Android Tutorial Protect your Android application with the Licensing library

The licensing library allows you to use Android market licensing service to verify that the user is allowed to access your application.

Your applications sends a request to the local market application. The market application contacts the market server and returns the result. The result is cached based on the market rules.

It is recommended to go over Google's documentation related to the licensing method: Application Licensing | Android Developers

Configuring the licensing library is simple. You should first have a publisher account in the market.
The license key is available in Google Play developer console under Development tools - Services & APIs.

The licensing library and service will not prevent a dedicated hacker from hacking your application. It will however make it more difficult.

The first step is to initialize a LicenseChecker object:
B4X:
Sub Activity_Create(FirstTime As Boolean)
   Dim lc As LicenseChecker
   Dim p As PhoneId
   lc.Initialize("lc", p.GetDeviceId, publicKey, "kljdflkf".GetBytes("UTF8"))
   lc.SetVariableAndValue("test_1", "some secret value")
   lc.CheckAccess
End Sub
The result of the licensing check is cached locally. The cache is encrypted with AES algorithm. In order to avoid users from tampering with the cache and copying the cache to different devices, the device id is used together with the package name as the password.

Note that the same user will be able to download your application to other devices running with the same user account.

PhoneId (from the Phone library) requires the READ_STATE permission. The protection will still work if you pass an arbitrary string. It will be weaker however.
The Salt parameter should be an array of bytes with some random values (the values should be the same on each run).

Edit: It is recommended to use the alternative id method as described here: http://www.b4x.com/forum/basic4andr...oid-device-unique-id-alternative-phoneid.html

The next step is to call lc.CheckAccess. This in turn calls the market application or the local cache and checks whether the user is allowed to access the program.
One of the following events will be raised when the result arrives: Allow, DontAllow or Error (ErrorCode As String).
It is up to you to handle the event subs as required.

LicenseChecker.SetVariableAndValue
A simple way to hack an application is to "jump over" the checking code. For example a hacker might remove the call to CheckAccess and instead call your Allow event sub.
In order to make it a bit more complicated you can call LicenseChecker.SetVariableAndValue.
For example:
B4X:
lc.SetVariableAndValue("test_1", "some secret value")
The above code will set the value of a process global string value in the main activity named test1 to "some secret value" if the check was successful. You should not use or test the value of test1 in the Allow event sub as it will be too obvious. Instead you should use it later in your program.
You can be creative and pass the name of the variable or the value by using BytesToString or some other way.
As this variable is accessed in a dynamic way it will fail when the code is obfuscated. Therefore you need to include an underscore in the variable name to prevent it from being obfuscated. For example: test_1.
Note that SetVariableAndValue method will fail when running in rapid debug mode as the variable is part of the "debugger engine".

A more complete example:
B4X:
Sub Process_Globals
   Dim publicKey As String
   publicKey = "MIIBIjANBgkqhAADSFEFEFkiG9w0BfW/cGhTbtIs6QIDAQAB..."
   Dim test_1 As String
End Sub
Sub Globals

End Sub
Sub Activity_Create(FirstTime As Boolean)
   Dim lc As LicenseChecker
   Dim p As PhoneId
   lc.Initialize("lc", p.GetDeviceId, publicKey, "kljdflkf".GetBytes("UTF8"))
   lc.SetVariableAndValue("test1", "some secret value")
   lc.CheckAccess
End Sub
Sub lc_Allow
   Log("Allow")
End Sub
Sub lc_DontAllow
   Log("DontAllow")
   ToastMessageShow("Closing application.", True)
   Activity.Finish
End Sub
Sub lc_Error (ErrorCode As String)
   Log("error: " & ErrorCode)
   ToastMessageShow("Closing application.", True)
   Activity.Finish
End Sub
Sub Activity_Pause(UserClosed As Boolean)
 
End Sub
Sub Activity_Resume

End Sub

The library is available here: http://www.b4x.com/forum/additional-libraries-official-updates/11430-licensing-library.html
 
Last edited:

slowtime

Active Member
Licensed User
Longtime User
Sorry.

My problem was in the device cache.

When I clear cache all run right.

Sorry again.

Ciao
 

cmweb

Active Member
Licensed User
Longtime User
Hello,

how can I test my application in Emulator (Android Virtual Device Manager), when my App alread has the license check included?

The emulator seems to don't allow to create a Google account on the emulator, so the app always receives "don't allow" and closes the app.

I would like to test my app in emulator without always have to disable the license check code...

Any hints?

Best regards,

Carsten
 

timo

Active Member
Licensed User
Longtime User
I don't know if I tested it right, but I noticed that setting it in 'FirstTime' and closing with activity.finish, at the second start you access the app without problems because it remained resident (no force-close) and went over the lc.check. (I didn't add a SetVariableandValue).Is that a right behaviour?
 

eps

Expert
Licensed User
Longtime User
Fantastico! :icon_clap:

Just looking to integrate this into my first Paid For App....
 

bluedude

Well-Known Member
Licensed User
Longtime User
Hi Erel,

I never published an Android app. (we only use internal apps.) and I was wondering if I can test the Licensing Library without uploading an apk to the market.

Does the test console only work if an app. is uploaded to the market?

Cheers,
 

bluedude

Well-Known Member
Licensed User
Longtime User
Non Market managed

Erel,

I'm sure I configured everything ok and also use an account on the Android market on my phone that is equal to my market publisher account.

I have NOT uploaded an APK because i want to test it without publishing an app.

However, it does not work. I have put Licensed in the Test console but the app. gives me back Non Market Managed.

Any suggestions.
 

bluedude

Well-Known Member
Licensed User
Longtime User
Done all that

Erel,

I am logged in as indicated. I use the Android Market a lot and with the correct user account.

So when I start the License Manager demo I have been using the Android Market with the correct account.

I never use a debug key, signed it with a real key.

Any other suggestions?

Cheers,
 

bluedude

Well-Known Member
Licensed User
Longtime User
Test console

Just to confirm, this means that the Test console and the License Manager does not work without uploading an APK?

Cheers,
 

Brad

Active Member
Licensed User
Longtime User
I just added this to my app and it works great!

Timo, there is no need to upload your app. First thing is to set the License Test Response to something other then "Respond normally". You have to click the 'save' button after changing the value. Clear your app cache and give it a try.
 

eps

Expert
Licensed User
Longtime User
This worked for me, without uploading the App to the Market. Of course the device I am using is the one with my gmail registered to it. Other registered accounts can be added.
 

Highwinder

Active Member
Licensed User
Longtime User
Library effectiveness question

Erel,

The more I look into it, the more I see that app piracy is a rampant epidemic, and I need to know if the licensing library stops the following practice:

The user purchases the app and installs it.
The user runs the app, presumably allowing the license cache file to properly set itself.
They then quickly back up the app with a 3rd party backup program.
They then cancel the purchase before the 15 minutes are up.
They can then restore the app from the backup - potentially including the license cache file.

Does the licensing library protect against this practice?

Thanks,

- Highwinder
 
Last edited:
Top