Android Offload license validation to a trusted server

I've been reading about LVL and have implemented it in my app before with a splash screen checking the license, but I'm sure you could've guessed it was easily cracked. I'm not trying to secure my app and be 100% foolproof but just want to make it discouraging for crackers to attempt.

Since my app requires an online connection and often fetches data from my server I was wanting to implement license checking on the server side, if license is valid it will return data, if not, nothing will be returned.

I've read this blog post here:

"If your application has an online component, a very powerful technique to prevent piracy is to send a copy of the license server response, contained inside the ResponseData class, along with its signature, to your online server. Your server can then verify that the user is licensed, and if not refuse to serve any online content.

Since the license response is cryptographically signed, your server can check to make sure that the license response hasn’t been tampered with by using the public RSA key stored in the Android Market publisher console.

When performing the server-side validation, you will want to check all of the following:

- That the response signature is valid.
- That the license service returned a LICENSED response.
- That the package name and version code match the correct application.
- That the license response has not expired (check the VT license response extra).

You should also log the userId field to ensure that a cracked application isn’t replaying a license response from another licensed user. (This would be visible by an abnormally high number of license checks coming from a single userId.)"

I just need help to get started on how to perform server-side validation. Yes, I can get the response signature, LICENSE or NOT_LICENSED response, package name, license expiration, but how do I check it on my server?

Any help to get started would be greatly appreciated. Thanks for your time.

user708905 asked Apr 14 '11 23:04


1 Answer

This may help you get started: android-market-license verification php project

ktambascio answered Sep 27 '22 18:09
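
The checks listed in the quoted blog post, as an added server-side example in Go (not code from the question, the answer or the linked PHP project). The pipe-delimited response layout, the SHA1withRSA signature scheme and the value 0 for LICENSED are taken from the LVL client library rather than from this page; `VerifyLicense`, `signSample` and the sample values are hypothetical names and constructed data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// VerifyLicense returns the userId of a correctly signed, unexpired LICENSED response. Assumed (LVL
// client library): SHA1withRSA over "code|nonce|package|versionCode|userId|timestamp:VT=<ms>&...".
func VerifyLicense(pub *rsa.PublicKey, data, sigB64, pkg, version string, now time.Time) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha1.Sum([]byte(data))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return "", fmt.Errorf("signature invalid")
	}
	fields, extras, _ := strings.Cut(data, ":") // extras follow the first ':'
	f := strings.Split(fields, "|")
	if len(f) != 6 || f[0] != "0" { // 0 is LICENSED
		return "", fmt.Errorf("not a well-formed LICENSED response")
	}
	if f[2] != pkg || f[3] != version {
		return "", fmt.Errorf("package or version mismatch: %q %q", f[2], f[3])
	}
	q, _ := url.ParseQuery(extras)
	if vt, err := strconv.ParseInt(q.Get("VT"), 10, 64); err != nil || now.UnixMilli() >= vt {
		return "", fmt.Errorf("VT missing or license expired")
	}
	return f[4], nil // log this userId; a replayed response shows up as one id checking abnormally often
}

func signSample(data string) (*rsa.PublicKey, string) { // throwaway key, constructed stand-in for the publisher key
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	d := sha1.Sum([]byte(data))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, d[:])
	return &key.PublicKey, base64.StdEncoding.EncodeToString(sig)
}

func main() {
	data := "0|12345|com.example.app|7|user-abc|1302822240000:VT=4102444800000"
	pub, sig := signSample(data)
	fmt.Println(VerifyLicense(pub, data, sig, "com.example.app", "7", time.Now()))
}
```

In production the public key is the one from the publisher console, and the server only returns data after `VerifyLicense` succeeds.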