I cache the user's authentication when the ping to the Android Market server returns a GRANT_ACCESS pong.
Does anyone see any vulnerabilities in this strategy? I believe it is very strong, because I am obfuscating the key, and the only way to break it is to know the salt. Now, someone could open the APK and look for the salt, but that is actually not a casual level of hacking, and I don't think it is worth worrying about.
As you can see, device information is added to the obfuscator.

    // Try to use more data here. ANDROID_ID is a single point of attack.
    String deviceId = Secure.getString(getContentResolver(), Secure.ANDROID_ID);
    // The obfuscator key is derived from the salt, the package name and the device id.
    obfuscator = new AESObfuscator(SALT, getPackageName(), deviceId);
    mChecker = new LicenseChecker(this,
            new ServerManagedPolicy(this, obfuscator),
            BASE64_PUBLIC_KEY);
Next, the saved data is created:

    public void allow() {
        SharedPreferences settings = getSharedPreferences(PREFERENCES_EULA, 0);
        SharedPreferences.Editor editor = settings.edit();
        String uid = UUID.randomUUID().toString();
        // Store a random id once ...
        if (!settings.contains(ACCESS_KEY)) {
            editor.putString(ACCESS_KEY, uid);
            editor.commit();
        }
        // ... and its obfuscated form alongside it.
        if (!settings.contains(OBFU_ACCESS_KEY)) {
            String obfu = obfuscator.obfuscate(uid);
            editor.putString(OBFU_ACCESS_KEY, obfu);
            editor.commit();
        }
    }
Then I use another method to check the status of the cached content:

    boolean isCachedLicense() {
        SharedPreferences settings = getSharedPreferences(PREFERENCES_EULA, 0);
        if (settings.contains(ACCESS_KEY) && settings.contains(OBFU_ACCESS_KEY)) {
            String accessKey = settings.getString(ACCESS_KEY, "");
            String obAccessKey = settings.getString(OBFU_ACCESS_KEY, "");
            try {
                // The cache is accepted when the stored pair is self-consistent.
                return accessKey.equals(obfuscator.unobfuscate(obAccessKey));
            } catch (ValidationException e) {
                // unobfuscate() throws when the stored value was not produced by this obfuscator.
                e.printStackTrace();
                return false;
            }
        } else {
            return false;
        }
    }
Finally, I check isCachedLicense() in the following LicenseCheckerCallback methods: the @Override dontAllow() and the @Override applicationError(). If isCachedLicense() returns true, I let the user navigate.
In addition, the full source code is here.
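The following is an added model of the cache check described above; it is not the poster's code and not Google's AESObfuscator (which derives an AES-CBC key from the same salt, package name and device id). The obfuscator is modelled as HMAC-SHA256 under a PBKDF2 key derived from those same inputs, the SALT, package name and ANDROID_ID values are constructed, and the scenarios show which tampered preference states the check rejects and which it cannot tell apart from a real grant.

```python
import hashlib
import hmac
import uuid

SALT = b"constructed-salt"   # constructed stand-in for the APK's SALT byte array
PACKAGE = "com.example.app"  # constructed package name
ACCESS_KEY, OBFU_ACCESS_KEY = "ACCESS_KEY", "OBFU_ACCESS_KEY"


class Obfuscator:
    """Model of AESObfuscator: key material is derived from salt, package, device id."""
    def __init__(self, salt: bytes, package: str, device_id: str) -> None:
        self._key = hashlib.pbkdf2_hmac("sha256", (package + device_id).encode(), salt, 1024)

    def obfuscate(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), "sha256").hexdigest()

    def unobfuscate_matches(self, value: str, obfuscated: str) -> bool:
        # Stands in for accessKey.equals(obfuscator.unobfuscate(obAccessKey)).
        return hmac.compare_digest(self.obfuscate(value), obfuscated)


def allow(prefs: dict, obf: Obfuscator) -> None:
    """Mirror of the poster's allow(): store a random uid and its obfuscated form once."""
    if ACCESS_KEY not in prefs:
        prefs[ACCESS_KEY] = str(uuid.uuid4())
    if OBFU_ACCESS_KEY not in prefs:
        prefs[OBFU_ACCESS_KEY] = obf.obfuscate(prefs[ACCESS_KEY])


def is_cached_license(prefs: dict, obf: Obfuscator) -> bool:
    """Mirror of isCachedLicense(): true iff the stored pair is self-consistent."""
    if ACCESS_KEY not in prefs or OBFU_ACCESS_KEY not in prefs:
        return False
    return obf.unobfuscate_matches(prefs[ACCESS_KEY], prefs[OBFU_ACCESS_KEY])


def scenarios() -> dict:
    """What the cached check catches, and what it cannot tell apart."""
    device_a = Obfuscator(SALT, PACKAGE, "android-id-A")  # constructed ANDROID_ID values
    device_b = Obfuscator(SALT, PACKAGE, "android-id-B")
    prefs = {}
    allow(prefs, device_a)                                 # written via the server callback
    edited = dict(prefs, ACCESS_KEY="edited-by-hand")      # preferences file altered
    offline = {}
    allow(offline, device_a)                               # same write, no server involved
    return {
        "fresh_grant_accepted": is_cached_license(prefs, device_a),
        "edited_prefs_rejected": not is_cached_license(edited, device_a),
        "prefs_copied_to_other_device_rejected": not is_cached_license(prefs, device_b),
        # Everything the key depends on lives on the device, so the check cannot
        # distinguish a pair written after GRANT_ACCESS from one written without it.
        "pair_written_without_server_accepted": is_cached_license(offline, device_a),
    }
```

The last scenario is the property to weigh when deciding what the cache proves: it is a local consistency check with no expiry, not evidence that the server ever granted access.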