The default ServerManagedPolicy that Google provides in their License Verification Library relies on the server responses to determine the license revalidation interval. This results in requiring a revalidation every few days, in perpetuity. This is not only a nuisance to users, it can be a serious problem for users who go extended periods with no connectivity. (We just had an inquiry from a user who expects to be without Internet connectivity for several weeks, which is what motivates this question.)

In summary, I’m looking for an algorithm that will accomplish two things:

1. drastically reduce the connectivity requirements compared to ServerManagedPolicy;
2. provide the same level of anti-piracy protection.

In an answer to this question the suggested policy algorithm is to ignore the times provided in the response from Google’s server and instead to use a LICENSED expiration period of about a month, with license checks being attempted every few days (to extend the expiration period if a LICENSED response is received).

While this approach partially addresses the first goal, it still requires users to be connected once a month while using the app, so it would not work for (at least one of) our users.

The following algorithm accomplishes the first goal, but I don’t know about the second. Any comments pointing out weaknesses of this algorithm, or suggestions for another approach, would be welcome.

1. On first run, do a license check and insist on a LICENSED response before providing full functionality. Once received, set a relatively short expiration period (but longer than the refund period that Google Play provides, currently 15 minutes). Also register a grace period of a few days beyond that.
2. The app would start checking again after the license expiration period. If it failed to connect (airplane mode, etc.), it would still function until the expiration of the grace period.
3. After expiration of the grace period, insist on a second LICENSED response before allowing normal app functioning.
4. After receiving the second LICENSED response, permanently enable all features of the app and never bother checking again.
5. If an UNLICENSED response is received at any point, permanently disable full functionality. (The user can, of course, revert to step 1 by deleting all app data.)

Additional points:

• A suggestion was made to forgo the first license check and wait until the expiration of the return period before doing a license check. The purpose of insisting on the first LICENSED response is to prevent the exploit where, after a license check fails, the user simply stops the app process, clears the app data, and restarts the app. (The app provides value even if usable for only 15 minutes at a time.)
• The purpose of insisting on a second LICENSED response is to get around the buy-run-backup-return-restore exploit.
• I’m not asking whether call-back license checking is a good idea or not (that’s what Google offers in place of their deprecated copy protection mechanism). I’m also well aware that no anti-piracy protection is foolproof and Google’s entire licensing mechanism can be circumvented (in which case all questions about design of a policy algorithm are irrelevant). The main point of this question is the relative risks (to us) and benefits (to the user) of the above algorithm as compared to other policies (such as the ServerManagedPolicy).