Android Question Copy Protect APK?

JohnC

For some apps, I am not so worried about people seeing inside the APK - so this question is not about preventing someone from looking inside the APK.

What I am concerned about is that there are a lot of ways to extract the APK of an installed app from a device.

If my app is a "purchase-only" app, meaning there is NO in-app purchasing or trial version - the user needs to purchase the app before it can be downloaded and installed from the play store.

How would I protect against someone installing an extracted copy of my app's APK on unauthorized devices?
 

Alex_197

What about registration on your server? Let's say I have your APK, put it on my phone and start it. The first screen will be a registration screen that asks me for a code that I don't know. Even if I get a code and register my APK with your server, my new account must be accepted by your admin.
 

Bladimir Silva Toro

This is just an idea: Perform a registration validation every time you start your application using web services.

What I personally do is take the IMEI and verify whether or not it is registered in my database using a web service.

Implementing it in your application is easy.
 

JohnC

Yeah, but:

1) That's not the best user experience
2) Needs a lot of time to setup a whole server registration system
3) My app would then need internet permission, which currently it does not require
 

Bladimir Silva Toro

The solution you need is to use an activation number.

Create an algorithm that with the IMEI generates a unique number for that mobile and that asks the user for an activation code.

You can save the activation code in an encrypted text file and compare it when necessary.
 

JohnC

The solution you need is to use an activation number.

Create an algorithm that with the IMEI generates a unique number for that mobile and that asks the user for an activation code.

You can save the activation code in an encrypted text file and compare it when necessary.

I understand your suggestion, but 99.9% of apps in the Play Store don't require this extra step, which I think would provide a bad user experience by forcing the user through this inconvenient authorization process.

Not to mention the time to setup a website/authorization system.

Google offers an in-app purchase API, but that seems like it would tick off users who think they are installing a free app, only to find out they need to pay for it.

It's a shame that Google doesn't offer a simple "App Purchased" API check (which would be different from in-app purchase) so my app could simply verify that the user purchased the app. It would solve this issue and make the whole thing so much simpler.
 

hatzisn

What about posting two apps, one with limited functionality free with a buy full version button which would open Google Play to download a full paid app.
 

JohnC

What about posting two apps, one with limited functionality free with a buy full version button which would open Google Play to download a full paid app.

That presents a similar problem - how would I protect the APK of the "full paid version" from being copied?

If Google could even come out with a "Trial" API, then that would even work because then I could allow users to try all the full features for x days, and because the trial period would be tracked by google servers, nobody would be able to run the app past the trial period even if they uninstalled and reinstalled the app.
 

hatzisn

You can always get the AndroidID, but this definitely needs a back end. On the other hand, logic says that if a hacker buys your app to break it, he would do it to benefit himself, because otherwise there is no motive for someone to pay in order to benefit others free of charge. If he did not pay, then he would have a motive to do it.
 

JohnC

You can always get the AndroidID, but this definitely needs a back end. On the other hand, logic says that if a hacker buys your app to break it, he would do it to benefit himself, because otherwise there is no motive for someone to pay in order to benefit others free of charge. If he did not pay, then he would have a motive to do it.
I'm thinking the best strategy is to offer it as a paid-only version, but make its price low enough that users won't even bother looking for, or risk trying to install, an unauthorized copy of it from the net.
 

MarcoRome

You can strengthen the protection of your App by following these 2 Steps:

1. This is a small excerpt from the excellent ProtectMyApp By Informatix Guide (for any purchase, and it's worth it you can contact the author Federic -> @Informatix )

"...It is not installed through its
original store. So we can check whether the installer of our package is correct:..."
Code:
Dim PU As PackageUtils
'For Google Play Store: an app installed by Play reports com.android.vending as its installer.
'An APK extracted from a device and sideloaded reports a different installer package
'(or none at all), so the comparison fails and the app exits.
If PU.GetInstallerPackageName(PU.GetMyPackageName) <> "com.android.vending" Then
    ExitApplication
End If

2. The second step you can use is to defend against the possibility of real-time debugging.
Watch the following tutorial (Tricks Anti Debug Anti Proxy) at the following address:

There are also tools that do all of this, but at a high cost, like DexProtector.
In any case, you will never have 100% certainty. But it will certainly not be a walk in the park for anyone who tries to modify it.
 

JohnC

Hi Marco,

Thanks for the info.

#2 is to protect the APK from viewing/mod, but I'm not very concerned about that.

#1 might be useful if they modify the package name.
 

JohnC

This problem could easily be solved if google offered two APIs:

1) "Is Purchased" to indicate if my particular app was purchased from the store by this particular user.

2) "Is Trial Expired" to indicate if this particular user's trial period expired for my particular app, even if the user uninstalled and reinstalled the app.
 

MarcoRome

Hi Marco,

Thanks for the info.

#2 is to protect the APK from viewing/mod, but I'm not very concerned about that.

#1 might be useful if they modify the package name.
#1 isn't about modifying the package name. It checks that the app has been downloaded from the store and not from other sources (like an extracted APK).
 

Jeffrey Cameron

For:
1) "Is Purchased" to indicate if my particular app was purchased from the store by this particular user.
Look into the https://www.b4x.com/android/forum/threads/licensing-library.11430/ library. I know you didn't necessarily want your app to require Internet access, but that requirement is pretty ubiquitous for every app today, I only get suspicious if it also wants access to contacts/camera/etc. as well.

For:
2) "Is Trial Expired" to indicate if this particular user's trial period expired for my particular app, even if the user uninstalled and reinstalled the app.
the only viable method for this that could not be "hacked" would be for you to maintain an external server or API on an external website to validate user credentials. Anything short of that would be so easy to circumvent as to make it not worth your time to implement.
 
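As an added illustration, not code from this thread, from B4X or from the Licensing library linked above, here is a Python sketch of the scheme the replies converge on: Alex_197's registration against your own server, Bladimir Silva Toro's activation code bound to a device identifier, and Jeffrey Cameron's point that a trial which must survive uninstall/reinstall has to be tracked server-side. The package name, the server secret and the device identifiers are constructed for the example. It assumes the app reads a device identifier such as ANDROID_ID (ordinary apps cannot read the IMEI on Android 10 and later, and ANDROID_ID is scoped to the app's signing key and user profile and changes on a factory reset), hashes it into a fingerprint, and sends the fingerprint plus the code to the server on each launch. The secret that mints codes never ships in the APK, which is what separates this from a code the app verifies locally.

```python
"""Device-bound activation codes validated by a server (illustrative example)."""
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed for this example: in a real deployment the secret exists only on the
# server, so an extracted APK cannot mint or forge codes for another device.
SERVER_SECRET = b"replace-with-32-random-bytes-kept-on-the-server"
PACKAGE = "com.example.paidapp"      # assumed package name
CODE_BYTES = 10                      # 80-bit truncated MAC -> exactly 16 base32 characters


def device_fingerprint(android_id: str, package: str = PACKAGE) -> str:
    """Derive a stable per-device, per-app value from the identifier the app can read.

    The raw identifier is hashed together with the package name so it is never sent
    or stored as-is and so a fingerprint from one app cannot be reused by another.
    """
    return hashlib.sha256(f"{package}:{android_id}".encode()).hexdigest()


def activation_code(fingerprint: str, expires_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Server side: derive the activation code for a device. Format: XXXX-XXXX-XXXX-XXXX.

    The MAC covers package, fingerprint and expiry, so a code is only valid for the
    device it was issued to and for the licence term recorded on the server.
    """
    msg = f"{PACKAGE}|{fingerprint}|{expires_at}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:CODE_BYTES]
    b32 = base64.b32encode(tag).decode()          # 10 bytes -> 16 chars, no '=' padding
    return "-".join(b32[i:i + 4] for i in range(0, len(b32), 4))


class LicenseServer:
    """Minimal in-memory registry of activations; a real server would use a database."""

    def __init__(self, secret: bytes = SERVER_SECRET):
        self._secret = secret
        self._records: Dict[str, int] = {}   # fingerprint -> expiry (unix seconds, 0 = never)

    def register(self, fingerprint: str, trial_days: Optional[int], now: int) -> str:
        """Create (or return the existing) activation for a device.

        A second call for the same fingerprint does not reset the expiry, which is
        what stops an uninstall/reinstall from restarting a trial.
        """
        if fingerprint not in self._records:
            self._records[fingerprint] = 0 if trial_days is None else now + trial_days * 86400
        return activation_code(fingerprint, self._records[fingerprint], self._secret)

    def validate(self, fingerprint: str, code: str, now: int) -> str:
        """Return "ok" or the reason the check failed; the app calls this at startup."""
        if fingerprint not in self._records:
            return "unknown_device"       # an APK copied to a device that never registered
        expires_at = self._records[fingerprint]
        expected = activation_code(fingerprint, expires_at, self._secret)
        if not hmac.compare_digest(expected, code.strip().upper()):
            return "bad_code"             # constant-time compare: no timing leak on the MAC
        if expires_at and now > expires_at:
            return "expired"
        return "ok"


def demo() -> Dict[str, str]:
    """Walk through the scenarios discussed in the thread; values are constructed."""
    server = LicenseServer()
    now = 1_700_000_000                     # fixed clock so the outcome is deterministic
    buyer = device_fingerprint("9774d56d682e549c")      # constructed ANDROID_ID-style value
    code = server.register(buyer, None, now)            # paid licence, no expiry
    out = {"buyer": server.validate(buyer, code, now)}

    # The same APK and code copied to a second phone: different fingerprint, never registered.
    other = device_fingerprint("3b2f0c7f9a1d4e88")
    out["copied_apk"] = server.validate(other, code, now)

    # A guessed or edited code on the buyer's own device.
    out["forged"] = server.validate(buyer, "AAAA-AAAA-AAAA-AAAA", now)

    # The second device takes a 7-day trial, then "reinstalls" on day 10 hoping for a reset.
    trial_code = server.register(other, 7, now)
    out["trial_day3"] = server.validate(other, trial_code, now + 3 * 86400)
    server.register(other, 7, now + 10 * 86400)          # re-registration keeps the old expiry
    out["trial_day10"] = server.validate(other, trial_code, now + 10 * 86400)
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:12s} -> {result}")
```

Running demo() gives the four outcomes that matter here: the buyer's device validates, the same APK and code on another device fails as unknown_device, an edited code fails as bad_code, and a lapsed trial stays expired after the device re-registers. Note that this does need the INTERNET permission JohnC wanted to avoid; a check done purely inside the app has to carry its own key, and an extracted APK carries that key with it.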


Tormentor

Member
What most apps have is one button: Restore purchase. When installed, there is a "Restore purchase" button; it then validates the Gmail address on the phone against the Google purchase of your app and enables it. No need for a server; it just checks against that email in your history. If copied, the new guy needs to do that, and since he hasn't purchased the app he can't validate it.
 