Reputation: 4046
Hi, I'm working on a custom ROM for Android, and I will be putting a few of my paid market applications in the ROM for free. So I'm trying to come up with a secure way of detecting that the ROM is mine, so that people can't pull my apps out and use them on other ROMs without purchasing them from the market.
I know a build.prop check is a popular way of doing this; however, that is obviously not very secure, since you could decompile the app, get the string it was checking for, and just add it to your build.prop on any ROM.
So I came up with the idea of a signature check on a random application in the ROM. That way they would need to know what random app it was checking for, and the signature would have to be mine. Is it possible to change the test key that is used in the source to something unique? Or does anyone have any better ideas on this problem? I think a sig check on an app that would need to be in the ROM, such as framework-res.apk, would be sufficient and hard to detect that that's what I was looking for when decompiling.
Thank you for any help.
Upvotes: 0
Views: 402
Reputation: 2913
I think there are 3 ways to keep your paid application safe:
1. Commonly, mobile phone companies use the platform signature (which can be found in the source) to sign the pre-installed applications, so that users can't uninstall the system applications in common ways unless they root the device.
2. You can put some value in the system properties. At the start of your application, you can get the value from the system db and encrypt the value first (like MD5, which cannot be decrypted easily), then compare it with your MD5 hash written in your application.
3. Android provides a tool named ProGuard, which can obfuscate your code.
Hope this will help you!
Upvotes: 1
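The signature check proposed in the question, sketched as an added example that is not code from either poster: it pins the SHA-256 of the ROM's signing certificate and compares it with the certificate on framework-res.apk (package name `android`). The class name, method name and the all-zero pinned digest are placeholders.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: checks that a ROM package carries a pinned signing certificate. */
public final class RomSignatureCheck {

    // framework-res.apk is installed under the package name "android".
    private static final String ROM_PACKAGE = "android";

    // Placeholder: replace with the SHA-256 (32 bytes) of your own ROM signing certificate.
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];

    private RomSignatureCheck() {}

    public static boolean isRunningOnMyRom(Context context) {
        try {
            // GET_SIGNATURES is deprecated from API 28 but still returns the signer certificates.
            PackageInfo info = context.getPackageManager()
                    .getPackageInfo(ROM_PACKAGE, PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // Require every signer to match, so an extra foreign certificate fails the check.
            for (Signature signature : info.signatures) {
                byte[] digest = sha256.digest(signature.toByteArray());
                // MessageDigest.isEqual compares the full arrays rather than string forms.
                if (!MessageDigest.isEqual(digest, PINNED_CERT_SHA256)) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Package missing or digest unavailable: treat as "not my ROM".
            return false;
        }
    }
}
```

This only works if the ROM is built with your own release key instead of the public test key, and the check itself still lives in the APK, so it can be located and patched out by someone who decompiles the app.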