2

I have done some research how to actually implement a X day trial version without an external webserver for date checking. But did still not get to a clear solution.

Requirements in short:

  • Secure storage of small data amount (e.g. Install data)
  • Secure in the sense that it is only readable/writeable by that app. Even better hardend against device wiping, rooting?
  • Persistent over app uninstall
  • On app reinstall data can be regained
  • Working on Android 4.0.3+
  • Using standard APIs, no hacks which could break with time. [1]

I know these are high demands. Is there any way? Thanks.

[1] http://nelenkov.blogspot.de/2012/05/storing-application-secrets-in-androids.html

Matthias
  • 23
  • 2

1 Answers1

2

If you look at the available Storage Options in android, we can narrow down on the approach that can be used.

You can't go for Network Connection as you don't want an external web-server

You can't use SQLite Databases, Internal Storage or Shared Preferences as these are not 'Persistent over app uninstall'.

So the only way to do this is External Storage.

However, to make it 'Secure in the sense that it is only readable/writeable by that app' you'll have to encrypt the data file(s) so that only your app can read it. But you cannot make it immune to device wiping or deletion triggered by user herself.

Nitesh Garg
  • 401
  • 3
  • 6
  • Thank, I have implemented an approach using the Shared Preferences and External Storage so far to keep the value after app uninstall (Value AES encrypted, Key stored in app). But this solution still has drawbacks if both storages are deleted. – Matthias Aug 19 '14 at 11:39
  • @Matthias You do release that 'key stored in app' is anything bug secure? It's an obfuscation at best. Anyone who takes the time to reverse engineer your app will find the key. – Nikolay Elenkov Aug 19 '14 at 14:26
  • @Nikolay Elenkov I think in the end it is really the best to use a server. AES key storage in the APK is pretty insecure, yes. – Matthias Aug 19 '14 at 14:35
  • @Matthias There is *no way* to make it secure without a server. But still, there is really no need to encrypt anything, you can just sign the data and embed the *public* key in your app. Users cannot fake the signature without your private key, but the question remains: what to do when they delete your license blob? – Nikolay Elenkov Aug 19 '14 at 14:39
  • The app needs a network connection any way. So I will go with a date check over a server. On every app start a date check with the server is done. So there is no license blob stored in the app. The thrid option from this suggestion. Thanks for your help anyway. http://stackoverflow.com/questions/995719/creating-an-android-trial-application-that-expires-after-a-fixed-time-period – Matthias Aug 19 '14 at 15:56