Could this mean Google will soon open up payment for apps outside of the Market app?
-- On 27 July 2010 20:59, Raymond C. Rodgers <raymond@badlucksoft.com> wrote:
On 7/27/2010 2:53 PM, Trevor Johns wrote:
Agreed. After I wrote my part above, I even thought of another possibility... I haven't checked the API thoroughly, but it may be possible to store the public key on your own server, protected as you see fit, then when you do your licensing checks, you download the public key through whatever secure mechanism you feel is sufficient, do the check, and then discard the public key.
On Tue, Jul 27, 2010 at 11:42 AM, Raymond C. Rodgers <raymond@badlucksoft.com> wrote:
I'm not sure that this is inherently insecure. Yes, it does use
libraries and a public key that will be embedded in the
application, but public keys are designed to be shared. All the
client side is doing is verifying information encrypted with the
private key which isn't accessible, and providing that information
to the application for it to manage as the developer decides. I
may not have my security "A" game going today, but that sounds
reasonably secure to me. The private key isn't even made available
to the developer as I understand it, so the developer doesn't
really have the option of shooting themselves in the foot with it.
In many ways, it's more secure to have the code embedded in the application (which is why we designed the library this way).
If the license check was performed solely by the OS, an attacker could just use a modified firmware image to bypass the checks for all applications on the system.
Raymond
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
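
The check discussed in this thread, as an added example that is not part of the original messages and not the licensing library's own code: the client holds only a public key and uses it to verify a response signed with a private key it never sees. The key pair, the response format and the class name are constructed for this demo; SHA256withRSA is an assumed algorithm choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class LicenseVerifyDemo {
    // Client side: holds only the Base64 X.509 public key, as it would be embedded in the app.
    static boolean verify(String publicKeyB64, String response, byte[] sig) throws Exception {
        byte[] der = Base64.getDecoder().decode(publicKeyB64);
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(response.getBytes(StandardCharsets.UTF_8));
        try {
            return verifier.verify(sig);
        } catch (SignatureException e) {
            return false; // malformed signature bytes count as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the licensing server's key pair (constructed for this demo).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();

        // Server side: sign a constructed response with the private key.
        String response = "NOT_LICENSED|com.example.app";
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(server.getPrivate());
        signer.update(response.getBytes(StandardCharsets.UTF_8));
        byte[] sig = signer.sign();

        // Only the public half is shipped to the client.
        String embedded = Base64.getEncoder().encodeToString(server.getPublic().getEncoded());

        // The genuine response verifies; an altered copy with the same signature does not.
        String altered = response.replace("NOT_LICENSED", "LICENSED");
        System.out.println("genuine response verifies: " + verify(embedded, response, sig));
        System.out.println("altered response verifies: " + verify(embedded, altered, sig));
    }
}
```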