
I want to make a demo version of my app which works for only 15 minutes. What is the best way to do that?
For example, I can:

  1. Start a Thread in my app which waits 15 minutes and then blocks access to the app, but if the user re-installs the app, it can work for 15 minutes again.
  2. Another way is to record the status in a database, but again, if the user cleans the data of the app, they could have another 15 minutes...

What is the best reliable solution?

DT7
Soheil
  • 3
    There is nothing you can do locally. User can restart the app, clean the data, edit the preferences file etc. You need a server. http://stackoverflow.com/questions/10865365/how-can-i-make-a-time-limited-trial-application – Simon Oct 14 '13 at 16:13
  • 2
    Recommended: distribute the App with a reduced feature set instead. More fair for the user as well. – TwoThe Oct 14 '13 at 16:14
  • @TwoThe in some kind of apps that makes no sense :( – Soheil Oct 14 '13 at 16:17
  • @Simon if I can save the status somewhere not related to the app data, then everything is done! is it possible ? – Soheil Oct 14 '13 at 16:18
  • 1
    Yes, it's possible, but impossible to stop the user from fiddling with it. If the phone is not rooted, you cannot access anything secure from your app. If the phone is rooted, then you can - and so can the user. If the phone is not rooted, then you can store it in an insecure area - and so can the user. Best you could do is to encrypt it but that won't stop someone who really wants to run your app. – Simon Oct 14 '13 at 16:25
  • 1
    When you are talking locally, your app would get hacked as easy as ABC. You need to remove some feature, or let some section be processed at the server, then at the server authenticate the user. –  Oct 14 '13 at 16:30
  • 1
    You can place a file in an obscure location on the sdcard, outside of the `getExternalFilesDir()` (below `getExternalStorageDirectory()`), the file containing an installation timestamp of some sort. This file will not be deleted when the app is uninstalled, and it's not easily circumvented by a casual user. It's neither clean nor perfect, but it does work reasonably well. – 323go Oct 14 '13 at 16:52

1 Answer

1

As you can see from the comments, it's currently impossible to secure an app without using something the user does not have access to - i.e. a server. But I thought I'd post an approach I use to protect stuff in my apps which is really difficult to get around.

It's difficult only because it's obscure and the first rule of security is that obscurity ain't security. However, it will defeat 95% of freetards and will at least reduce abuse. Also, you should understand that the weakest point in your code is the bit that does the checking. You need to make this really obscure too and examine your code using something like baksmali to check that it really is obscure.

This approach is very hard to crack for encrypted assets but quite easy to crack if you do something like if(myData.isGood()).

The approach.

  • Extend the ImageView class.

  • Add an instance of your extended ImageView to your main layout.

  • Set its source to a resource in your app, e.g. the app icon.

  • Override the onDraw() method of the extended ImageView and in there, get an array of bytes from some arbitrary location in the ImageView bitmap. Effectively, a random set of bytes.

  • Draw a transparent ink to the Canvas so the ImageView is not seen.

  • Encrypt/decrypt your data/string/asset using these bytes as the private key.

Simon
  • It's a good idea, but as you said it's useful for `Encrypt/decrypt your data/string/asset using these bytes as the private key`, not as a workaround for making a time-trial app! Anyhow, you presented a great idea for security, thanks :) – Soheil Oct 14 '13 at 17:03
  • 1
    My point was that you could encrypt the start time in shared preferences then check it every minute. If the user killed the app, the shared preference value would not be overwritten so the app would still count 15 minutes. You could stop the user deleting shared preferences by enclosing it with your app and having a value in there that the app won't run without, again, encrypted. – Simon Oct 14 '13 at 17:45
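
The comments and the answer above agree that only state held on a server the user cannot modify can enforce the limit. The following is an added sketch of that server-side check, not code from any poster on this page: the server records the first activation per device and issues an HMAC-signed token that it verifies itself before serving a feature. The function names, the token layout and the existence of a stable `device_id` (or an authenticated account in its place) are assumptions.

```python
import hashlib
import hmac
import secrets

TRIAL_SECONDS = 15 * 60                # the 15-minute demo from the question
SERVER_KEY = secrets.token_bytes(32)   # stays on the server, never shipped in the app
_first_seen = {}                       # device_id -> first activation (a real server would use a database)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def start_or_resume_trial(device_id: str, now: float):
    """Called on app start. Returns a signed token, or None once the trial is over."""
    # setdefault keeps the original start time, so reinstalling the app or
    # clearing its data does not grant another 15 minutes.
    started = _first_seen.setdefault(device_id, now)
    expires = int(started + TRIAL_SECONDS)
    if now >= expires:
        return None
    payload = f"{device_id}|{expires}"
    return f"{payload}|{_sign(payload)}"


def token_is_valid(token: str, now: float) -> bool:
    """Called by the server before it performs any server-side feature."""
    try:
        device_id, expires, mac = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return False
    expected = _sign(f"{device_id}|{expires}")
    # Constant-time comparison; a token with an edited expiry fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return now < expires_at


if __name__ == "__main__":
    t0 = 1_000_000.0                                   # constructed sample clock value
    tok = start_or_resume_trial("device-A", t0)        # constructed device id
    print("valid after 1 min:", token_is_valid(tok, t0 + 60))
    print("after reinstall at 16 min:", start_or_resume_trial("device-A", t0 + 960))
```

The token only protects features the server itself performs; any check that runs purely inside the app remains patchable, as the answer notes.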