如何防止应用程序被盗(针对Android应用程序)?
我想知道防止人们窃取我的应用程序的最有效方法是什么(在线下载 .apk 的副本而不是购买它)。
我在其中一个(Droidbox)上花费了很多时间,并且在我可以保证提供专业版非法副本的人无法。
有人实施过这个吗?我尝试检查我的包签名和未签名副本的签名,但它似乎是相同的 - 也许我在这里做错了什么。我不确定人们是否真的分发了签名的 .apk,在这种情况下,我认为签名验证一开始就不起作用...
请注意,这个问题特定于 Android Marketplace 应用程序 -不同的是,应用程序交付不在我的掌控范围内,我无法将合法购买和非法下载联系起来。
I was wondering what the most effective way of preventing people from stealing my application (downloading a copy of the .apk online rather than buying it).
I've spent a lot of time on one in particular (Droidbox) and won't be releasing Sync until I can guarantee that the people who are providing illegal copies of the pro version aren't able to.
Anyone implemented this? I've tried checking my package signature verses an the signature of an unsigned copy but it appears to be the same - perhaps I'm doing something incorrectly here. I'm unsure whether people actually distribute the signed .apk in which case I don't think signature validation would work to begin with...
Please note, this question is specific to Android Marketplace Applications - the difference being, application delivery is out of my hands and I have no way of linking between a legitimate purchase and an illegal download.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(8)
我有同样的问题。我最近发现许多付费应用程序可以在此网站上免费下载:https://dlandroid.com/
我要求他们删除我的应用程序 APK,但我确信还有许多其他类似的网站。据推测,他们有一部 root 后的手机,可以从 Google Play 获取该应用程序的一份有效副本,然后将其上传到他们的网站上,免费分发给所有人。
您可能会花费大量的时间来确保网络上没有您的应用程序的盗版副本,或者实施复杂的盗版保护措施,这很可能会给您的真正付费用户带来不便。但我想最终,你必须做好权衡的准备,接受一定程度的损失是不可避免的,并希望大多数人是诚实的,通过正确的渠道获取你的应用程序,而不是冒着感染恶意软件的风险去像这样的狡猾的网站。
I have the same issue. I recently found a number of my paid apps available for free download on this site: https://dlandroid.com/
I asked them to remove my app APKs, but I'm sure there are many other similar sites. Presumably they have a rooted phone which gets one valid copy of the app from Google Play, then uploads it onto their web site to distribute to all and sundry for free.
You could spend endless amounts of time ensuring that there are no pirated copies of your apps on the web, or implementing complex piracy protection measures, which would most likely make things less convenient for your genuine paid users. But I guess in the end, you have to be prepared to make a trade-off and accept that a certain level of loss is inevitable, and hope that most people are honest and get your app through the proper channels rather than risk malware infection by going to dodgy sites like this.
现在可以使用新的 Google 应用程序许可。有关更深入的信息,请阅读 Android 开发者博客。
简短摘要:Google 提供了一个库,可以在电话上向市场客户端进行进程间调用。然后,市场客户端将询问谷歌服务器登录用户是否购买了该应用程序并将此答案转发给您。您的开发人员配置文件中应该有一个公钥,您需要用它来加密与谷歌服务器的连接,以防止欺骗答案。您还可以为查询提供应用程序和设备的唯一 ID,以便无法将批准的查询转发到另一台设备,并构建类似许可代理的东西,其中购买的副本将 IS LICENSED 答案转发到其他设备。
目前,这项服务看起来足够安全,甚至可以保护市场上更有价值的应用程序。我会尝试一下,也许在使用了一点之后会回来留下更多信息。
如果您的应用程序非常受欢迎,例如 EA 游戏或其他游戏,这并不能阻止用户破解它。要破解该应用程序,必须有人购买它,然后解压缩 apk,并编辑应用程序的字节码,以认为市场会发送正确的答案。新的字节代码可以打包到另一个 apk 中,并可以安装在每部允许侧面加载的手机上。
为了让这个变得更难,你总是可以尝试混淆你的 apk 并使你的字节码难以理解。
Now there is the new Google App Licensing available. For deeper information read about it in the android developer blog.
