5

So, I've setup the Android LVL with my application to check for licensing. This seems to work great with the Test Accounts. The problem is, if I turn the phones internet connection off and try to run the app, the licensing check will fail and tell me it's NOT licensed!

One thing is, why does it tell me the application is NOT licensed and more importantly, how can I have the application 'remember' if it is licensed or not.

JasonMArcher
  • 14,195
  • 22
  • 56
  • 52
ingh.am
  • 25,981
  • 43
  • 130
  • 177

2 Answers2

5

Apparently the answer to this is that the license is not cached when testing, but is when on the market. I created a small app to test this and it works!

ingh.am
  • 25,981
  • 43
  • 130
  • 177
  • 1
    Since this I have found that it doesn't cache at all as I've had times when the user is offline and the app wont validate. Any suggestions? – ingh.am Mar 18 '11 at 09:19
  • 5
    Looks like it's the case : test responses are not cached but real responses are cached .. http://groups.google.com/group/android-developers/browse_thread/thread/a7861900d99de4f8# – Snicolas Jun 09 '11 at 13:46
4

Sorry but, I too confirm that airplane mode results in a failure to rely on any cache. Theoretically, if the app was online and pinged the license server right before going offline, then it might work. However, if the phone is offline for any significant amount of time, there is no caching mechanism. Just look at the code. I filed a bug against android : http://code.google.com/p/android/issues/detail?id=12978

Because my users of Shout n' Snap shoutnsnap.com are ALREADY confirming this stupid behavior.

I've made a workaround using a 2 part challenge on the client side. EG:


IF LICENSED:
  PERSIST random key as LK
  PERSIST obfuscated random key as OLK
ELSE:
  if (deobfuscate(OLK) == LK) 
    GRANT ACCESS
  ELSE:
    GET LOST

Code is here: http://code.google.com/p/androidbest/

hunterp
  • 15,716
  • 18
  • 63
  • 115
  • Do you think it's a bad plan to store in a database somewhere the result of the licence check and then use that if it's available? – ingh.am Dec 08 '10 at 10:21
  • Actually, I stored a randomly genereated uid,AND and obfuscated version of it. If deobfuscate(uid) == uid then its good to go. The only way to have the deobfuscation is to actually have the code. For further protection, it would be good to obfuscated your apk as well. – hunterp Dec 08 '10 at 13:20
  • This technique sounds good as it patches a hole in LVL but it's exactly the same as storing a boolean as the result of licence check, or two booleans let's say, and encrypted. By this I mean, if someone can put his hand on the two strings LK and 0LK, and had them automatically in the database (or obfuscated preferences), it will get the licence check passed. – Snicolas Jun 09 '11 at 12:44
  • 1
    Adding this only when people are offline is not that bad, and giving priority to true licence check when it is available sounds a good complement. – Snicolas Jun 09 '11 at 12:56