Android Tutorial Protect your Android application with the Licensing library

The licensing library allows you to use Android market licensing service to verify that the user is allowed to access your application.

Your applications sends a request to the local market application. The market application contacts the market server and returns the result. The result is cached based on the market rules.

It is recommended to go over Google's documentation related to the licensing method: Application Licensing | Android Developers

Configuring the licensing library is simple. You should first have a publisher account in the market.
The license key is available in Google Play developer console under Development tools - Services & APIs.

The licensing library and service will not prevent a dedicated hacker from hacking your application. It will however make it more difficult.

The first step is to initialize a LicenseChecker object:

Sub Activity_Create(FirstTime As Boolean)
   Dim lc As LicenseChecker
   Dim p As PhoneId
   lc.Initialize("lc", p.GetDeviceId, publicKey, "kljdflkf".GetBytes("UTF8"))
   lc.SetVariableAndValue("test_1", "some secret value")
   lc.CheckAccess
End Sub

The result of the licensing check is cached locally. The cache is encrypted with AES algorithm. In order to avoid users from tampering with the cache and copying the cache to different devices, the device id is used together with the package name as the password.

Note that the same user will be able to download your application to other devices running with the same user account.

PhoneId (from the Phone library) requires the READ_STATE permission. The protection will still work if you pass an arbitrary string. It will be weaker however.
The Salt parameter should be an array of bytes with some random values (the values should be the same on each run).

Edit: It is recommended to use the alternative id method as described here: http://www.b4x.com/forum/basic4andr...oid-device-unique-id-alternative-phoneid.html

The next step is to call lc.CheckAccess. This in turn calls the market application or the local cache and checks whether the user is allowed to access the program.
One of the following events will be raised when the result arrives: Allow, DontAllow or Error (ErrorCode As String).
It is up to you to handle the event subs as required.

LicenseChecker.SetVariableAndValue
A simple way to hack an application is to "jump over" the checking code. For example a hacker might remove the call to CheckAccess and instead call your Allow event sub.
In order to make it a bit more complicated you can call LicenseChecker.SetVariableAndValue.
For example:

lc.SetVariableAndValue("test_1", "some secret value")

The above code will set the value of a process global string value in the main activity named test1 to "some secret value" if the check was successful. You should not use or test the value of test1 in the Allow event sub as it will be too obvious. Instead you should use it later in your program.
You can be creative and pass the name of the variable or the value by using BytesToString or some other way.
As this variable is accessed in a dynamic way it will fail when the code is obfuscated. Therefore you need to include an underscore in the variable name to prevent it from being obfuscated. For example: test_1.
Note that SetVariableAndValue method will fail when running in rapid debug mode as the variable is part of the "debugger engine".

A more complete example:

Sub Process_Globals
   Dim publicKey As String
   publicKey = "MIIBIjANBgkqhAADSFEFEFkiG9w0BfW/cGhTbtIs6QIDAQAB..."
   Dim test_1 As String
End Sub
Sub Globals

End Sub
Sub Activity_Create(FirstTime As Boolean)
   Dim lc As LicenseChecker
   Dim p As PhoneId
   lc.Initialize("lc", p.GetDeviceId, publicKey, "kljdflkf".GetBytes("UTF8"))
   lc.SetVariableAndValue("test1", "some secret value")
   lc.CheckAccess
End Sub
Sub lc_Allow
   Log("Allow")
End Sub
Sub lc_DontAllow
   Log("DontAllow")
   ToastMessageShow("Closing application.", True)
   Activity.Finish
End Sub
Sub lc_Error (ErrorCode As String)
   Log("error: " & ErrorCode)
   ToastMessageShow("Closing application.", True)
   Activity.Finish
End Sub
Sub Activity_Pause(UserClosed As Boolean)
 
End Sub
Sub Activity_Resume

End Sub

The library is available here: http://www.b4x.com/forum/additional-libraries-official-updates/11430-licensing-library.html

 

[slowtime]

Sorry.

