Advice on securing client server applications.

General topics about the Android-Platform itself.
Coding issues please to the subforum right below.

Advice on securing client server applications.

Postby Ressor » Sat Dec 12, 2009 12:05 am

I'd like some advice on how to secure my application server-side interface.

I want to make sure that only people who bought my application can use it, and the server-side web interface that it relies on.

My thoughts are similar to others who use the phone number and device ID, but it seems not as secure as I'd like and I'm not sure that I will be able to verify each phone number or device as a paying customer.

Does anyone know if that information is provided to the developer after a completed purchase in the Android Market?

I could force users to set up an account on my server and validate themselves I guess.

I'm also considering shared secret type architectures, but really I need some advice from the experienced developers here.

Thanks,
Michael D
Ressor
Developer
Developer
 
Posts: 28
Joined: Wed Oct 14, 2009 11:43 pm
Location: Boston MA USA

Top

Postby Ressor » Fri Dec 18, 2009 6:42 pm

Ahh... no help from anyone yet... Maybe I can narrow this down to:

- Does the Android Market give you a way to validate who has purchased your app?
- Do they tell you the phone number or device ID to use for server-side authentication?

Thanks,
Ressor
Ressor
Developer
Developer
 
Posts: 28
Joined: Wed Oct 14, 2009 11:43 pm
Location: Boston MA USA

Postby Ressor » Tue Dec 29, 2009 3:25 pm

Hi,

I am actually still working on this myself and plan to post my final design, but here is the outline of what I've done.

- Force the app to register with the server upon first execution if no key is found in SharedPreferences.
- Key is sent by SMS to users phone during first execution to validate that only this device get's a key.
- Pop up a registration license key entry dialog. (May also require entry of Market transaction ID)
- Key is a combination of phone number, Device ID and secret phrase (md5sum)
- Key is saved in SharedPreferences and validated on server end each time app is executed.

This way, the app can only be registered once for any given phone number.
The only thing I need to figure out is how to match the phone number with the actual purchase, but it may not matter at first since I can shut off any user from accessing my server at any time by flagging their phone number in my server-side code.

This approach can be used on any app, but requires server-side programming and Internet communication from the app.

The server-side code is where most of the magic happens and basically it will have to handle keeping all users in a DB and knowing if they have registered, what their key is and every time they execute the app, it will decipher their key and make sure it matches the phone number, device ID and my secret phrase.

I'll write up the final design when I finish it and test it soon.

Please let me know what you think.
Ressor
Developer
Developer
 
Posts: 28
Joined: Wed Oct 14, 2009 11:43 pm
Location: Boston MA USA

Top

Return to General

Who is online

Users browsing this forum: No registered users and 3 guests