So, I've setup the Android LVL with my application to check for licensing. This seems to work great with the Test Accounts. The problem is, if I turn the phones internet connection off and try to run the app, the licensing check will fail and tell me it's NOT licensed!
One thing is, why does it tell me the application is NOT licensed and more importantly, how can I have the application 'remember' if it is licensed or not.
Apparently the answer to this is that the license is not cached when testing, but is when on the market. I created a small app to test this and it works!
Sorry but, I too confirm that airplane mode results in a failure to rely on any cache. Theoretically, if the app was online and pinged the license server right before going offline, then it might work. However, if the phone is offline for any significant amount of time, there is no caching mechanism. Just look at the code. I filed a bug against android :
http://code.google.com/p/android/issues/detail?id=12978
Because my users of Shout n' Snap shoutnsnap.com are ALREADY confirming this stupid behavior.
I've made a workaround using a 2 part challenge on the client side. EG:
IF LICENSED:
PERSIST random key as LK
PERSIST obfuscated random key as OLK
ELSE:
if (deobfuscate(OLK) == LK)
GRANT ACCESS
ELSE:
GET LOST
Code is here: http://code.google.com/p/androidbest/
Related
We run a web application with a Java Script- and an Android front end. We use Google IDs with OAuth for authentication. Everything worked find until today authenticaiton suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via Android App, authentication fails too, GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say, one should try to change the application name in the consent screen. This didn't help in my case.
In developer console I noticed, that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible, that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out, that our Android App was removed from the Play Store and we got following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy.Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously as the hole app is about security and our customer's trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confident data of any kind. We published a couple of related apps and not all have the feature even included but all were suspended. However, we guess that this feature is the reason for removing.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed, that our App collects names of running tasks and sends them to our servers, which is not the case. However, we used the crittercism library and the crittercism docs suggest to require the "GET_TASKS" permission, what we did. I don't think, that Crittercism is considered as dangerous as it's used by lots of applications. But maybe the combination of a Logging Service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements as it wasn't very useful for us anyways.
Is there any way, to check on server if this is my application sending data or it's someone's who decompiled my app? Note that both my and fake apps may be downloaded by user from Google Play. I have only one idea - in Google Play you cant post two applications with the same package names, so maybe I can send package name to server or something like this.
It can't be done without some help from OS - because an app would not know whether it was modified (the modification check itself can be hacked).
The ways I'd go would be the following:
Excercise the options Google Play Store gives you - license check and app encryption
Add some auth data to the application itself and verify it on the server (some encryption key). The data should change with each version
Accept only 2-5 last versions (for people who haven't yet updated)
This way, any pirated version will be valid for only a week or so... And for someone wanting to use the app constantly it will be easier to buy it, than re-download it every 1-2 weeks.
It won't protect you completely, but will make thievery time-consuming and hardly worth it given the option to buy the app. Enough to convince the users who would have bought the app to buy it. Those who pirate things out of principle can not be converted in any case...
there are some points which can make your code and application more safer.
use proguard(see on android devlopment site) it offuscates(other words makes it messy at compile time) your code.
secondly you could use encryption and decryption send some secret key encrypted
Hello and thanks in advance for your response.
I have my licensed app uploaded to the Play Store. I can test and get expected results with all of the static test license responses (Licensed, Not Licensed, etc). So far so good.
But if my test device has no internet connection, the license check ALWAYS fails. This is not how I understand the ServerManaged policy to work. If an install is found to have been licensed sometime in the recent past, the policy is supposed to cache information in a shared prefs file and use it if there is no internet connection.
So I temporarily commented-out the obfuscation of the data in the prefs file that the license system creates. When I look at the data, I see that the retry count and other stuff is set to zero. This is not what I expect. With data like this, it is behaving for me as if I were using a Strict policy (and I am not).
I am presuming that this is an artifact of using the test response system and that "real" users will get actual data in their obfuscated shared prefs that permits them to operate in the absence of an internet connection.
So I have tried setting the server response to "Respond Normally". When I do this, I ALWAYS get a NOT LICENSED response. And I guess this makes some sense because I have not purchased the app and downloaded it.
So how can I, as the developer, experience exactly what my end-users experience? I want to be able to test how this all works without an internet connection, for example. I cannot seem to figure out how to do this? I guess I could purchase my own app but I am not sure that will even work since the test device is logged into the test account. And it makes no sense for a developer to have to purchase their own app.
