My app just has an in-app purchase for a full license. It has no subscriptions, no downloads of items from any server. The license purchase is performed just one time and accounts are not managed, so just the Google account is relevant. The Google account is the user. I am pointing all this out because I have strongly protected the private key and the sku name and deem it enough for my app.

Is strongly protecting the private key and the sku name enough for an app like mine? I think it is enough: no developer payload (no accounts) or nonce (no replay attacks) are needed. Am I right or wrong?

P5music

1 Answer

Might be a good idea to implement Android's own licensing, as it will save you many troubles and will let you have better track of the licenses your customers have acquired; check this out:

http://developer.android.com/google/play/licensing/index.html

It also explains best practices, and takes on the subject of obfuscation to patch up your data security.

Aboca
  • I read every possible SO post about this topic so I think I do not need the above mentioned further security measures. Please note that I purposely declared my app does not manage accounts, does not download items from server, has no subscriptions, has instead a unique license=purchase item. – P5music Sep 01 '14 at 09:10
  • @P5music I don't really think any further added security is really needed, still wanted to point out a good reference site with good guidance and material to implement licenses for Android apps. As far as I see it, as long as you have protected your keys there isn't anything more I would classify as a critical security measure. – Aboca Sep 01 '14 at 09:59