Can In-App Purchase Prevent Software Piracy

Question

I realize if a developer releases a paid app in Google Android Market. Very soon, the paid app will be distributed free through other Android Market. This piracy issues especially true, when comes to China market. For instance, Where's My Water (Chinese)

I was wondering, can In-App purchase prevent such piracy issue?

Purchasing Additional Items Through In-App Purchase

1. User purchases additional items through In-App purchase.
2. A secret key, was written to user preference. The secret key is generated based on user Google account used, during In-App purchasing. The reason we do not use hardware ID is that, we want the same user able to enjoy the In-App purchase items, even he is using other device.

Verification Using Secret Key

1. So, verification will always be done, when user tends to use the additional items. Even when the user distributes the secret key to others, it won't work. As the secret key is only valid for that particular user.

I was wondering, is this one of the common practice being implemented, to fight against Android app piracy issue? As I do not see much discussions regarding this technique. Not sure is there any pit-fall I had missed out?

Answer 1

Something like that :)

This largely depends on the type of in-app purchase: if it is content (images, video, etc.) they download from your servers, you can do checks on the server and unless someone hacks your server, it will be nearly impossible to cheat.

For adding/enabling features that are already in the app, you need to save somewhere the list of items they bought, so you app knows what features to enable. If you simply save it to a file/shared/preferences/DB, someone can simply edit those (on a rooted device, of course) and add whatever items they want. Therefore you need to obfuscate your item cache, to make it harder to modify. One way of doing this is to encrypt it on disk and decrypt in your app. If you use the same key for all devices, it would be trivial to just copy the file/database to another device to enable the features without paying. That is why you need to derive the key from something specific to the particular device (MAC address, ANDROID_ID, etc.). If can use the Google account to derive the key, but you need to check with AccountManager that the user actually has this account registered on their device (this requires an additional permission).

As for using a hardware ID, items/subscriptions are tied to the user Google account, so you can use RESTORE_TRANSACTIONS on any device to get the purchased items. Using a hardware ID to obfuscate the item cache is not a problem, since it is only used to store things on disk, not to get purchase state and thus does not prevent the user from using the app on multiple devices.

Answer 2

In general in-app purchases are more protected against piracy. The fact that the purchase takes place inside the game makes it harder for the pirate to replace parts of the software with other hacked parts. In addition, in-app purchasing is less flexible and allows you to utilize redundant methods of protection.

The method you described could be ok depending on how well you hide your secret key. It's true that the key can't be used with others but it will be usable by the same account over and over again. Our recommendation would be to follow this process:

• Authenticate with your own server over TLS/SSL
• Obtain a secret key that will be valid for one transaction only
• Use the secret key for the transaction and forgot it imediatly

This will be much harder to hack.

Good luck and let me know if you need anymore help.