AESObfuscator for Android Licensing

Question

I'm using AESObfuscator in the ServerManagedPolicy for android licensing. Until now, I've created the deviceId like this:

String deviceId = Secure.getString( getContentResolver(), Secure.ANDROID_ID );

In all the examples on the internet it is done like this, but sometimes it is stated that it isn't very safe, but no other way is described. I have read that ANDROID_ID can be easily changed or can even be null, so I really want to have another way to get a unique id. The licensing failed more than once for someone who has bought my app and I'm quite sure that it has to do with this, otherwise it can only be a problem with google, what I really doubt.

So how can I do this? Just create a random hash and add it to the deviceId (and of course store it somewhere..?)

Answer 1

What do you mean by 'safe'? It's just a matter of obfuscating your preferences to make it harder to edit on a rooted device. The ANDROID_ID can change if you reset your device (delete all data), or if someone edits it on a rooted device. The first case is not really a problem, in the second, you won't be able to decrypt(de-obfuscate) the stored preferences, so you just treat this as an error. If it is really null, you should think of some sort of a fallback value.

The point here is not to have a unique ID, but to use some device-specific data to obfuscate the preferences, so that you cannot just copy them to another device. You could use a hash of the IMEI, the WiFi adapter MAC address or anything else device specific, but you have to handle the case of the particular property not being available (e.g., WiFi-only tablets don't have an IMEI, etc.)

Use an error reporting library such as ACRA or BugSense to track the actual errors and understand the real cause behind licensing failing. Sometimes it's the Google infrastructure's fault, so you should try to handle this as well (cache licensing status, etc.)