Android Question Restrict an app's use to the person who paid for it... need a unique id

MegatenFreak

Active Member
Licensed User
Hello.
My app uses in-app purchase to make it full-version. Now, I need to make sure that full-version app cannot be given to others.
HERE is my solution: If I can get a unique identifier for that device, I'll upload it into my online database as a 'registered' device. Now, every time the app runs, I'll check if it's among the registered devices. Otherwise it means it's running from another device, so I won't allow it.
The problem is, though, there doesn't seem to be a guaranteed way to get a globally unique id for the device, considering Android's security protocols since Android 6. You can't get the MAC address or IMEI or anything. Even Advertising IDs will change in nature in late 2021.
Can anyone help me on this? If I can't extract a unique id, is there any other way I can prevent my app from being copied and used without payment?
Thank you so much.
 

DonManfred

Expert
Licensed User
Longtime User
If I can get a unique identifier for that device
You'll not get any reliable unique ID.

Use in-app billing and check it here if the purchase is valid.
 

MegatenFreak

Active Member
Licensed User
It doesn't have to be 100% unique. The number of ppl using the app probably won't exceed a million...
I just need to make sure close friends can't give it to each other, so even an id that has a low chance of being similar in those conditions would work.
Even if I use the in-app billing check, what if one person shares his Google ID and pass with his friends and they all use it in the app? Then the app will think it's purchased every time.

P.S. Is there a way to get an identifier for a specific installation of an app? so that if it's installed again, that identifier changes?
 

Robert Valentino

Well-Known Member
Licensed User
Longtime User
For the longest time I have been trying to have a unique identifier that the software is not only locked to the user but device.

The problem with Google's system is that if users are willing to share user id (example: [not real email] [email protected]) and password.
Multiple people on multiple devices can share the software.

In my case that is a real problem. My average user cost (subscriptions) is around $80 - $100 a year.
Now that sounds like a lot. But my users run Brackets in their bowling league using my software.
In a league of 20 teams the user would run 20-30 brackets on any given league night, now most are running brackets / sidepots in more than 1 league a week.
They make usually $5 per bracket (that's $100 or more a night) so they make their money back usually in 1 night if not 2 league nights.
I've had users share their DBs to debug a problem and I could see how much they take in and pay out (some are making over $200 per league night and there are around 36 league nights, not counting summer leagues, weekend tournaments...).

So if they share the software on multiple devices with friends, really hurts my bottom line (cause all I get are the yearly subscription fees - which is fine by me).

I guess I am kind of guilty of the same thing. My wife and I have a common email that is always our first Google account; this way when we go to Google Calendar anything we schedule shows up on that account. We have an old ViewSonic monitor that runs an old version of Android on the wall (kind of like the calendars people used to put up to schedule events for the family). All this monitor does is run Google Calendar so we can do the same thing a paper device did (but also have it with us on our phones).

To me you should only be able to run your subscriptions ONLY on the device you purchased them on.
If you want to move to another device, fine, but the old device should stop supporting them (no subscriptions running on multiple devices).
Why Google doesn't close this hole in their design (would generate more subscription fees for them) is beyond me.

I let my users move from device to device for a small fee of $3.00 (just because there always seems to be a problem [98% usually their end]).

Used to use Android ID, AD_ID (now going away), and now have added WiFi ID; something has to match. Spend more time on this than I would like.

There is no easy solution because whenever a user resets their device Android ID can change.

If you come up with something new to make the software locked to a device please share it.

BobVal


PS: Forgot to say, right now I use Firebase Storage and when a user purchases a device license I upload all the information I can that I think is unique, and when my software loads I go to Firebase and get this information (something needs to be the same to be valid - Android ID, WiFi ID, etc.)
 

Robert Valentino

Well-Known Member
Licensed User
Longtime User
Just to verify what I said was true (and nothing has changed with SDK 30 or above devices), I added one of my accounts to my wife's device and installed this app I use called Radar to see if the subscriptions (I have - No Ads, Hurricane tracking) would be installed on her device. Sure enough, her device works, my device works and ALL my testing devices work. Just ticks me off to no end.
 

73Challenger

Member
Licensed User
Thoughts in the "not perfect but better than nothing" category.... in addition to the "finger print" suggestions @Robert Valentino suggested above. Some other potentially unique identifying information might be Device name + type + screen size, Contacts, Installed Apps, GPS/Geolocation information. Alone or combined they are likely to be unique across phones. They are also likely to change so some sort of "match threshold" may be required. There would likely be edge cases, like the user gets a new phone, that may require support intervention. Messy, but without a hardware id it's a difficult nut to crack.

I did a quick Google search and found this as well. Not sure if it will help, I haven't analyzed its capabilities, but there is an API for an "Instance ID":
https://developers.google.com/instance-id/
 
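Added example, not part of any post in this thread and not any poster's code: a server-side sketch of the "something has to match" / "match threshold" idea described in the two posts above. The key, the attribute names `model` and `screen`, the strong/weak split and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: secret kept on the licensing server
STRONG = {"android_id", "wifi_id"}     # identifiers the thread names as per-device
# "model" and "screen" are weak: identical on every phone of the same type.

def blind(name, value):
    """HMAC one attribute so the database never holds the raw identifier."""
    return hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()

def enroll(attrs):
    """Record stored at purchase time: attribute name -> blinded value."""
    return {k: blind(k, v) for k, v in attrs.items() if v}

def matched(record, attrs):
    """Names of enrolled attributes that the current device reproduces."""
    return {k for k, stored in record.items()
            if attrs.get(k) and hmac.compare_digest(stored, blind(k, attrs[k]))}

def is_licensed_device(record, attrs, min_matches=2):
    """Accept when one strong identifier and at least min_matches attributes agree."""
    hits = matched(record, attrs)
    return bool(hits & STRONG) and len(hits) >= min_matches

# Constructed sample data (not real device values).
PURCHASED = {"android_id": "9f3a1c0de4b27788", "wifi_id": "02:00:5e:10:00:01",
             "model": "ExamplePhone X", "screen": "1080x2340"}
AFTER_RESET = dict(PURCHASED, android_id="1b22c0ffee5d9a41")   # Android ID changed
FRIEND_SAME_MODEL = dict(PURCHASED, android_id="77aa00112233beef",
                         wifi_id="02:00:5e:10:00:02")
NO_WIFI_ID = {"android_id": "1b22c0ffee5d9a41", "model": "ExamplePhone X",
              "screen": "1080x2340"}                           # reset, WiFi ID unreadable

if __name__ == "__main__":
    record = enroll(PURCHASED)
    for label, device in [("purchased", PURCHASED), ("after reset", AFTER_RESET),
                          ("friend, same model", FRIEND_SAME_MODEL),
                          ("reset, no WiFi ID", NO_WIFI_ID)]:
        print(f"{label:20} matched={sorted(matched(record, device))} "
              f"licensed={is_licensed_device(record, device)}")
```

Counting weak attributes alone would accept a friend's phone of the same model, which is why one strong identifier is required; the last case is the kind of edge case that ends up with support.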

jerry07

Member
Licensed User
Longtime User
I no longer worry much about restrictions, I think less is more.
Very complicated restriction or validation do more to annoy paid users than stop very determined crakerz.
From my experience people that steal software would never pay for that software in first place.
People that pay for software don't like to share it most of the time.
Few people that share typically is limited to small percentage of users.
I would worry more about providing support or data to unauthorized users but that is easier to solve.

Lastly for business or productivity software if it helps people save time or money they are happy to pay.
I don't know if all above is true for entertainment software (games).


I think what I'm trying to say don't overbuild it.
 

jerry07

Member
Licensed User
Longtime User
I do have to say that your issue with bowling sounds a little unique. I don't even understand what the issue is?
So each team should have their own license to run your app?
 

Robert Valentino

Well-Known Member
Licensed User
Longtime User
I would like to believe you are right, but I know from my own experience this isn't always the case.
I've actually had users contact me for support that weren't the right user. "Oh I didn't realize I couldn't/shouldn't be doing that" is the common response.
WHAT???

Now my software has NO ADs and is priced right to make anyone using it money and I would agree that most people are valid.
But I've been to bowling alleys enough and have seen people that have an old tablet they are storing in a locker sharing with someone else.
Nothing I can do about this. But I surely do not want to turn the abnormal into the common. My software has been around since DOS days.
In the mid 90's when laptops became common, people were putting in bowling lockers and sharing with another person.

Some people just think it's their right to use and not pay (and I am not talking just about my software - this goes for Music, DVD, etc)

So I try to not hinder the ones paying but annoy the non payers.

If everyone bootlegged B4A in its early days (before becoming free) we may not even be having this conversation here.

I guess the real question is how much does your APP charge for subscriptions?

If you wanted the ability to run 50 brackets at a time that subscription would cost $150
But if you ran 50 brackets once you would make $250 and you could run it as many times as you can for the whole year.

I have at least a dozen users with the ability to run 100+ brackets.
If they run a tournament the way we used to, they run a 7 game tournament and brackets games 1, 2, 3 and payout during game 4 and run them again 5, 6, 7.
We used to have over 100 brackets the first set and approach 150 the second set.
At $5.00 profit per bracket, that's over a $1000 for running a one day tournament. Not counting people always pinch the tournament prize fund.

I give away High Game, High Series & High Game Each Game as the free stuff in the APP.
Again No ADs (I have a problem with ADs - it isn't free if you are beating me with ADs).

Free basics for league bowlers. Anything extra is a subscription.

But every APP is different and has different requirements.
 

Robert Valentino

Well-Known Member
Licensed User
Longtime User
No not each team.
One person in the league or leagues has the software and is running it for the league or leagues or tournaments.

I guess you really need to be a bowler to understand or try the APP - Bowling Brackets / Sidepots


NOTE: Bowling Brackets are not like the Basketball bracket.
There are 8 bowlers to a bracket that happens over 3 games.
Bowlers go in as many times as they want. The software tries to seat them as best it can with the fewest duplicate matchups.
I am looking at a user's example that has 33 players in 25 brackets (1 player in all) so on that night they made 25 * $5 = $125 while bowling in their league.

I've attached a copy of one of the reports After 1 game has been played. Not sure but maybe this will give you a better understanding.

But this will be my last post on this. Filling the boards with this is not right
 

Attachments

  • CombinedReports.pdf
    393.7 KB · Views: 141

MegatenFreak

Active Member
Licensed User
other potentially unique identifying information might be Device name + type + screen size, Contacts, Installed Apps, GPS/Geolocation information.
That's a great idea. Um... how do I get the device type/name/screen size??
Never mind! Got it! Using the bluetooth device name is great, unless the user decides it's a bad idea to give the app permission to do so!
 

Indic Software

Active Member
Licensed User
My take on this is to retrieve Motherboard serial #, BIOS serial # and Processor ID using WMI (in case of Windows). Hash it using MD5, now extract the left (or right) most 32 or so characters and use it as a Unique ID for that PC.

Generally this is guaranteed to be unique always.
 

pliroforikos

Active Member
Licensed User
The Google Services Framework Identifier (GSF ID) is a unique 16 character hexadecimal number that your device automatically requests from Google as soon as you log to your Google Account for the first time. For a specific device, the GSF ID will change only after a factory reset.

See here
 