them buy the app, then refund their purchase. It would still show up as paid. Alternatively, you could give them the app, and license it via the LVL, and configure their email addresses as test accounts listing as purchased., but then they won't get updates.
I have the same problem, I've checked and from what I can see there is no analog to the Apple system (Give out a one-use code to download the app).
If you just give them the APK you don't get Crash/ANRs from them and they won't automatically get updates.
It is something that Google really do need to fix, sorry there isn't a better option.
(I have the same problem for my own device (you can't buy your own app), I had a crash that was rare in the app on my own phone, but I couldn't reproduce it at a computer and the logs had well cycled past the error by the time I did, Being able to get the crash report through the developer console would have saved me a lot of mucking around)
this is an updated and no credit card method.
You can create a free version of the same app in the play store,
but publish it in alpha release.
Then, you can create a google+ provate group of alpha testers and set it as the tester group for the alpha version.
Now add the 'free licensed' users to the alpha testing group and they have your free app.
To push updates, you will have to upload updates also to the 'free alpha', that's not gold, but I think is pretty close to the best you can get at the moment
This method has an issue. As long as licensing is per-App, you will have a different license key, and it may always return TRUE, so if the users share the apks, they may be able to let other people use the app, not totally sure about this occurrence, but you are warned, better if you are sharing the free app to trusted users.
You can set up a sale at price zero for the paid app and let your contacts know about it. Google allows up to 8 days of the sale at a time, but you can also set it up for a single day. This way, you may still get a few downloads from unintended recipients, but the 'problem' will be far more controlled than if you were to mail out APKs. Other problems like updates are also solved automatically.
You can upload in third party app stores like Amazon App Store, Aptoide , www.proapk.in to allow users to download paid Android apps for free.
For downloading the app as a developer: Google Playstore's official word on this, is that you must create a 2nd google account to download the app you are listed as developer for. That way the stats for downloads and terms are not breached. Spoke about same issue today (though its a while after the question was posted, others should see this with similar issues)
For giving it away free: Can't you just change the app to free at a given time then notify those people to hit it during a certain window?