As I understand it at the moment, userId is obfuscated on a per-application basis, so you can uniquely identify users within your application, but you cannot tell which user it is, nor whether the same user has bought another of your applications.
But I'm not sure you really need to identify these clients by userId. If you have a server anyway, the best way to protect your application is to check the license on the server:
- App -> Server: give me a new nonce
- Server -> App: here is a secure random nonce
- App -> Licensing service: check the user's license with this secure random nonce
- Licensing service -> App: signed license response, including the nonce echoed back
- App -> Server: check the license signature with the secret key (held only on the server)
- Server -> App: reject, or issue an arbitrary access token, etc.
In this case you are not trusting the user at all, even if they have tampered with your LVL verification code.
You can, of course, still introduce vulnerabilities after step 6 if you are not careful. However, if you are currently using the standard LVL code with an app-side license check and the secret key stored in your application, switching to the mechanism described above will be a big improvement (there is even a script that strips the standard LVL check out of applications).
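The six-step exchange above, simulated end to end as an added example (this is not code from the answer, the LVL, or Google Play). The licensing service, the app server, and the client flow are all constructed here; the real Play licensing response is RSA-signed and verified with the app's public key, so the HMAC-SHA256 signature below is only a stand-in for that signature, with a constructed key so the example runs offline. What the paragraph alone does not show is which checks the server must do on the echoed nonce: it has to be one the server actually issued, not yet consumed, and not expired, and the signature has to be verified before anything in the response is believed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the licensing service's signing key. Real Play
# licensing responses are RSA-signed; HMAC is used here only to keep the
# simulation self-contained. The server never ships this key to the app.
LICENSING_SERVICE_KEY = b"constructed-licensing-service-key"

NONCE_TTL_SECONDS = 120  # assumed lifetime of an issued nonce


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class LicensingService:
    """Simulated licensing service (steps 3-4): signs a response that echoes the nonce."""

    def __init__(self, licensed_users):
        self._licensed = set(licensed_users)

    def check_license(self, package_name, user_id, nonce):
        status = "LICENSED" if user_id in self._licensed else "NOT_LICENSED"
        response = {"package": package_name, "userId": user_id,
                    "nonce": nonce, "status": status}
        sig = hmac.new(LICENSING_SERVICE_KEY, canonical(response),
                       hashlib.sha256).hexdigest()
        return response, sig


class AppServer:
    """Your own server (steps 1-2 and 5-6): issues nonces, verifies responses, mints tokens."""

    def __init__(self, package_name, now=time.time):
        self.package_name = package_name
        self._now = now            # injectable clock so expiry can be tested
        self._nonces = {}          # nonce -> time issued
        self._tokens = {}          # access token -> userId

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = self._now()
        return nonce

    def verify_license(self, response, sig):
        # Verify the signature before trusting any field of the response.
        expected = hmac.new(LICENSING_SERVICE_KEY, canonical(response),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        # The nonce must be one we issued; pop() makes it single-use, so a
        # captured response cannot be replayed.
        issued = self._nonces.pop(response.get("nonce"), None)
        if issued is None:
            return None, "unknown or already used nonce"
        if self._now() - issued > NONCE_TTL_SECONDS:
            return None, "nonce expired"
        if response.get("package") != self.package_name:
            return None, "response is for a different package"
        if response.get("status") != "LICENSED":
            return None, "not licensed"
        token = secrets.token_urlsafe(32)
        self._tokens[token] = response["userId"]
        return token, "ok"

    def user_for_token(self, token):
        return self._tokens.get(token)


def run_flow(server, service, user_id, app_tamper=None):
    """Drive the whole exchange from the app's point of view.

    app_tamper, if given, models a modified client altering the licensing
    response before forwarding it to the server.
    """
    nonce = server.new_nonce()                                   # steps 1-2
    response, sig = service.check_license(server.package_name,   # steps 3-4
                                          user_id, nonce)
    if app_tamper is not None:
        response = app_tamper(response)
    return server.verify_license(response, sig)                  # steps 5-6


if __name__ == "__main__":
    service = LicensingService(["user-a"])
    server = AppServer("com.example.app")
    print(run_flow(server, service, "user-a"))
    print(run_flow(server, service, "user-b"))
```

Note that a client which patches its own LVL code gains nothing here: it can only change what it forwards, and any change breaks the signature, while a genuine response is bound to a nonce that works exactly once.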