3

I'm trying to use In-app Billing v3, and in the sample I have seen this warning before the save() method:

```java
/*
 * WARNING: on a real application, we recommend you save data in a secure way to
 * prevent tampering. For simplicity in this sample, we simply store the data using a
 * SharedPreferences.
 */
```

Using the preferences normally seems a simpler way to maintain the license status, but according to this message it makes tampering easy.

How should I store the license status? Is there some way to use the Preferences in a more secure way?

Note that I know that there is always a way to break any protection, but making it more difficult is better.

CommonsWare
AndreaF

2 Answers

0

It's recommended to maintain your own server. Store and use sensitive data from there.

A way around would be to use SharedPreferences. Encrypt data before storing it and decrypt it when you use it. You need to use the javax.crypto.* package to achieve this. Here is an example.

Hemanth
  • Is encrypting data and storing it in preferences less secure than encrypting data and storing it in a file, or is it the same thing? – AndreaF Sep 27 '14 at 11:09
  • Well, it's the same thing. All shared preferences are stored as an XML file. It's located here: `/data/data/com.your.package/shared_prefs/com.your.package_preferences.xml`. Though using Shared Preferences proves to be more convenient, as data is stored as a _key-value_ pair. – Hemanth Sep 27 '14 at 11:57
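The encrypt-before-storing approach from this answer, as an added example that is not code from the post or from the billing sample: AES-GCM via javax.crypto, so that an edited value is detected rather than silently accepted. The class name, the preference names and the in-memory key are assumptions for the demo; on a device the key has to be kept out of the preferences file itself (for instance in the Android Keystore), and the returned string is what would go into SharedPreferences.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SealedPrefDemo { // hypothetical name, plain Java so it runs off-device
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Seals a value with AES-GCM. The preference name is bound as AAD, so a
    // sealed value copied under a different name fails authentication.
    static String seal(SecretKey key, String name, String value) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length); // layout: IV || ciphertext+tag
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Returns the plaintext, or null when the stored string fails authentication.
    static String open(SecretKey key, String name, String stored) throws Exception {
        try {
            byte[] in = Base64.getDecoder().decode(stored);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
            c.updateAAD(name.getBytes(StandardCharsets.UTF_8));
            return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
        } catch (AEADBadTagException | IllegalArgumentException e) {
            return null; // edited, truncated or moved value: fall back to querying billing
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // assumption: demo key held in memory only
        String stored = seal(key, "premium", "true"); // constructed sample entry
        byte[] raw = Base64.getDecoder().decode(stored);
        raw[raw.length - 1] ^= 1; // simulate a manual edit of the prefs XML
        System.out.println(open(key, "premium", stored));
        System.out.println(open(key, "premium", Base64.getEncoder().encodeToString(raw)));
        System.out.println(open(key, "gold_balance", stored));
    }
}
```

Only the first call recovers the value; the edited copy and the copy read under another preference name both come back as null, which the app should treat as "no cached license" rather than as an error.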
0

All license-related info is served for you by the Google Market API - usually you don't need to deal with your own server. The information is cached on the device and should be provided for you even if there is no connectivity. But it is good practice to store this information locally too. SharedPreferences is a good way. I think that encrypting/decrypting data stored in SharedPreferences in private mode is overkill, but if you feel better, do it, as arol_123 advises. You can find a useful helper for SharedPreferences here.

  • Hi, what you use to store data completely depends on what application you are working on. For example, if my app has an in-app item which provides 500 gold to the user, then storing the available gold in Shared Preferences is something that I may avoid, as anyone can get access to my app's shared preferences file and may change the values. – Hemanth Sep 27 '14 at 12:15
  • And if, for some reason, I can't maintain my server or don't want users to stay connected to the internet all the time, I would like to encrypt it and store it in shared preferences. – Hemanth Sep 27 '14 at 12:23
  • In this particular case you are right. I was talking about a bought item, such as a license (which AndreaF asked about). And you know, right now I think it is very good practice to encrypt the license state, while a rooted device allows accessing and modifying shared preferences. – VerunArt Sep 28 '14 at 13:17