Android Question Copy Protect APK?

JohnC

Expert
Licensed User
Longtime User
For some apps, I am not so worried about people seeing inside the APK - so this question is not about preventing someone from looking inside the APK.

What I am concerned about is that there are a lot of ways to extract the APK of an installed app from a device.

If my app is a "purchase-only" app, meaning there is NO in-app purchasing or trial version - the user needs to purchase the app before it can be downloaded and installed from the play store.

How would I protect from someone installing an extracted copy of my app's APK on an unauthorized devices?
 
Sort by date Sort by votes
A

Alex_197

Well-Known Member
Licensed User
Longtime User
What about registration on your server? Let say I have your APK, put it on my phone and started it. The first screen will be registration screen that will ask me for a code that I don't know. Even if I will get a code and register my APK with your server my new account must be accepted by your admin.
 
Upvote 0

Bladimir Silva Toro

Active Member
Licensed User
Longtime User
This is just an idea: Perform a registration validation every time you start your application using web services.

What I personally do is take the IMEI and verify whether or not it is registered in my database using a web service.

Implementing it in your application is easy.
 
Upvote 0

JohnC

Expert
Licensed User
Longtime User
Yeah, but:

1) That's not the best user experience
2) Needs a lot of time to setup a whole server registration system
3) My app would then need internet permission, which currently it does not require
 
Upvote 0

Bladimir Silva Toro

Active Member
Licensed User
Longtime User
The solution you need is to use an activation number.

Create an algorithm that with the IMEI generates a unique number for that mobile and that asks the user for an activation code.

You can save the activation code in an encrypted text file and compare it when necessary.
 
Upvote 0

JohnC

Expert
Licensed User
Longtime User

I understand your suggestion, but 99.9% of apps in the playstore don't require this extra step which I think would provide a bad user experience to force the user to do this inconvenient authorization process.

Not to mention the time to setup a website/authorization system.

Google offers an in-app purchase API, but that seems like it would tick-off users who think they are installing a free app, only to find out they need to pay for it.

It's a shame that Google doesn't offer a simple "App Purchased" API check (which would be different then in-app purchase) so my app could simply verify that the user purchased the app - it would solve this issue and make this whole issue so much simpler.
 
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
What about posting two apps, one with limited functionality free with a buy full version button which would open Google Play to download a full paid app.
 
Upvote 0

JohnC

Expert
Licensed User
Longtime User
hatzisn said:
What about posting two apps, one with limited functionality free with a buy full version button which would open Google Play to download a full paid app.
Click to expand...

That presents a similar problem - how would I protect the APK of the "full paid version" from being copied?

If Google could even come out with a "Trial" API, then that would even work because then I could allow users to try all the full features for x days, and because the trial period would be tracked by google servers, nobody would be able to run the app past the trial period even if they uninstalled and reinstalled the app.
 
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
You can always get the AndroidID but this definitely needs a back end. On the other hand logic says that if a hacker buys your app to break it then he would do it to benefit himself because otherwise there is no motive for someone to pay to benefit the others free of charge. If he would not pay then he would have a a motive to do it.
 
Upvote 0

JohnC

Expert
Licensed User
Longtime User
I'm thinking the best strategy is to offer it as a paid-only version, but make it's price low enough so users wont even bother looking for/risk trying to install an unauthorized copy of it on the net.
 
Upvote 0

MarcoRome

Expert
Licensed User
Longtime User
You can strengthen the protection of your App by following these 2 Steps:

1. This is a small excerpt from the excellent ProtectMyApp By Informatix Guide (for any purchase, and it's worth it you can contact the author Federic -> @Informatix )

ProBundle

ProBundle contains all the following libraries: - ArchiverPlusZip v1.13 Based on the Zip4j library, this library allows to add, extract, update and remove files from a zip archive. It supports encryption and decryption (standard and AES), Zip64 format and split zip archives. It is compatible...
www.b4x.com

"...It is not installed through its
original store. So we can check whether the installer of our package is correct:..."
Code:
Dim PU As PackageUtils
'For Google Play Store
If PU.GetInstallerPackageName(PU.GetMyPackageName) <> "com.android.vending" Then
ExitApplication
End If

2. The second step you can use is to fully defend the possibility that it can debug in realtime
Watch the following tutorial (Tricks Anti Debug Anti Proxy) at the following address:

Tricks Anti Debug - Anti Proxy

In addition to the good guide created some time by the dear @Informatix ( Pro Bundle https://www.b4x.com/android/forum/threads/probundle-chargeable.58754/ ) i add something else that could be useful ( i hope ) 1) CHECK IF YOUR APP IS INTERCEPTED BY A PROXY. Using a proxy is easy without even...
www.b4x.com

There are also tools that perfect everything but have a high cost like DexProtector
In any case, you will never have 100% certainty. But surely it will not be a walk for those who will have to try to modify it.
 
Upvote 0

JohnC

Expert
Licensed User
Longtime User
Hi Marco,

Thanks for the info.

#2 is to protect the APK from viewing/mod, but I'm not very concerned about that.

#1 might be useful if they modify the package name.
 
Upvote 0

JohnC

Expert
Licensed User
Longtime User
This problem could easily be solved if google offered two APIs:

1) "Is Purchased" to indicate if my particular app was purchased from the store by this particular user.

2) "Is Trial Expired" to indicate if this particular user's trial period expired for my particular app, even if the user uninstalled and reinstalled the app.
 
Upvote 0

MarcoRome

Expert
Licensed User
Longtime User
JohnC said:
Hi Marco,

Thanks for the info.

#2 is to protect the APK from viewing/mod, but I'm not very concerned about that.

#1 might be useful if they modify the package name.
Click to expand...
The 1 isnt if modify package name...check that the app has been downloaded from the store and not from other sources (like extract apk)
 
Upvote 0

Jeffrey Cameron

Well-Known Member
Licensed User
Longtime User
For:
JohnC said:
1) "Is Purchased" to indicate if my particular app was purchased from the store by this particular user.
Click to expand...
Look into the https://www.b4x.com/android/forum/threads/licensing-library.11430/ library. I know you didn't necessarily want your app to require Internet access, but that requirement is pretty ubiquitous for every app today, I only get suspicious if it also wants access to contacts/camera/etc. as well.

For:
JohnC said:
2) "Is Trial Expired" to indicate if this particular user's trial period expired for my particular app, even if the user uninstalled and reinstalled the app.
Click to expand...
the only viable method for this that could not be "hacked" would be for you to maintain an external server or API on an external website to validate user credentials. Anything short of that would be so easy to circumvent as to make it not worth your time to implement.
 
Last edited:
Upvote 0

JohnC

Expert
Licensed User
Longtime User
Upvote 0
T

Tormentor

Member
What most app has is One button. Restore purchase. When installed there is a button restore purchase it then validate the Gmail address in phone with Google purchase of you app and enable it. No need for a server it's just check against that email I your history. If copied the new guy need to do that and he haven't purchased the app and can't validate it.
 
Upvote 0
You must log in or register to reply here.

Similar Threads

  • Question
Android Question Play Store - can't upload internal testing app without privacy policy
Replies
4
Views
1K
Shelby
E
  • Question
Android Question Possible to hide parts of code?
Replies
7
Views
2K
Erel
D
  • Question
Android Question Prevent APK from Unauthorised Reading
Replies
13
Views
1K
DawningTruth
D
  • Question
Android Question Is it possible to decompile an installed app?
Replies
12
Views
3K
MarcoRome
M
  • Question
Android Question App security, Encryption?
Replies
3
Views
899
mrawi
M
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…