My problem was in the device cache.

When I clear cache all run right.

Sorry again.

Ciao

 

[cmweb]

Hello,

how can I test my application in Emulator (Android Virtual Device Manager), when my App alread has the license check included?

The emulator seems to don't allow to create a Google account on the emulator, so the app always receives "don't allow" and closes the app.

I would like to test my app in emulator without always have to disable the license check code...

Any hints?

Best regards,

Carsten

 

[Erel]

Something like:

Dim p As Phone
If p.Model = "sdk" Then
   'emulator -> jump to Allow
        lc_Allow
Else
   'check license
End If

 

[cmweb]

Thanks, Erel!

That works fine...

Best regards,

Carsten

 

[timo]

I don't know if I tested it right, but I noticed that setting it in 'FirstTime' and closing with activity.finish, at the second start you access the app without problems because it remained resident (no force-close) and went over the lc.check. (I didn't add a SetVariableandValue).Is that a right behaviour?

 

[Erel]

You have several options. You can call ExitApplication instead of Activity.Finish or you can load the layout and actually start the program from lc_Allow.

 

[eps]

Fantastico! :icon_clap:

Just looking to integrate this into my first Paid For App....

 

[bluedude]

Hi Erel,

I never published an Android app. (we only use internal apps.) and I was wondering if I can test the Licensing Library without uploading an apk to the market.

Does the test console only work if an app. is uploaded to the market?

Cheers,

 

[Erel]

You only need a developer account. You do not need to upload the APK to the market.

 

[bluedude]

Non Market managed

Erel,

I'm sure I configured everything ok and also use an account on the Android market on my phone that is equal to my market publisher account.

I have NOT uploaded an APK because i want to test it without publishing an app.

However, it does not work. I have put Licensed in the Test console but the app. gives me back Non Market Managed.

Any suggestions.

 

[Erel]

Not sure. I did test it with an application not loaded to the market.

Make sure that you are logged in. Open the Market application.
Also try to sign the application with a non-debug key (though it is probably not related).

 

[bluedude]

Done all that

Erel,

I am logged in as indicated. I use the Android Market a lot and with the correct user account.

So when I start the License Manager demo I have been using the Android Market with the correct account.

I never use a debug key, signed it with a real key.

Any other suggestions?

Cheers,

 

[Erel]

You can upload the application to the market without publishing it (not sure if it is published automatically and then you need to press on the "unpublish" button).

 

[bluedude]

Test console

Just to confirm, this means that the Test console and the License Manager does not work without uploading an APK?

Cheers,

 

[Erel]

Just to confirm, this means that the Test console and the License Manager does not work without uploading an APK?

It did work for me. This is a possible workaround.

 

[timo]

Just to confirm, this means that the Test console and the License Manager does not work without uploading an APK?

Cheers,

Same problem. Logged, but without loading the apk it doesn't work.

 

[Brad]

I just added this to my app and it works great!

Timo, there is no need to upload your app. First thing is to set the License Test Response to something other then "Respond normally". You have to click the 'save' button after changing the value. Clear your app cache and give it a try.

 

[eps]

This worked for me, without uploading the App to the Market. Of course the device I am using is the one with my gmail registered to it. Other registered accounts can be added.

 

[Highwinder]

Library effectiveness question

Erel,

The more I look into it, the more I see that app piracy is a rampant epidemic, and I need to know if the licensing library stops the following practice:

The user purchases the app and installs it.
The user runs the app, presumably allowing the license cache file to properly set itself.
They then quickly back up the app with a 3rd party backup program.
They then cancel the purchase before the 15 minutes are up.
They can then restore the app from the backup - potentially including the license cache file.

Does the licensing library protect against this practice?

Thanks,

- Highwinder

 

[Erel]

The cache file expires after a certain time set by the market server. So this method will not work.