Getting false positives on the Google Play license check #25

Open
rosenpin opened this issue Apr 27, 2017 · 4 comments
rosenpin commented Apr 27, 2017

Hi,
I just found out about this library a few days ago and it looked very promising. I really appreciate your effort to make other developers' lives easier.

I tried implementing this library in a beta version of my app which I later released to the Play Store for beta testers, and it seems like I got several false positives from the library.

I made it so I get Firebase reports for when PiracyCheckerCallback returns dontAllow.
I also had Firebase log the installer app package name when sending the report.
After less than 30 minutes of the app being available to beta testers on Google Play I got already 2 reports for the following devices:

Manufacturer: Samsung
Model: SM-J111M
Board: Sc9830i
Android API: 22
Android OS: 5.1.1
Brand: Samsung
RAM: 919.67MB
Orientation: Portrait

Installed from: com.android.vending
Reason: This user is not using a licensed application from Google Play.

Manufacturer: Htc
Model: Nexus 9
Board: Flounder
Android API: 21
Android OS: 5.0.2
Brand: Google
RAM: 1.79GB
Orientation: Portrait

Probably an emulator for automatic crash reports (pre launch reports)
Reason: This user is not using a licensed application from Google Play.

The second one is a Google emulator so it might be a different story, but I'm almost certain that the first report is genuine, and is from a valid user.

This is the code I used:

```java
// Getting the first line of the file that contains the Google Play Licensing and Signing certificate codes
String[] lines = new String(arr).split(System.getProperty("line.separator"));
new PiracyChecker(context)
        .enableGooglePlayLicensing(lines[0])
        .enableSigningCertificate(lines[1])
        .enableDebugCheck()
        //.enableUnauthorizedAppsCheck()
        .callback(new PiracyCheckerCallback() {
            @Override
            public void allow() {

            }

            @Override
            public void dontAllow(@NonNull PiracyCheckerError piracyCheckerError, @Nullable PirateApp pirateApp) {
                if (prefs.enabled)
                    prefs.setBool(Prefs.KEYS.ENABLED.toString(), Constants.disabled);
                FirebaseCrash.log(piracyCheckerError.toString());
                FirebaseCrash.log(context.getPackageManager().getInstallerPackageName(context.getPackageName()));
                nullObject.toString(); // make the app crash
            }
        })
        .display(Display.ACTIVITY)
        .start();
```

I saw in the README that you recommend not running the PiracyCheck in multiple instances:

"When using Google Play Licensing you should call .destroy() in the onDestroy() method of your Activity to avoid multiple instances of the service running. Have a look to the Wiki for a sample Activity with .destroy()."

But in the current version of the app it might still happen, because I also check for license verification error from a service that may run simultaneously with the activity. Could that really be the source of the issue?

As I mentioned above, this seems to work for the most part, with the exception of this one user, which I doubt had the time to update and crack the app in less than 30 minutes, especially with the app being installed from Google Play, as the Firebase report says.

Looking forward to your response, I will try to analyse it further and any other information I find

Edit:
I updated the app again, now I should get the license key used in the verification process through Firebase. I just got another report:

Manufacturer: Meizu
Model: PRO 5
Board: Pro5
Android API: 22
Android OS: 5.1
Brand: Meizu
RAM: 3.63GB
Orientation: Portrait
App used to install: com.android.vending
Error: This user is not using a licensed application from Google Play.

I compared the license key I received from the report with my license key from the Play Store and they match.

Edit2:
OK, maybe I figured it out, previously I wasn't implementing the onError method, after implementing it I got many reports about it being triggered, is it possible that by default when an error occurs with the license verification, the dontAllow method is being called?

Anywho, this is the error message that I get:

OnErrorNot market managed error.

Will update as I get more information

Edit3:
Never mind, seems like it didn't solve the issue, for some reason Google pre launch report Nexus 9 manages to reproduce this issue every time

Manufacturer: Htc
Model: Nexus 9
Board: Flounder
Android API: 21
Android OS: 5.0.2
Brand: Google
RAM: 1.79GB
Orientation: Portrait

Edit3:
Ended up commenting out the .enableGooglePlayLicensing(lines[0]) line, for now I will rely on the app certificate verification


BigEnergys commented Apr 28, 2017

plus


Vel-San commented Jan 14, 2018

Plus.

@zacharee

This seems to happen when the device has just booted. I have the checker running in my Application class, which runs as soon as any of my components are activated, and it looks like PiracyChecker checks before Google Play Services has actually started.
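
An added example, not part of the thread or of the PiracyChecker library: one way an app could keep a licensing check that failed to complete (for example right after boot, or with an error like the one reported in Edit2 above) from being treated as a piracy verdict. The class, enum names, thresholds and delays are hypothetical, and the app is assumed to map its own callback results onto `Outcome`.

```java
public class LicenseVerdictPolicy {
    // Hypothetical categories; the app maps its callback results onto these.
    public enum Outcome { LICENSED, NOT_LICENSED, CHECK_ERROR }
    public enum Action { ALLOW, RETRY_LATER, BLOCK }

    private static final int NOT_LICENSED_TO_BLOCK = 2;  // assumed threshold
    private static final long BASE_DELAY_MS = 5_000L;    // assumed first retry delay
    private static final long MAX_DELAY_MS = 300_000L;   // assumed cap (5 minutes)

    private int consecutiveErrors = 0;
    private int notLicensedCount = 0;  // definitive answers since the last LICENSED

    // synchronized: an Activity and a Service may report results concurrently.
    public synchronized Action onResult(Outcome outcome) {
        switch (outcome) {
            case LICENSED:
                consecutiveErrors = 0;
                notLicensedCount = 0;
                return Action.ALLOW;
            case NOT_LICENSED:
                // A definitive answer, but require it more than once before blocking.
                consecutiveErrors = 0;
                notLicensedCount++;
                return notLicensedCount >= NOT_LICENSED_TO_BLOCK
                        ? Action.BLOCK : Action.RETRY_LATER;
            default:
                // CHECK_ERROR: the check did not complete, so it proves nothing.
                consecutiveErrors++;
                return Action.RETRY_LATER;
        }
    }

    // Exponential backoff after errors, capped at MAX_DELAY_MS.
    public synchronized long nextRetryDelayMs() {
        int shift = Math.min(Math.max(consecutiveErrors - 1, 0), 16);
        return Math.min(BASE_DELAY_MS << shift, MAX_DELAY_MS);
    }

    public static void main(String[] args) {
        LicenseVerdictPolicy policy = new LicenseVerdictPolicy();
        // Constructed sequence: two failed checks right after boot, then a real answer.
        Outcome[] afterBoot = { Outcome.CHECK_ERROR, Outcome.CHECK_ERROR, Outcome.LICENSED };
        for (Outcome o : afterBoot) {
            Action a = policy.onResult(o);
            String retry = a == Action.RETRY_LATER
                    ? " (retry in " + policy.nextRetryDelayMs() + " ms)" : "";
            System.out.println(o + " -> " + a + retry);
        }
    }
}
```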

@dipendrapkrl

@rosenpin do not depend on app certificate verification. Apps like App Cloner can easily make clones.
