Board index
FAQ
Register
LoginI'd like some advice on how to secure my application server-side interface.
I want to make sure that only people who bought my application can use it, and the server-side web interface that it relies on.
My thoughts are similar to others who use the phone number and device ID, but it seems not as secure as I'd like and I'm not sure that I will be able to verify each phone number or device as a paying customer.
Does anyone know if that information is provided to the developer after a completed purchase in the Android Market?
I could force users to set up an account on my server and validate themselves I guess.
I'm also considering shared secret type architectures, but really I need some advice from the experienced developers here.
Thanks,
Michael D
Advice on securing client server applications.
3 posts
• Page 1 of 1
Advice on securing client server applications.
by Ressor » Sat Dec 12, 2009 12:05 am
- Ressor
- Developer
- Posts: 28
- Joined: Wed Oct 14, 2009 11:43 pm
- Location: Boston MA USA
by Ressor » Fri Dec 18, 2009 6:42 pm
Ahh... no help from anyone yet... Maybe I can narrow this down to:
- Does the Android Market give you a way to validate who has purchased your app?
- Do they tell you the phone number or device ID to use for server-side authentication?
Thanks,
Ressor
- Does the Android Market give you a way to validate who has purchased your app?
- Do they tell you the phone number or device ID to use for server-side authentication?
Thanks,
Ressor
- Ressor
- Developer
- Posts: 28
- Joined: Wed Oct 14, 2009 11:43 pm
- Location: Boston MA USA
by Ressor » Tue Dec 29, 2009 3:25 pm
Hi,
I am actually still working on this myself and plan to post my final design, but here is the outline of what I've done.
- Force the app to register with the server upon first execution if no key is found in SharedPreferences.
- Key is sent by SMS to users phone during first execution to validate that only this device get's a key.
- Pop up a registration license key entry dialog. (May also require entry of Market transaction ID)
- Key is a combination of phone number, Device ID and secret phrase (md5sum)
- Key is saved in SharedPreferences and validated on server end each time app is executed.
This way, the app can only be registered once for any given phone number.
The only thing I need to figure out is how to match the phone number with the actual purchase, but it may not matter at first since I can shut off any user from accessing my server at any time by flagging their phone number in my server-side code.
This approach can be used on any app, but requires server-side programming and Internet communication from the app.
The server-side code is where most of the magic happens and basically it will have to handle keeping all users in a DB and knowing if they have registered, what their key is and every time they execute the app, it will decipher their key and make sure it matches the phone number, device ID and my secret phrase.
I'll write up the final design when I finish it and test it soon.
Please let me know what you think.
I am actually still working on this myself and plan to post my final design, but here is the outline of what I've done.
- Force the app to register with the server upon first execution if no key is found in SharedPreferences.
- Key is sent by SMS to users phone during first execution to validate that only this device get's a key.
- Pop up a registration license key entry dialog. (May also require entry of Market transaction ID)
- Key is a combination of phone number, Device ID and secret phrase (md5sum)
- Key is saved in SharedPreferences and validated on server end each time app is executed.
This way, the app can only be registered once for any given phone number.
The only thing I need to figure out is how to match the phone number with the actual purchase, but it may not matter at first since I can shut off any user from accessing my server at any time by flagging their phone number in my server-side code.
This approach can be used on any app, but requires server-side programming and Internet communication from the app.
The server-side code is where most of the magic happens and basically it will have to handle keeping all users in a DB and knowing if they have registered, what their key is and every time they execute the app, it will decipher their key and make sure it matches the phone number, device ID and my secret phrase.
I'll write up the final design when I finish it and test it soon.
Please let me know what you think.
- Ressor
- Developer
- Posts: 28
- Joined: Wed Oct 14, 2009 11:43 pm
- Location: Boston MA USA
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 3 guests
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Dark-Grunge Style by Christian Bullock // Promote your forum at Forum Promotion // More styles at PixelRaider.
Dark-Grunge Style by Christian Bullock // Promote your forum at Forum Promotion // More styles at PixelRaider.