A short summary: Google provides a library that makes a inter process call to the market client on the phone. The market client will then ask the google servers if the signed in user has purchased the app and forward this answer to you. There should be a public key in you developer profile that you need to encrypt the connection to the google server to prevent spoofing of answers. You also provide a application and device unique id with the query to make it impossible to forward approved queries to another device and build something like an licensing proxy with one bought copy forwarding the IS LICENSED answers to other devices.
At the moment this service looks secure enough to protect even the more valuable apps in the market. I will give it a try and maybe come back and leave some more informations after I used it a little bit.
If your app is really popular like an EA game or something this wan't stop users from hacking it. To hack the app somebody has to buy it, then unzip the apk, and edit the bytecode of your app to think that the market send a correct answer. The new byte code can be packed into another apk and can be installed on every phone that allows side loading.
To make this harder you can always try to obfuscate your apk and make your bytecode hard to understand.
通过市场,应用程序买家和开发者之间有一个单一且有用的联系,即 Google 提供的用于联系买家的转发电子邮件地址。
利用集成回调设置将购买信息发送到您自己的服务器,您可以使用 PHP 通过电子邮件向购买者发送唯一标识符(注册码)(在购买期间从 google 发送回调时实时发送)。然后用户使用此电子邮件使用唯一标识符注册他们的软件,然后将其链接到他们的 Android ID(或 Google 帐户用户名),并且该软件被“激活”并保证合法 .
明显的问题
当需要用户阅读电子邮件时,为什么这是一个合适的解决方案?我们的市场是那些能够使用 Android 设备购买应用程序的人。 ,这意味着用户有一个 google 帐户,这意味着他们知道如何使用电子邮件。
如何在我的申请中使用带有唯一标识符的电子邮件?在您的应用程序中创建一个内容处理程序,用于处理“myactivator://uniqueid-or-something”之类的内容,这会导致您的应用程序与内部服务器进行通信,以密切关注激活情况。将此作为链接嵌入到电子邮件中,用户可以点击该链接。
我应该如何生成唯一标识符?我将以某种方式使用该电子邮件 - 我相当有信心 Google 已经使其足够独特,以禁止任何可行的联系信息销售方法。
那些已经购买了该软件的人怎么办?这里有很多选择 - 没有一个是理想的或糟糕的。
为什么要麻烦?
因为我们中的一些人放了很多<将时间投入到应用程序中并说“你应该接受盗版”简直是一记耳光。
There is a single, useful connection between an application buyer and the developer through the marketplace, the forwarding email address provided by google to contact the buyer.
Utilizing the integration callback setting to send buy information to your own server, you can use PHP to send a unique identifier (registration code) to the buy via email (real time as the callback is shipped from google during a purchase. The user then uses this email to register their software using the unique identifier that is then linked to their android ID (or google account username) and the software is "activated" and guaranteed to be legitimate.
Obvious Questions
Why is this a suitable solution when it requires the user to read email? Our market are those people who are capable of buying an application using an android device. By using an android device, it is implied that the user has a google account which implies they know how to use email.
How do I use the email with the unique identifier with my application? Create a content handler in your application that handles something like "myactivator://uniqueid-or-something" which causes your application to communicate to your internal server that keeps tabs on activations. Embed this as a link in the email that the user can click on.
How should I generate the unique identifer? I'm going to use the email somehow - I'm fairly confident google has already made it unique enough to disallow any feasible method of contact information selling.
What about people who have already purchased the software? A lot of options here - none ideal or terrible.
Why bother?
Because some of us put a lot of time into applications and saying "you should just accept pirating" is a slap in the face.
那些粗心大意地使用您的应用程序的盗版副本来访问他们的 DropBox 的人很可能正在使用他们的 DropBox 进行盗版。忘记那些人吧。让他们走吧。是的,我打赌有很多人,但让我们面对现实吧,这些人无论如何都不会付给你任何钱。专注于你可以控制的部分,忘记其余的。
重点关注使用 DropBox 进行工作、业务、自己的代码、财务、论文和/或私人家庭照片的 Android 用户。其中 95% 的人在他们的 DropBox 中拥有一些有价值的东西,并且希望将其保密,他们会想要购买您的应用程序(假设它对他们来说足够好)。
让我打个比方:
当谈到雇用一名锁匠来给你的家装锁时,你会雇用一个看起来很合适并且时薪 150 美元的人,还是会雇用一个愿意向你出售锁的阴暗家伙。被偷的锁放在你的前门上?
