I read about LVL and have already implemented it in my application using a pop-up screen that checks the license, but I'm sure you could guess that it was easily hacked. I am not trying to make my application 100% foolproof; I just want to discourage cracking attempts.
Since my application requires an online connection and often retrieves data from my server, I would like to check the license on the server side, if the license is valid, it will return the data, and if not, nothing will be returned.
I read this blog post here:
“If your application has an online component, a very powerful anti-piracy technique is to send a copy of the license server response contained in the ResponseData class along with the signature to your online server. Then your server can verify that the user has a license and does not refuse to service which one or online content.
Since the license response is cryptographically signed, your server can check whether the license response has been changed using the RSA public key stored in the console of the Android Market publisher.
When performing a server-side check, you will need to check all of the following:
- That the signature of the response is valid.
- That the license service returned a LICENSED response.
- That the package name and version code correspond to the correct application.
- That the license has not expired (check the VT in the license response).

You must also enter the userId field to ensure that a hacked application does not reproduce the license response from another licensed user. (This will be seen due to an abnormally large number of license checks coming from one user.)”
I just need help to get started with server-side validation. Yes, I can get the response signature, LICENSE or NOT_LICENSED, package name, license expiration date, but how can I register on my server?
Any help to get started would be greatly appreciated. Thank you for your time.
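A starting point for the server-side checklist in the quoted blog post, as an added example in Go that is not part of the original post or of LVL itself. It assumes the app forwards the signed response string and its Base64 signature unchanged, and that the string has the layout LVL's ResponseData parser reads; `VerifyLicense`, `demoSign`, the package name and the sample values are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// VerifyLicense runs the checklist on a forwarded LVL response; returns the userId to log.
func VerifyLicense(pub *rsa.PublicKey, data, sigB64, pkg string, ver int, nowMs int64) (string, error) {
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // undecodable input fails verification below
	sum := sha1.Sum([]byte(data))                     // LVL signatures are SHA1withRSA
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, sum[:], sig) != nil {
		return "", fmt.Errorf("bad signature")
	}
	body, extras, _ := strings.Cut(data, ":")
	f := strings.Split(body, "|") // responseCode|nonce|packageName|versionCode|userId|timestamp
	q, _ := url.ParseQuery(extras)
	vt, _ := strconv.ParseInt(q.Get("VT"), 10, 64) // validity limit, ms since epoch; 0 if absent
	switch {
	case len(f) < 6:
		return "", fmt.Errorf("malformed response")
	case f[0] != "0": // 0 = LICENSED
		return "", fmt.Errorf("not licensed")
	case f[2] != pkg || f[3] != strconv.Itoa(ver):
		return "", fmt.Errorf("wrong package or version")
	case nowMs > vt:
		return "", fmt.Errorf("license expired")
	}
	return f[4], nil
}

func demoSign(data string) (*rsa.PublicKey, string) { // throwaway key standing in for the license server
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sum := sha1.Sum([]byte(data))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, sum[:])
	return &key.PublicKey, base64.StdEncoding.EncodeToString(sig)
}

func main() {
	data := "0|123|com.example.app|7|uid-1|1700000000000:VT=1700000600000" // constructed sample
	pub, sig := demoSign(data)
	fmt.Println(VerifyLicense(pub, data, sig, "com.example.app", 7, 1700000000000))
}
```

In production the public key would be the Base64 key from the publisher console, decoded and parsed with `x509.ParsePKIXPublicKey` (assuming the X.509 encoding LVL uses on the client). The returned userId is what the server records per request, so an unusually high count for one userId stands out.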