-1

I want to prevent someone from simply rooting the device and copying the app to redistribute. How do I make a downloaded device "account locked"?

My idea is to implement an encryption algorithm (one-way) that hashes the user's phone number and the execution of the code will perform a hash check every time (so it would fail if you use someone else's app on your phone).

However, since the app is downloaded the same way, if I implement the phone number hashing at first launch, the attacker could simply never launch the app and rip off the base version of the downloaded package.

So my question is that is there a way in the Google Play Store to provide the app with one of its variables changed? Or a clever way to ensure an installed application would not work anywhere else to prevent a direct copy package rip off? Maybe force a first launch so it configures itself immediately after download?

Ying Li
  • 2,500
  • 2
  • 13
  • 37

1 Answers1

1

There's a short computer science answer, and a longer more helpful answer. The short answer is "If your app relies on a server to run, then it is easy. If your app runs entirely on the device it is theoretically impossible."

If your app relies on a server it's a simple process:

  1. Use Google Play License Verification Library (LVL) to get a response cryptographically signed by Google to say this account bought this app. Do this in client side code on the app.
  2. Send that response to your server, and check the signature. If it doesn't match, don't send the needed information to your app.

Because the user can't interfere with Google servers or your servers, and your app requires the server response to function, this is unbreakable.

However, if you check the response on the client side, or your app can work without the server response this can't be done (theoretically). An attacker can always remove the call to Google Play, the verification code, or fake your server response. In this case you are in arms race with attackers. Most attackers are pretty lazy. If you use Google Play License Verification Library (LVL) to check your app was bought from Play, use ProGuard or another optimizer, and do a little bit of obfuscation to hide your code, some attackers can attack, but most won't bother, unless your app/game is super popular. Another useful technology is the SafetyNet attestation API which tells you if your app has been tampered with. But again, if you don't check the results server side it can be beaten, so client side is just an obfuscation arms race.

Beware, relying on something like phone number is a really bad idea:

  • what about Tablets which don't have a SIM card?
  • what about users with Dual SIMs?
  • what about users who change phone numbers or networks?
  • what about users who own more than one phone, who only need to buy your app once?
Nick Fortescue
  • 13,530
  • 1
  • 31
  • 37
  • I was thinking app-side protect cause servers add overhead cost. I don't mind an arms race cause I plan on adding my own encryption so any hacker would have to decrypt it manually and that should give me enough first-to-market lead. There will be a section in the agreement that tells the user each payment is per phone number. Maybe I could make it Gmail account tied. If servers are involved, I would basically hide the real code on server and do purchase verification server side. The Google play purchased app is essentially just a downloader that would get the app once you pass authentication. – Ying Li Sep 21 '18 at 17:31