Hi all,
Sorry if this is a duplicate but I already searched for an answer and couldn't find one. I am working on an Android app that I wish to distribute as trialware and I am seeking info on best practices.
First of all, what is the best way to make sure that users cannot get the free trial again by reinstalling? This is critical, of course.
Next, how do I manage the expectations of my users who think they are downloading a totally free app? Is there a better way than just shouting it in the app description?
Any other advice, links or suggestions on this topic are much appreciated!
Thanks in advance,
Barry
Hi!
The only way to prevent resetting the trial period by reinstalling is to create a server and validate the device only by some of its hardware IDs.
Alternatively, you can use an online service like https://trialvalidator.com.
Robert
Just keep in mind that server validation isn't bulletproof.
Users can use a simple firewall like Droidwall to block incoming/outgoing communications or both for individual or all apps.
There's LBE or Pdroid which can prevent apps from obtaining uniquely identifiable information and also change it so that each time your app requests the ID it gets a different random ID.
Then there are "code patchers" like LuckyPatcher and others which can patch the server validation within the app and bypass it.
You might get lucky and be releasing an app whose target market isn't a particularly tech savvy audience, but personally I run a very tight ship on my phone, and will not install any apps without locking them down completely.
This includes free and purchased apps.
Even my system apps are screened and only allowed to access the bare minimum on my phone to retain their functionality.
Have you looked into having crippled/free and full/paid versions of your app? Or a crippled app that has an in-app purchase option to upgrade to full functionality?
Another option would be an always-on internet requirement, but unless it's a really great MMO game, users are not going to be too happy about that, especially if, for example, your app is a music player or shopping list or single-player game.
I'm not trying to disseminate methods to bypass validation, or dishearten your app protection efforts. This is just an FYI.
Hey there,
I saw a couple of posts on the Internet regarding this new Tasker plugin. I was wondering how it really works, but couldn't find any detailed explanation on how exactly this works.
I'm a bit sceptical installing a Tasker plugin which can be controlled by any browser. Sure you have to know the shortened URL and you can define a password, but I don't see myself handing over control of my phone to a Tasker login lying around in the cloud somewhere.
Any insights?
https://play.google.com/store/apps/details?id=com.joaomgcd.autoremote.lite
This is the lite version if anyone is interested.
How to from pocketables
http://www.pocketables.com/tag/autoremote
AutoRemote developer here
Hi.
I'm AutoRemote's developer.
What exactly are your concerns over AutoRemote's security?
The way it works is, like you said, you control your phone from your own personal URL. You give that URL to other people or keep it to yourself. The probability of someone finding that URL by chance is extremely low, and even if they do, they would have to guess which commands you configured on your phone.
Feel free to ask any questions and I'll try to answer them.
Hi,
thanks for taking the time to answer my questions. And I have to admit, I was a bit vague in my first post.
How does the communication between my desktop browser and my phone work? Let's say I defined a message and send it from my browser at work to my phone, which is on the mobile network. How does this work? Will the message be sent from the PC to the phone? I don't know how that would work, as the IP I got from my ISP is behind a firewall and there is no way to directly reach my phone. This leaves two possibilities:
1. the phone has a constant connection to the server, like an ssh tunnel (http://autoremotejoaomgcd.appspot.com/?key), or
2. the phone itself checks for new messages on the server in regular intervals (again, http://autoremotejoaomgcd.appspot.com/?key)
1. battery will drain a lot, judging from my experience with ssh or VPN. Phone won't go into deep sleep.
2. Messages will be stored on the server.
I guess 2 is more likely, but then again, I could be talking out of my a**
My main problem with it though: Everything done via http://autoremotejoaomgcd.appspot.com/ is a black box for me. You could save all messages, including passwords and messages and this is a big problem for me. Don't get me wrong, but why should I trust you with this data when you could do all kinds of nasty things with the devices. Let's assume I made a message to remotely wipe my phone, you could do same, couldn't you?
I'm not saying you do these things, but I don't know you
I guess my question is, any way to host the middleman goo.gl/12345 and http://autoremotejoaomgcd.appspot.com/ myself?
If I'm wrong about these things, please feel free to correct me and thanks again for taking the time
Greetings
Thanks for the friendly message.
About the first part, the way it works is, the autoremotejoaomgcd.appspot.com page sends a message to Google which in turn sends a push notification to your phone.
That doesn't drain any more battery than it would otherwise, the connection to Google's servers to receive push notifications is always open anyway.
This is the same way you receive new email alerts or instant messages on other apps.
About the second part, yes, it's true. If I wanted, I could keep all your messages and resend them. I certainly DON'T do that, but why would you trust me?
Well, what I always say is, use AutoRemote for fun and non-dangerous stuff if you don't feel like trusting me. If you feel I'm not a bad guy (I already have lots of positive reviews on Google Play that show that I haven't done anything wrong), then by all means create a remote-wipe profile in Tasker.
Hope this helps!
Hey man,
Thanks for the explanation and sorry for the delay, but the last couple of days were pretty busy. Anyway, I still have a follow-up question.
I'm curious about the Google push notification feature you mentioned and I'd like to know how that works. I hope there is some sort of mechanism to prevent people from sending notifications to my device without my consent. If you could point me in the right direction in terms of documentation I would be grateful (well, I already am for your response).
I think I will give it a try and use incoming email for wiping device. Being able to disable my xmpp account on the tablet when phone leaves home would be a great feature. So, thanks again for your effort and your answer.
Have a nice day.
Hillbicks
Hi,
I know this is an old thread but wanted to jump in since the developer seems to be on this thread.
From a security perspective, a couple of suggestions:
Make both the Google Short URL and the URL that the Google Short URL directs to HTTPS. This would keep people on the local network from sniffing both your URL query string and password. Certificates appear to already be in place, so it's as simple as adding a character, assuming AutoRemote would allow it.
Use the password as a hash to encrypt the data being passed over the Google Servers. Process would look something like the below, and would ensure total security of the data being transmitted.
1. Web form uses client-side JS to encrypt any data based on password
2. Encrypted data is BASE64 encoded to plain text
3. This string is sent through the notification engine of Google
4. When received, the phone decodes the BASE64, then decrypts using the password
Thanks,
Ben
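The scheme outlined in the post above, as an added example (not AutoRemote's code and not written by anyone in this thread): a password-derived key encrypts the command, the result is Base64-encoded for the relay, and the receiver decodes and decrypts it. It goes beyond the post by using authenticated encryption and by rejecting stale or repeated messages, which covers the earlier concern that the relay could keep and resend messages. The function names, wire layout and 60-second window are assumptions.

```javascript
// Added example: password-based end-to-end protection for a relayed command.
const nodeCrypto = require('node:crypto');

const MAX_AGE_MS = 60_000;   // assumed freshness window
const seenIvs = new Set();   // IVs already accepted (prune entries older than the window)

// Derive a 256-bit key from the shared password; the random salt travels with the message.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Sender (the web form in the post): encrypt, then Base64-encode for the relay.
function seal(password, command, now = Date.now()) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = JSON.stringify({ ts: now, cmd: command });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Receiver (the phone): Base64-decode, decrypt, verify the tag, check freshness and reuse.
// Returns the command string, or null when the message must be ignored.
function open(password, wire, now = Date.now()) {
  const raw = Buffer.from(wire, 'base64');
  if (raw.length < 16 + 12 + 16) return null;   // too short to hold salt, IV and tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const ct = raw.subarray(44);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
    decipher.setAuthTag(tag);
    const body = Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
    const { ts, cmd } = JSON.parse(body);
    if (Math.abs(now - ts) > MAX_AGE_MS) return null;   // stale: a stored copy sent later
    const id = iv.toString('hex');
    if (seenIvs.has(id)) return null;                   // same message delivered twice
    seenIvs.add(id);
    return cmd;
  } catch {
    return null;   // wrong password, or ciphertext modified in transit
  }
}
```

With this layout the relay only ever handles the Base64 string, so it cannot read a command, alter it, or have a stored copy accepted a second time.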
Fmstrat said:
> Hi,
> I know this is an old thread but wanted to jump in since the developer seems to be on this thread.
> From a security perspective, a couple of suggestions:
> Make both the Google Short URL and the URL that the Google Short URL directs to HTTPS. This would keep people on the local network from sniffing both your URL query string and password. Certificates appear to already be in place, so it's as simple as adding a character, assuming AutoRemote would allow it.
> Use the password as a hash to encrypt the data being passed over the Google Servers. Process would look something like the below, and would ensure total security of the data being transmitted.
> 1. Web form uses client-side JS to encrypt any data based on password
> 2. Encrypted data is BASE64 encoded to plain text
> 3. This string is sent through the notification engine of Google
> 4. When received, the phone decodes the BASE64, then decrypts using the password
> Thanks,
> Ben
I'm with Ben here. I just installed AutoRemote for testing and tried adding my Linux box as a registered device. That implies entering a valid username and password for the Linux box, and I'm guessing that both username and password are sent in the clear when sending a message from AutoRemote to the Linux box. This is a major security risk, and perhaps Ben's solution could be easily implemented...
I think AutoRemote is a great idea with a great execution so far, just lacking the security component for our peace of mind!
Ivan.
There's lots of stuff you can do with autoremote that requires no security. I used it, like the pocketables guy, to spread alarms between two android devices. Lowers the risk of one device's alarm failing to go off, and I'm hard to wake up, so the more alarms the better. All I passed through autoremote was the time and the command the client needed to know what to do with the time. Security for such a transmission just isn't necessary.
Not that I am opposed to you guys getting your security, but I'd imagine it'd be a pricier functionality, and what exists now is for applications where security would be unnecessary.
fortunz said:
> There's lots of stuff you can do with autoremote that requires no security. I used it, like the pocketables guy, to spread alarms between two android devices. Lowers the risk of one device's alarm failing to go off, and I'm hard to wake up, so the more alarms the better. All I passed through autoremote was the time and the command the client needed to know what to do with the time. Security for such a transmission just isn't necessary.
> Not that I am opposed to you guys getting your security, but I'd imagine it'd be a pricier functionality, and what exists now is for applications where security would be unnecessary.
Not sure if anyone is still monitoring this, but I still think it would be really awesome to be able to do this without the need to loop through someone else's server.
Does anyone know of something that is out there that would allow one to do that?
--Ironhead65
ironhead65 said:
> Not sure if anyone is still monitoring this, but I still think it would be really awesome to be able to do this without the need to loop through someone else's server.
> Does anyone know of something that is out there that would allow one to do that?
> --Ironhead65
Hi, as long as your sending device and the receiver (that may be another phone or a PC) are in the same network, there is a possibility to send the messages directly via WiFi. Also, messages can be sent by using Bluetooth.
So, as long as you're connected to the same network (which you usually are as long as you're at home), or your devices are in the same room, there is no need for external servers.
Greetings!
@joaomgcd
Any news on that matter?
C0qRouge said:
> @joaomgcd
> Any news on that matter?
What part exactly do you mean?
Thanks for taking the time! There are many interesting ideas in this thread.
* HTTPS <-- seems to be already in place
* Encryption of communication
* no private server, only direct connection or google as a relay
And to add: it would be nice to have a bit of documentation "behind the scenes" to understand what's going on and how the devices are communicating with each other.
C0qRouge said:
> Thanks for taking the time! There are many interesting ideas in this thread.
> * HTTPS <-- seems to be already in place
> * Encryption of communication
> * no private server, only direct connection or google as a relay
> And to add: it would be nice to have a bit of documentation "behind the scenes" to understand what's going on and how the devices are communicating with each other.
+1 to direct communication, as in LAN communication ONLY
Two devices both running Tasker/AutoRemote, able to communicate with one another on the same network, without being routed outside the network... ever
Whether that's feasible... I don't know
I also like the encryption bit
Basically, for my final project we're working with an external company that wants stuff done for free or very close, and this includes an Android app.
The app I'm going to try to make will be private for the company to give out locations using Google Maps and GPS/geolocation.
The app will be distributed through the site we are developing to certain users and not featured on the marketplace due to privacy issues.
Problem is I've never developed for Android or any mobile platforms and have an extremely basic knowledge of Java, but I mainly develop for web and Windows using C#, so naturally I have a few questions for people with experience in Android development.
1. Is it possible to have the app powered by Google Maps?
2. Any suggestions of how one user will be able to upload GPS coordinates to this app?
3. Rough idea of how long it would take e.g. few hours, few days, few months?
4. Overall is it possible, any problems I might run into?
5. Any advice, tips, or better suggestions?
Thanks a lot for reading this far, any answers or help would be greatly appreciated.
OK people
I’m pretty good with IT and the written word but have no coding experience whatsoever. I want to develop a phone App (both iPhone and Android).
The app will include Google mapping technology, Facebook check in capability, account sign up and message system to fellow subscribers and push notifications triggered by geographical location and in app advertising.
I know there are different web based services and software for App development. But I am totally overwhelmed over where to start and I’d rather not learn to code from scratch.
If anyone could point me in the direction of any required reading/research, web tutorials or lectures I would be most grateful. Or if there is software that would allow me to develop the app easily. I don’t really like the idea of signing up with an online service in case I want to move the app to a business model in the future.
Alternatively any affordable services that allow me to keep full control of the app even if I unsubscribe could work.
Thanks in advance
Rumski
This will be useful for you..
http://forum.xda-developers.com/showthread.php?t=1914819
Hi everyone!
I apologise in advance if this is not the right section, but it seemed to me the best and you'll see why in a second.
I'm writing here because I need the help of other developers and / or knowledgeable people.
I'm at the last year of university and in order to graduate I have to complete a stage in a real world company.
This morning I went to talk to one of them to discuss their project.
Basically the situation is this:
They have their company wiki that keeps track of the multiple products they sell and stuff. The wiki uses 2-way SSL, so the client has to have an SSL certificate created by the company in order to access the website. That is to prevent unauthorized access to the website, which is for the company workers only.
The project consists in creating a web app to allow access to the wiki via mobile.
So this app should access their website, validate the server SSL, send its certificate to the server and then navigate around the website.
Now the thing that scares me is the 2-way SSL. I've never dealt with something like this so I have absolutely no idea about how hard it could be.
They all use iOS, but they said they could be switching to Android very soon so they'd like the app to be multiplatform.
I know there are some frameworks like PhoneGap that allow me to write the code only once and then deploy it on the OS of my choice, but I don't know if there would be problems with the SSL stuff.
Maybe iOS handles authentication in a different way than Android.
But even if I could write multiplatform code, I have no idea how hard it is to handle 2-way SSL.
Can someone help me understand this better?
What would I have to do in order to get this done?
I have only two months, I'm an average student but I have no experience on mobile.