5

I'm working on an application that requires a server to do most of the heavy lifting. I want to prevent pirated clients from sending requests to that server. Is there a way to send some identifier with the requests so that my server can ask the Android Market if someone with that id actually bought the app? How would I go about doing that?

Note that just protecting the app with LVL won't work, because people could fairly easily write an application to interface with the server and still provide the same functionality as the paid app.

Mike T
  • 4,747
  • 4
  • 32
  • 52
Overv
  • 8,433
  • 2
  • 40
  • 70

2 Answers2

6

First: There is no 100% security for anything you run on a device that is not under your control (like Android devices in your case).

You could make "abuse" harder by several measures:

  • issue a random session key (cryptographically secure) after a successfull login with a time-limit so a new login needs to happen after a certain time has passed by
  • issue a random interaction key (cryptographically secure) for every communication step which gets invalidated right after one usage
  • when a successfull login happens terminate any other session associated with the same credentials that might be active before that login
  • "throttle" usage, i.e. limit how many calls per minute/hour or similar are allowed (might be impossible depending on the specific application)

IF you really really want to make it very hard you can issue a device-specific client-certificate (when the client buys your app) and use cert-based client authentication (defined in SSL standard) - you can invalidate the cert associated with the device if you see abuse without harm for the legitimate users of other devices...

Yahia
  • 69,653
  • 9
  • 115
  • 144
  • I know all that, but how do I issue a key to someone who bought the app in the market? There's no such callback available. – Overv Apr 05 '12 at 19:57
  • @Overv you don't need a callback for that... just make the app download it when it is launched the very first time (you can generate a cert on-the-fly)... as for the market interaction implement [Licensing](http://developer.android.com/guide/market/licensing/licensing-reference.html) – Yahia Apr 05 '12 at 20:19
1

Taken from my solution from this post Android Game Keeps Getting Hacked

Implement your own licensing library

I'd also refer you to check out this from Google I/O 2011 YouTube recording:

Evading Pirates and Stopping Vampires

EDIT:

The Presentation Notes from Evading Pirates and Stopping Vampires

Some basic keypoints

The presentation notes contain basic examples and direction for modification. In the youtube video though, there is discussion of server side authentication and how it relates to piracy and asset downloads etc. Specifically using a License Server, In App Billing and App Engine. But a good basis to learn from no matter how you choose to approach a solution.

Community
  • 1
  • 1
TryTryAgain
  • 7,632
  • 11
  • 46
  • 82