I’m working on an application that requires a server to do most of the heavy lifting. I want to prevent pirated clients from sending requests to that server. Is there a way to send some identifier with the requests so that my server can ask the Android Market if someone with that id actually bought the app? How would I go about doing that?
Note that just protecting the app with LVL won’t work, because people could fairly easily write an application to interface with the server and still provide the same functionality as the paid app.
First: There is no 100% security for anything you run on a device that is not under your control (like Android devices in your case).
You could make “abuse” harder by several measures:
If you really, really want to make it very hard, you can issue a device-specific client certificate (when the client buys your app) and use cert-based client authentication (defined in the SSL standard) – you can invalidate the cert associated with the device if you see abuse without harm for the legitimate users of other devices…
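The per-device certificate scheme described in the answer above, as an added example that is not part of the original post: a private CA signs one client certificate per device, and the server accepts a presented certificate only if it chains to that CA and its serial number has not been revoked. The names `newCert` and `Check`, the serial numbers, and the in-memory revocation map are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert (hypothetical helper) signs a cert for a fresh key; parent == nil yields the self-signed CA root.
func newCert(serial int64, cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // stands in for the device's own key (normally sent as a CSR)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, signer = tpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)))), key
}

// Check (hypothetical) accepts a client certificate only if it chains to our CA and its serial is not revoked.
func Check(ca *x509.Certificate, revoked map[string]bool, c *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	if _, err := c.Verify(opts); err != nil {
		return err // not issued by our CA, expired, or not valid for client authentication
	}
	if revoked[c.SerialNumber.String()] {
		return fmt.Errorf("device certificate %v is revoked", c.SerialNumber)
	}
	return nil
}

func main() {
	ca, caKey := newCert(1, "example app CA", nil, nil)
	dev, _ := newCert(1001, "device-A", ca, caKey) // constructed sample device
	fmt.Println(Check(ca, nil, dev), "|", Check(ca, map[string]bool{"1001": true}, dev))
}
```

In a Go TLS server the same decision is wired in by setting `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs` on `tls.Config`, with the serial lookup placed in `VerifyPeerCertificate`.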