3

I am planning to use in-app billing to enable some features after user paid. I would like to do the following steps:

  1. Follow google example to add in-app purchase on it.
  2. After user paid, add a boolean flag in private SharedPreferences.
  3. Do not recheck if user paid or not in future.

I would like to know more about the security of in-app billing. My question is:

  1. That is a easy crack (just download a program and executed, done) for android licensing library, is that similar problem for in-app billing?
  2. Is private sharedPrefences secure enough? hashing the boolean variable seems to be useless?
  3. Is it easy to hack the apk file, for example, just decomplied the apk, find the boolean logic to 1>0, i.e. alway true, and then recompile the apk?

I found there was AndroidBillingLibrary for easy implementation, but it is outdated. Is that any good alternative?

manhon
  • 683
  • 7
  • 27

1 Answers1

2

Do not use widely available sample code as is (it is usually buggy as well), re-write, enhance and customize for your app.

As usual, on rooted devices the user can edit any file. Thus they can enable your premium features by changing (or copying from another device) the app's preferences. You can make this harder by obfuscating the preference using a device-specific key (derived from ANDROID_ID, IMEI, MAC address, or a combination thereof).

Decompiling is always possible, you can obfuscate your license checking logic to make it a bit harder for wannabe crackers. A dedicated person will find a way around it after a while, you can only slow them down.

Nikolay Elenkov
  • 52,576
  • 10
  • 84
  • 84