I have been wondering if there is a way to store a symmetric-key your app uses to call your own webservices inside Google Play. Maybe via the new Google Tag Manager now part of the Google Play Services or via some way of customizing Google Play Licensing to pass some arbitrary string you define. I have never used either of them, so I am asking.

Considering that Google Play is capable of having trusted communication with your genuine app, I have been thinking you could make use of that GooglePlay-to-YourGenuineApp trusted channel for sourcing your genuine app with a symmetric-key to call with your webservices.

I would like to make clear that my aim is not to verify which user is calling my webservices, but only that my webservices are called from my genuine app and not from a cracked one.

You could then periodically change the symmetric-key, both on your server and on Google Play, to make sure that even if an attacker managed somehow to find the key once, he would have to find the new one each time it's changed.

Daniele B
  • Note that with a rooted phone even that key can be repeatedly read out once you have found out where it is stored. Maybe you could instead give each user an account with which the app logs in and that is bound to the Google Play account? In the best case scenario a legitimate user does not notice anything about the account management, but an illegitimate user has to reuse an existing account and you can possibly detect him/her. – Perseids Apr 15 '14 at 06:35
  • @Perseids, what do you mean with "give each user an account with which the app logs in"? Are you talking about keeping on the server a map with the connected users? And how would you detect that a Google Play account number is not legitimate? – Daniele B Apr 15 '14 at 16:34
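The question describes two server-side pieces without showing them: the app proving possession of a shared symmetric key on every webservice call, and the key being rotated so an extracted key stops working. The following Python is an added example, not code from the question or from Google Play; it assumes the app has somehow received the key (the channel the question asks about is left out), that requests are signed with HMAC-SHA256 over the method, path, timestamp, key id and body hash, and that the server keeps the current and the previous key under constructed ids `k1`/`k2` so already-shipped clients keep working for a grace period after rotation. As the comment above notes, a passing signature only shows the caller holds the key, not that the app is genuine; the reason strings returned by `verify_request` are what a server would log to spot clients still using an expired key or replaying old requests.

```python
import hashlib
import hmac

# Constructed sample keys for this example (not real secrets): key id -> secret bytes.
KEYS = {
    "k1": b"previous-secret-for-example-only",
    "k2": b"current-secret-for-example-only",
}
CURRENT_KEY_ID = "k2"
PREVIOUS_KEY_ID = "k1"
ROTATED_AT = 1_700_000_000   # constructed Unix time at which k2 replaced k1
GRACE_SECONDS = 3600         # previous key still accepted this long after rotation
MAX_SKEW = 300               # seconds a request timestamp may differ from server time


def canonical(method, path, body, timestamp, key_id):
    """Bytes the HMAC covers: everything an attacker could otherwise change in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{key_id}\n{body_hash}".encode()


def sign_request(method, path, body, key_id, now):
    """App side: produce the headers that accompany a webservice call."""
    ts = str(now)
    mac = hmac.new(KEYS[key_id], canonical(method, path, body, ts, key_id), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": ts, "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, now):
    """Server side: returns (accepted, reason). The reason is meant for logging."""
    key_id = headers.get("X-Key-Id")
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if key_id is None or ts is None or not ts.isdigit():
        return False, "missing headers"

    # Key rotation: the current key is always valid; the previous key only
    # during the grace window, so a leaked old key goes dead on its own.
    if key_id == CURRENT_KEY_ID:
        pass
    elif key_id == PREVIOUS_KEY_ID and now < ROTATED_AT + GRACE_SECONDS:
        pass
    else:
        return False, "unknown or expired key id"

    # Timestamp window limits how long a captured signed request stays replayable.
    if abs(now - int(ts)) > MAX_SKEW:
        return False, "timestamp outside window"

    expected = hmac.new(KEYS[key_id], canonical(method, path, body, ts, key_id),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak bytes via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = ROTATED_AT + 10
    body = b'{"score": 42}'
    hdrs = sign_request("POST", "/api/v1/score", body, CURRENT_KEY_ID, now)
    print(verify_request("POST", "/api/v1/score", body, hdrs, now))
    print(verify_request("POST", "/api/v1/score", b'{"score": 9999}', hdrs, now))
```

Rotating the key then amounts to moving `CURRENT_KEY_ID` to a fresh entry, demoting the old current key to `PREVIOUS_KEY_ID` with a new `ROTATED_AT`, and shipping the new key to clients through whatever channel is chosen; requests signed with anything older are rejected with the "unknown or expired key id" reason.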

0 Answers