All geek questions in one place

Can an in-app purchase prevent software piracy?

I understand that the developer is releasing paid apps on the Google Android Market. Very soon, a paid application will be distributed for free through another Android Market. This is especially true of piracy when it comes to the Chinese market. For example, Where is my water (Chinese)

I was wondering if buying an In-App could prevent such a piracy problem?

The purchase of additional goods through the purchase through the application

  • A user buys additional items through an In-App purchase.
  • The secret key was written for users. The secret key is generated based on the Google user account used during the purchase of the In-App. The reason we do not use the equipment identifier is because we want the same user to be able to use In-App purchase items, even if they use a different device.

Private key check

  • This way, validation will always be performed when the user tends to use additional elements. Even when the user distributes the secret key to others, it will not work. Because the secret key is valid only for this particular user.

I was wondering if this practice is a common practice to deal with the problem of piracy of Android apps? Since I do not see much discussion regarding this technique. Not sure if I lost my pit pad?

+4
source share
2 answers

Something like that:)

It mainly depends on the type of purchase in the application: if the content (images, videos, etc.) is downloaded from your servers, you can do checks on the server, and if someone does not hack your server, it will be almost impossible to deceive.

To add / enable functions that are already in the application, you need to save somewhere the list of items that they bought, so the application knows which functions to enable. If you just save it in the file / shared / preferences / DB, someone can just edit them (on the root device, of course) and add whatever they want. Therefore, you need to obfuscate the element’s cache to make it harder to change. One way to do this is to encrypt it on disk and decrypt it in the application. If you use the same key for all devices, it would be trivial to simply copy the file / database to another device to enable functions without payment. This is why you need to extract the key from something specific for a particular device (MAC address, ANDROID_ID, etc.). If you can use your Google account to get the key, but you need to check with the AccountManager that the user really has an account registered on their device (this requires additional permission).

Regarding the use of the equipment identifier, the items / subscriptions are tied to the Google user account, so you can use RESTORE_TRANSACTIONS on any device to receive purchased items. Using a hardware identifier to obfuscate an element cache is not a problem, since it is used only to store things on disk, and not to obtain the purchase status and, thus, does not prevent the user from using the application on multiple devices.

+4
source

In general, in-app purchases are more protected from piracy. The fact that the purchase takes place inside the game makes it difficult for a pirate to replace parts of the software with other hacked parts. In addition, the in-app purchase is less flexible and allows the use of redundant protection methods.

The method you described may be fine, depending on how well you hide the private key. It’s true that the key cannot be used with others, but it will be used on the same account again and again. Our recommendation would be:

  • Authentication with your own server through TLS / SSL
  • Get a secret key that will be valid for only one transaction
  • Use the secret key for the transaction and forget it imediatly

It will be much harder to crack.

Good luck and let me know if you need more help.

+2
source

Source: https://habr.com/ru/post/1436345/

More articles:


All Articles