Added extra checks and option to save result to SharedPreferences #15
Conversation
…pps and third-party stores.
|
Everything seems fine to me. Good job. |
|
Thanks @franciscofranco |
|
Hopefully @javiersantos will merge this asap. |
|
@franciscofranco dependencies{
...
compile 'me.jahirfiquitiva:PiracyChecker:55dd8f3'
} |
|
Awesome. Was fighting myself not to clone the source code, but that makes it easy. Will test. |
|
Warning: Exception while processing task java.io.IOException: proguard.ParseException: Unknown option 'com.github.javiersantos.**' in line 21 of file '/Users/francisco/.android/build-cache/ae8be0d3bfa426908e10daea6f07d94c9a367342/output/proguard.txt' |
|
Removing com.android.vending.CHECK_LICENSE is giving me an "Allow" even if I don't have internet access. I'm on a debug build so it needs to check for license since it only caches the result for 60 seconds (which is perfect for testing). Adding back com.android.vending.CHECK_LICENSE but still offline it'll say "LibraryValidator: Error contacting licensing server." and returning "don't allow". I don't recall having test this with 0.0.3 of PiracyChecker, so I can't tell if it was caused by your changes. Will test now. |
|
@franciscofranco |
|
Confirmed with 0.0.3 and without com.android.vending.CHECK_LICENSE and without internet access it correctly returns "don't allow". |
|
Well, it should not allow it if returns "LicenseValidator: Error contacting licensing server." On debug builds cached responses last for 60 secs, after the 60 secs it needs to contact the server again to make sure the app is licensed. I think cache for production lasts longer so it won't an error even if the user doesn't have internet access. |
|
@franciscofranco dependencies{
...
compile 'me.jahirfiquitiva:PiracyChecker:9ab0ec8'
} |
|
On 9ab0ec8 if I remove com.android.vending.CHECK_LICENSE and I'm offline (without a response cached) now it doesn't even go through the allow() callback, it'll say "LibraryChecker: Binding to licensing service." and that's it, won't do anything else. As soon as I add com.android.vending.CHECK_LICENSE, while still offline and no cache what-so-ever it'll properly say "Error contacting the server" + "don't allow". |
| @@ -144,4 +146,11 @@ static boolean isDebug(Context context) { | |||
| return ((context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0); | |||
| } | |||
|
|
|||
| static boolean isConnectedToInternet(Context context) { | |||
There was a problem hiding this comment.
ConnectivityManager will check if the user has WiFi or data enabled. If LuckyPatcher or any other patcher uses an offline mode, this method will return true because the device is connected to the Internet.
This method doesn't fix the issue reported by @franciscofranco , since the license checker will return "Allow" when the user is connected to the Internet and using a simple bypass by LuckyPatcher (offline mode).
There was a problem hiding this comment.
Would you mind if I ask you for a suggestion?
|
I have made some tests, and definitely the only way for the checker to work properly is making sure it has the In my last commit I put it in the library's The bad part of this is LuckyPatcher will detect the apps as "patcheable", and from an user test, he can use lucky patcher to patch the app, then uninstall it, and the app would recognize the license as valid and lucky patcher as not installed. I guess there's still a long way for a license check to be completely secure or successful. |
|
Hmm... there's got to be a way to fake the permission instead of declaring it into the Manifest. I'll go research. |
|
@franciscofranco @javiersantos An user used the latest version from my fork. He says LuckyPatcher detects it, but does not allow to apply a patch, although it allows to create a modified apk. I guess what LuckyPatcher does is creating an app with the permission removed from the He tried creating the modified app and license check still works, although that could be because of checking if app has been installed from Play Store or not. He also uninstalled LuckyPatcher after these things, and said the app still said license was invalid. He even cleared data of the modified apk and license still was invalid. I am also saving the result to SharedPreferences, so that could be helping too. For me, these changes are working good enough, although I would like to know what you think. |
|
Good job with your PR, @jahirfiquitiva. As you say, I think that the permission must be included since it could break some checkers of the licensing service. For sure it will be detected by LuckyPatcher, but the main goal here is not to prevent LuckyPatcher from detecting the licensing library (which I don't think is possible) but to prevent LuckyPatcher from patching it. I have been testing my commits from yesterday (297f180, 82ae6a4, e7d4756). This changes should make harder to apply a patch to an app and after having some tests, LuckyPatcher generates a modified apk and passes the first test, but the license checker is still working in the resulting apk. |
|
I have nothing valuable to add, you guys said it all. @javiersantos maybe merge this and call it version 1.0? There doesn't seem to be possible to protect this any further and it might be good to get this battle tested in some production apps. |
With these commits, the library is able to check:
Also, allows the app to save the result of the license check in
SharedPreferencesdefined by user.And finally, removes the
com.android.vending.CHECK_LICENSEpermission from library'sAndroidManifest.xmlFrom my experience, it makes LuckyPatcher detect app as "patcheable".
It can still be added by users in their apps'
AndroidManifest.xmland they would be the ones who decide whether to use it or not. TheREADMEstill says they should, but has a note for they to know about this and decide.This should solve #13 and #14 .