Thanks for any suggestions.
I think I found a possible solution to your problem.
What I have done:
first, I created a google group for alpha/beta testers of my app (after uploading the app, of course). Then, I ivited myself in this google group and accept the invitation. After this, I inserted my gmail developer account in the list of the users for the license test and set the server response to "RESPOND_NORMALLY".
In this way, the response of the server will be always "LICENSED" for my account, and the validity time will not expire in 2 minutes. It's as I had bought the app!
The only limitation to this trick is that you have to upload your app in a beta or alpha slot of your google developer console but, after this, you can also get a "LICENSED" answer using a debug app uploaded on your device using the usual Eclipse IDE! You don't have to wait for the generation of the link to download the test app (that is very slow to generate... Up to 24 hours!).
I too have experienced this frustration. I too want to have the same experience as my customers. As soon as I set 'Respond Normally' I always see the 'NOT LICENSED' response -- which seems VERY SUBOPTIMAL. I BELIEVE what Google needs to added is a setting of **'RESPOND_NORMALLY_AND_LICENSED'**. That would do what's needed.
The heart of the difficulty: if I leave my app as 'LICENSED' that works fine when I have an internet connection, then after 2 minutes with no connection, my app stops working as licensed (since the cache is set on the Google Play Server to 2 minutes). Thus if I want to use my own app day-in and day-out, I need to produce an app with licensing disabled --- something my customers never see. That's a VERY bad idea.
We all learned a long time ago: "You must eat your own 'dog food' as a developer."
I have reported this as a 'Developer Console' Bug, but it is perhaps instead of a 'Bug,' a very strong suggestion--and it would be seemingly be simple to implement.
As a work around, I have now added code in ServerManagedPolicy.processServerResponse() to simply add two months of time the licensed time and call setValidityTimestamp(). I hope this helps someone else. Now I am content ---
I have an app that uses the Android licensing. I'm using the ServerManagedPolicy which according to http://developer.android.com/guide/publishing/licensing.html should cache the server responses.
To test it I did the following:
In the developer console, set the server answer to be "LICENSED" for my account.
Connect the phone to Internet, and run the app. It shows the dialog I created to let the user know it is trying to obtain a valid license. It then shows that it found it and lets me run the app.
I exit the app (back button) and the force close it.
I disconnect from the Internet.
I run the app again. I see the dialog again, but this time it says a valid license was not found and doesn't let me run the app.
Shouldn't the ServerManagedPolicy cache the license it found the first time and let me run the app the second time?
I haven't published this app yet. Could this have something to do?
Thanks!
Don't worry, I had the same issue. When you use a test or dev account, licence is not cached bu the ServerManagedPolicy. But for your real clients, it will be cached by LVL.
Nothing in the docs says it clearly, but that works and actually, is nice feature for devs.
Regards,
stéphane
Btw, You should add a link to your app in your profile as I did... I am curious about it but can't guess what it is.
Any tips on how to implement a trialware model for Android apps? I plan to release my app as a free app that expires after 30 days unless the user buys the license via an in-app purchase.
I can use the Android Market API to tell if they bought the license, so my main question is how to prevent the user from un-installing and re-installing my app every 30 days? Can I save something to their phone in a permanent and reliable way that will remain on the phone even if they uninstall? I know nothing will stop a determined hacker, I just want to stop the average user.
I am also open to different approaches to going trialware on Android.
Thanks in advance,
Barry
Have you read the documentation on Application Licensing? Specifically, have a look at Implementing a Policy
I also have found this resource very helpful in determining the best way to get a unique ID for any one device. Android - Identifying App Installations -- They discuss pros/cons to the different approaches -- Straight from the developer's mouths!
I would avoid leaving unwanted remains of the application on their phone.
Instead, you can take some unique identifier of the device, and send it to your server, if this ID was not registered before, send it activation code, if it was, don't send it.
Store this activation code in some shared preferences etc. and when the application starts, check if the activation code is there and if it is valid.
They don't even have to uninstall, just clean app data. You can save something to an obscure location on the SD card, but that's also fairly easy to circumvent, even easier if they read this forum :) Your best bet is to have the app call home to your server and check if licensed periodically. That of course comes with it's own problems: do you allow it to run if network connection is never available, etc.