The people that are lax enough to use pirated copies of your application to access their DropBox are probably using their DropBox for piracy anyway. Forget those people. Let them go. Yes, it's a huge number of people I bet, but let's face it, those people were never going to pay you anything anyway. Focus on the parts that you can control, and forget the rest.
Focus on the Android users that use DropBox for their work, for their businesses, for their own code, for their finance, for their thesis, and/or for their private family pictures. 95% of those people, that have something of value in their DropBox, and that want it kept private, are going to want to buy your application (assuming it's good enough for them).
Let me use this analogy:
When it comes to hiring a locksmith to put a lock on your home, do you hire the guy that looks the part and takes $150 an hour, or do you hire the shady guy that is willing to sell you a stolen lock to put on your front door?
在最知名的论坛中发布您自己的非法副本,并让它在一周后自行禁用,并显示一条消息,例如“
感谢您的盗窃...”我以编写此应用程序为生。 x 美元不会伤害您,我可以在下一顿饭之前继续为您提供精彩的更新。
我认为这是你唯一能做的事情。人们总会找到一种方法来复制您的应用程序,而所有对策只会干扰为该应用程序付费的用户。
复制您应用程序的人不是您的客户,而且永远不会是您的客户。只需将他们对该计划的使用视为一种病毒式营销即可。至少他们正在谈论您的应用程序,也许他们的一些朋友会购买该应用程序。
Release your own illegal copy in the best known forums and have it disable itself after a week and showing a message like
Thanks for stealing... I make my living with programming this app. The x Dollar won't hurt you and I could by my next meal and go on making great updates for you.
I think this is the only thing that you can do about it. People will always find a way to copy your app and all countermeasures will only disturb the users that paid for the app.
The people copying your app aren't your customers and they never will be. Just see their use of the program as a kind of viral marketing. At least they are talking about your app and maybe some of their friends will then buy the app.
此处的一般共享软件建议 - 将软件许可给个人。即提供根据其用户名个性化的许可证密钥。如果钥匙上有他们的名字,他们就不太可能分发钥匙。您也许可以自动化订单的后端履行,以提供自定义密钥。让您的“Pro”版本在试用模式下运行,直到输入名称/密钥。
General shareware advice here - license the software to the individual. i.e. provide a license key that is personalized to their username. They'll be much less likely to distribute a key if it's got their name on it. You can probably automate the backend fulfillment of the order, to provide custom keys. Have your "Pro" version operate in trial mode until the name/key are entered.
不要离开您的计算机,以免有人从那里窃取您的应用程序。
或者等等..您的意思是您不希望其他人复制您的软件吗?那么.. 首先不发布它可能是您最好的选择。
一些相关链接: http://news.cnet.com/8301-27076_3 -20003120-248.html
你们也没有任何机制来估计非法复制软件的数量。享受你阻止雨的尝试,即使比你更大的实体尝试过但失败了。
Don't leave your computers so that someone can steal your applications from there.
Or wait.. Did you meant you don't want others to copy your software? Then.. not publishing it in the first place is likely your best option.
A bit related link: http://news.cnet.com/8301-27076_3-20003120-248.html
You neither have any mechanism to estimate amount of illegally copied software. Enjoy your attempts from stopping the rain even though entities bigger than you have attempted and failed.
有一个新工具似乎是真的:
来自 Keyes Lab 的自动应用程序许可。
我还没有尝试过,但如果这有效的话,听起来就像你想要在高价 Android 应用程序中使用的东西。
如果有人测试过请发表评论或编辑我的答案并提供个人反馈。
There is a new tool in the wild that seems to good to be true:
Automatic Application Licensing from Keyes Lab.
I haven't tried it yet but if this works it sound like something you want to use in your high priced android apps.
If anybody tested it leave a comment or edit my answer with personal feedback.