[Q] How to make an app crack-proof (as much as possible) - Android Q&A, Help & Troubleshooting

Hey guys, lately I've been developing an Android online game that I intend to sell on Google Play for about 1€, and as I am about to launch it on the market within a week or two, the question I have is: what should I do to make it as hard as possible to crack and distribute for free? I am not rich and I need the money I hope to get from the downloads to pay for the server... so I wouldn't like to have loads of people loading my server and not paying.
Any ideas? I thought about making regular updates to the app and having the server only accept the latest app version, denying access to old versions, but I'm unsure how effective that is.

If the app requires additional data, you could have it verified online each time a user attempts to connect.

http://android-developers.blogspot.pt/2010/09/securing-android-lvl-applications.html
Found this; the last solution, "You can offload license validation to a trusted server.", is exactly what I'm looking for: having the server check the license and only accept sockets from legitimate clients. Not really sure how to do it yet, but I'll try to implement that.
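As an added example (not code from the thread or from the linked post), here is a Go sketch of what "offloading license validation to a trusted server" can look like on the game server: the client forwards the signed licence response it received, and the server verifies the signature with the app's public key before opening a session, also enforcing the minimum-version rule from the opening post and rejecting replayed nonces. The field layout `responseCode|nonce|package|versionCode|userId|timestamp` and the `SignAsService` stand-in (a locally generated key pair instead of the real licensing service) are assumptions for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// LicenseCheck is the server-side policy: a session is opened only for a client whose licence response passes every check below.
type LicenseCheck struct {
	Pub        *rsa.PublicKey
	Package    string          // package name the response must name
	MinVersion int             // oldest versionCode the server still accepts
	seen       map[string]bool // nonces already redeemed, to block replay
}

func NewLicenseCheck(pub *rsa.PublicKey, pkg string, minVersion int) *LicenseCheck {
	return &LicenseCheck{Pub: pub, Package: pkg, MinVersion: minVersion, seen: map[string]bool{}}
}

// Verify checks the SHA1withRSA signature first, then the fields; assumed layout "responseCode|nonce|package|versionCode|userId|timestamp".
func (c *LicenseCheck) Verify(signedData string, sig []byte) error {
	h := sha1.Sum([]byte(signedData))
	if err := rsa.VerifyPKCS1v15(c.Pub, crypto.SHA1, h[:], sig); err != nil {
		return errors.New("signature invalid: response was not produced by the licensing service")
	}
	f := strings.Split(signedData, "|")
	if len(f) != 6 {
		return errors.New("malformed response")
	}
	if f[0] != "0" { // 0 is LICENSED; any other code is a refusal
		return errors.New("not licensed")
	}
	if f[2] != c.Package {
		return errors.New("response names a different package")
	}
	if v, err := strconv.Atoi(f[3]); err != nil || v < c.MinVersion {
		return errors.New("client version too old, update required")
	}
	if c.seen[f[1]] {
		return errors.New("nonce already used: replayed response")
	}
	c.seen[f[1]] = true
	return nil
}

// SignAsService stands in for the licensing service so the check runs offline; in production only the service holds the private key.
func SignAsService(priv *rsa.PrivateKey, data string) []byte {
	h := sha1.Sum([]byte(data))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	return sig
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the demo
	c := NewLicenseCheck(&priv.PublicKey, "com.example.game", 12)
	good := "0|n1|com.example.game|12|u1|1700000000000"
	fmt.Println("first use:", c.Verify(good, SignAsService(priv, good))) // <nil>
	fmt.Println("replayed:", c.Verify(good, SignAsService(priv, good)))  // nonce already used
}
```

The nonce store must be shared across server instances (a database or cache) for the replay check to hold in a real deployment.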

[Q] New device, new binary?

Ok, I am looking at an online Android/iPhone app builder. They either offer the option to build one for free with unlimited downloads or you can pay yearly with different tiers for different download limits. The difference being that the free one has ads.
Anyways, when asked about just creating the app with their site, then hosting it on your own server and having everyone download it from there instead of paying the yearly fees, the site owner made this statement.
"My personal opinion: in the long run you will pay more in this case, because every time Apple releases a new iOS (like 6 now) or Android has a new phone (like the Samsung Galaxy S3 now) you will have to purchase new binary code from us that supports the latest updates/fixes."
Is this true? I don't see how each new device that comes out will require an update in your app.
Also, as stated, if you pay the yearly fee for the lowest amount of downloads, I assume they can only track downloads from Google Play or the Apple app store. I don't see any way they can track downloads from my own server hosting the .apk file. Anyone have any insight on this to correct me if I'm wrong?
For the record, I'm just looking to develop an app to play my Shoutcast streaming audio station. I make no profit on the station, so I have no capital to spend over $1K a year to have an Android and iPhone app. I mainly want to give it to my friends and make it available to anyone who visits my website. I really like the design that I did with this site, and am willing to pay something for it, just not $1K/year...
Anybody?
Have you tried installing the official Android Software Development Kit on your computer, and making the app yourself? You don't need to use an online service, and you choose exactly what gets compiled into the apk (ads, Google analytics, etc.).
post-mortem said:
Have you tried installing the official Android Software Development Kit on your computer, and making the app yourself? You don't need to use an online service, and you choose exactly what gets compiled into the apk (ads, Google analytics, etc.).
Thank you for the reply.
I actually do have the SDK installed, and am looking into what it takes to make my own app. But don't I have to know XML and Java to create apps using the SDK?
You do need to know those two languages.
Sent from my Desire HD using xda premium
The Lepricon said:
But don't I have to know XML and Java to create apps using the SDK?
That online service allows you to write apps without knowing XML or Java?
post-mortem said:
That online service allows you to write apps without knowing XML or Java?
Yes, it's kind of like App Inventor: all visual, just assemble the parts and stuff.
It's nice, just kinda pricey. I once posted the job on freelancer.com and got offers for about as much as this company is asking, and with freelancer I would have owned the app afterwards.
But, again, it's kinda hard to foot the bill when it's a non-profit app.
Ok, I'm off to learn XML and Java...
Oh, almost forgot... the original questions:
"My personal opinion: in the long run you will pay more in this case, because every time Apple releases a new iOS (like 6 now) or Android has a new phone (like the Samsung Galaxy S3 now) you will have to purchase new binary code from us that supports the latest updates/fixes."
Is this true? I don't see how each new device that comes out will require an update in your app.
Also, as stated, if you pay the yearly fee for the lowest amount of downloads, I assume they can only track downloads from Google Play or the Apple app store. I don't see any way they can track downloads from my own server hosting the .apk file. Anyone have any insight on this to correct me if I'm wrong?
Any ideas, anyone?
I think he means every time Google releases an update to Android (updated OS, not new device). So, for example, you build your app to run on Jelly Bean. But when Key Lime Pie comes out, your app may not work as expected on those devices running KLP. Then, you'd have to pay them to recompile your app with updated binaries, or risk losing market share.
If your app is really simple and would run fine on Android 2.2 and up, then that "purchase new binary" thing is not applicable.
But, hell, if you're willing to learn XML & Java... go for it!

Do you use Licensing in your apps?

Was just wondering what people's thoughts were on using the Android Licensing copy protection in their apps? Do you use it, and do you spend a lot of time on it or have any creative ways to help enforce it?
As we all know, any kind of DRM will always be cracked, but I just wanted to know if people found it worthwhile to have.
I'm using In-app Billing, because I found that even licensed apps can be copied.
And yes, all apps can be cracked eventually, but most of the publishers of cracked apps remove them if you ask them to. So that's what I'm gonna do!
Sent from my Nexus 4 running Android 4.2 JB
I don't like license checks that force you to be online, but I do like to have 'something' in place...
Recently I started working with some OEMs in India who wanted to pre-load my apps on their devices. Very exciting obviously, but I didn't know if I could trust them as I'd never heard of them.
So what I did was get the app to load a web page on one of my servers off the screen (9000% x ...) so that it couldn't be seen. The page it linked to was empty, but if I wanted to I could modify the code to include a redirect that would send it to another page. Then in my 'onPageOverride' event I just said: if URL = 'stopapp.htm' then do whatever it was I wanted to do.
What I actually have it do in that event is to fill the entire screen with that web page. The user then can't interact with the app underneath, but they get a message that I can create at the time saying 'This app has been illegally distributed' or whatever else I want to say. I can even forward them on to the download page if I want this way.
This works well too, because if the user isn't online the page just doesn't load and nothing happens. But if I want to stop offline use as well, I can save a file in File.DirInternal ('SwitchOff.txt') and have the app check for that. They get caught once, then they can't use the app.
Obviously this doesn't work quite like a license check, but what you *could* do with it is to have the app pop up with a message to people using an old version that's not updated. That's probably downloaded off of some file sharing site, so you could then just keep pestering them to 'update' and send them to the Play Store to do so. You can also check how many of the users on that version of your app are legitimate by looking at your Play Developer Console.
One thing to note is that the redirect URLs you use will need to be different in every version of your app that you release.
Hope this helps someone! I wish I'd done it sooner, one of my apps is all over the web grrrr...
Pretty much the same as what I'm doing atm, except I just ping a server in the background and display a popup if the result meets certain conditions. I don't disable the app either, as I can't be 100% certain it's pirated; instead I display a "scary" popup saying that if they're using a pirated copy this is illegal etc. Your average user won't know how the popup was generated, so it should be enough to make them think "someone" is onto them and go the proper route. With the added bonus that a genuine user can just press OK and carry on using the app.
Sent from my Nexus 4 using Tapatalk 4
Currently, none of my apps use licensing.
For one of my paid apps, about 5% of the downloads are from non-Google Play sources, meaning, I'm not seeing any revenue from those 5%.
There is an Android API that allows developers to see which platform their app was downloaded from. So, I've been thinking about adding that hidden feature to my apps and maybe doing something fun with it. But I haven't got around to it yet. My thinking has been that if somebody downloaded a pirated copy of my app, then they probably weren't going to pay for it in the first place. And, hopefully, they will tell their friends about it and maybe one of them will actually purchase it through Google Play.
I already have all my licensing code in place and commented out. Since my app is pretty new, I want to see how it does before adding licensing. Since the app is free and income is from IAP, it's not too bad. I'd only turn on licensing in the next release if I see a pressing need for it.

[Q] Private play store download

Hi All,
I'm looking at getting more into android development and have a question.
If I develop an app for a client and wish to use a subscription (monthly / yearly) and would like to be able to use the convenience of the Play Store to do so, is there a way to restrict or distribute an application to one client, without the general public seeing it?
Would it be better to have some kind of built in in-app license system to deal with this kind of thing? (obviously there are many things involved in this type of system to avoid problems with the end user).
I have heard you can do private betas, but I have no idea if this can be paid and go on indefinitely...?
I have never released an app on the Play Store and don't even have an account yet, but wanted to try and understand how best to go about this kind of thing.
Many thanks in advance
Logicalstep

Sicher, new mobile encrypted chat app with safe file transfer

Hi all,
I'd like to share great news. Sicher, our free secure messenger finally comes to Windows Phone.
Sicher features true end-to-end encryption of both text messages and file attachments. With anonymous push notifications and the ability to set a timer for when messages will self-destruct, Sicher also includes password protection for the app itself.
Please try Sicher and share your feedback in this post.
FairyMary
Sicher Team
App is free, store link is here: EDIT: Removed because this thing looks like a scam and its description is a lie
I haven't been able to find a lot of info about how the app works (I'm talking about at a very technical level). My general advice regarding crypto code is to open it up for review, either publicly or by a professional security assessment firm (disclaimer: I work at one of those). If the code is already open for review somewhere, that would be awesome; if not, I recommend getting in touch with some external security experts (same disclaimer, but I can provide contact info if you want). The Internet is full of things that the developer claimed (and often even sincerely believed) were secure.
Aaaand just for fun, I decided to take a look at the app and see if there was anything obviously wrong. Let's start with the presence of no fewer than *three* advertisement networks, shall we? Begun Advertising is Russian and Google-owned, Google AdMob is self-explanatory, as is Microsoft Advertising Mobile. Your store description claims you "don't use any advertising engines". Did you really think nobody would check this?
WTF are you trying to pull here?!? I can't think of any way to burn trust in a "secure" app faster than to make a claim that is trivially disprovable in a way that benefits nobody except you.
I'll come right out and say it: Sicher looks like a scam!
Oh look, a Facebook library as well. Totally expected to see that, given that you "don't integrate social network SDKs".
Oh, and before anybody asks about responsible disclosure, that's for when there's an unintentional bug in somebody's code. This just looks like pure exploitation of your users! (I say "looks like" because I haven't actually decompiled the code to see if those libraries are being used, but it's hard to imagine why you'd have them otherwise...). The only responsible way to disclose malware is to do it publicly, and this looks malicious.
EDIT: I'll give you 24 hours to give me a good argument why I shouldn't report my findings to the stores themselves.
Time's up. You actually got over 48 hours because I was busy yesterday. Hope not too many people got scammed and tracked by your "secure" and "private" app...
Hey @GoodDayToDie, unfortunately I don't know where else to ask this. Since you seem to be really interested (and skilled) in this topic, what messengers do you consider secure? WhatsApp is obvious; the only ones on Windows Phone I know of that come to my mind are Telegram and (soon) Threema.
What do you think about the two? I have basically no knowledge, but what seems odd to me about Threema is their FAQ's answer to "what about MITM?": they just say they use certs, hardcoded in the app. Aren't they, with their servers, in control then? As I understand this, the Threema servers could perfectly well perform a MITM attack.
And Telegram has a completely confusing protocol... So please share your thoughts!
I have no personal knowledge of one, sadly. Take anything I say here with a huge grain of salt (including the fact that Sicher looks like a scam; I haven't actually verified that it *uses* all those ad networks + Facebook that it integrates, just that it has them) as I'm not spending the time & effort for a full security review of these apps at this time.
Threema actually looks quite good.
Pros:
They don't try to implement the crypto themselves (they use NaCl, which is both written by people who know what they're doing, and well-reviewed).
The design of their end-to-end solution makes sense (it connects through the server since phone networks won't allow incoming/direct connections, but the messages are encrypted to only the recipient and don't require that the recipient be online to receive the message).
They are relatively open about how things work (although those *could* be lies; I haven't pulled the app apart).
It is possible for the user to verify the key of another user.
Cons:
They don't have Perfect Forward Secrecy on messages. PFS would require that the intended recipient be online at the start of any given conversation (to negotiate the ephemeral keys) so this isn't terribly surprising, but it is disappointing. An attacker (including a government agency) who gets access to your private key could decrypt historical traffic to you if they'd recorded it.
The app is proprietary; there's nothing stopping them from pushing a malicious update.
The server supplies the public keys of users; until such time as the user validates the other party's key (which is difficult to do except in person) the server could have sent a public key that the server has the private key for (instead of the user's own public key) and then MitM the user's traffic. This would break down when verified though, unless the app lied about the result of the verification process (you don't actually see the key itself).
To address your concern about MitM, the app says they use certificate pinning (a standard and very smart security measure, assuming they did it right) for app-to-server communication, so nobody (including third-party security engineers) can MitM the app traffic. They also claim to use PFS. However, if the server itself is untrusted (i.e. some government thugs show up to demand access, although bear in mind that apparently the servers are all in Switzerland) then the server could give you the wrong public key for a user you try and add, allowing the server to MitM you. Also, the company could push an update that is malicious.
The only protection against the server-sends-wrong-key threat is to either require that the user manually import all keys (think PGP minus keyservers and assuming trustworthy key exchanges) or exactly verify the key (i.e. personally ensure that it matches the other user's key by actually checking the bytes or at least the hash). The only protection against the malicious update is to make the source code available and have a method by which users can either compile it themselves (though see "Reflections on Trusting Trust") and/or have a way to verify the application binaries.
I'll look at Telegram later. For the moment, though, I would loosely recommend Threema once it's available. There's also Skype, of course, but while it was decompiled once long ago (and found to use secure encryption, although some non-crypto vulns were found) that was many versions ago (and, in particular, was before Microsoft bought them).

NEW - Learn and monetize your uninstalls

Hi, we are launching a new platform to allow app and game developers to get real time user feedback and monetize with every game uninstall. So, hold your breath…OR…
If you prefer to get an earlier test drive, we are opening a limited BETA for developers. Drop us a line and tell us how many daily uninstalls you have and let us know if you are interested to take part in the BETA or if you have any other question. Our email is: [email protected]
Happy New Year!
Ben
How exactly are you monetizing uninstalls? Won't that be very annoying for the user? First they hate my app and don't want it, and then they need to watch some type of ad too? Doesn't sound like a good way to get good reviews...
Exactly my thoughts
Uninstall Monetization
$$$$$$$$$
Actually found a new way, wanted your opinion about it.
I have my flagship app with over 1M installs called Signal Boosters (Fred Baker).
I was trying to monetize by creating my own offerwall and taking offers from the networks; long story, that didn't really hit the jackpot for me.
I had a huge problem with uninstalls (70%) since the walls didn't really work, so I got really interested in the uninstall event and how to capture it.
Over a year I was able to capture the uninstall event and launch a browser at the moment of uninstallation without leaving any traces or processes running on the devices afterwards (no trojans or anything that gets you banned).
(I saw some very popular and well-known apps use this implementation to survey the users that uninstalled, and that was my inspiration.)
I wasn't sure how to use it without pissing off someone, or if it's actually allowed, so I integrated it in my app and never talked to anyone about it.
A month ago or so I came across a company called APPJOLT doing exactly that.
I registered and entered their dashboard and saw they developed a whole system around this technique with the purpose to offer your users an incentive to come back to your app or cross-promote to other apps.
They have an option for a free cross-promotion campaign, so it hit me right away that I can use their system with a CPI offer I took for my offerwall from one of the networks, so at the moment of uninstall it will show the offer and I will get paid for it.
I couldn't believe it, but it worked: I see almost 1K uninstalls a day and generate around 70 conversions, which generates $30-50 a day.
Not sure if I hit gold or not, just wanted to ask the members of this forum how I can improve this flow, or am I missing anything?
$$$$$$$$$
Please be aware that it might be against Google policy. There is no notification that your app has been uninstalled (or that the uninstallation started), so they use a background service that checks if the user is currently trying to uninstall your app. Also, the earnings reported here are very high (eCPM $30 - $50), while ad networks usually pay between $1 - $3 for interstitial ads. I don't think you can get such a high eCPM for uninstallations; I would expect something at least 10x lower.
Cool idea, but it's hard to make it practical and implement it. So, how exactly are you monetizing from uninstalls, I wonder..
I can guarantee you that you will get A LOT of 1-star ratings. I will for sure install the game again just to give it 1 star.