android - Google in app purchase and cracking -


I developed an app that's become popular, and someone cracked it. I'd like to know, first of all: how? And, if you know one, a workaround to avoid this. The app uses in-app purchase as per the Google example to unlock premium features, in this way:

    private IabHelper mHelper;

    if (!isPro(getActivity())) {
        mHelper = new IabHelper(getActivity(), kkk);
        mHelper.enableDebugLogging(true);
        mHelper.startSetup(new IabHelper.OnIabSetupFinishedListener() {
            public void onIabSetupFinished(IabResult result) {
                if (!result.isSuccess()) {
                    return;
                }

                // Have we been disposed of in the meantime? If so, quit.
                if (mHelper == null) return;

                // IAB is set up. Now, let's get an inventory of stuff we own.
                mHelper.queryInventoryAsync(mGotInventoryListener);
            }
        });
    }

    IabHelper.QueryInventoryFinishedListener mGotInventoryListener = new IabHelper.QueryInventoryFinishedListener() {
        public void onQueryInventoryFinished(IabResult result, Inventory inventory) {
            // Have we been disposed of in the meantime? If so, quit.
            if (mHelper == null) return;

            // Is it a failure?
            if (result.isFailure()) {
                return;
            }

            Purchase pro = inventory.getPurchase(PRO_STRING);
            SettingsProvider.putSecBoolean(getActivity(), "pro", pro != null && verifyDeveloperPayload(pro));
        }
    };

    IabHelper.OnIabPurchaseFinishedListener mPurchaseFinishedListener = new IabHelper.OnIabPurchaseFinishedListener() {
        public void onIabPurchaseFinished(IabResult result, Purchase purchase) {
            if (mHelper == null) return;

            if (result.isFailure()) {
                return;
            }

            // Pro is unlocked from the client-side result alone.
            if (purchase.getSku().equals(PRO_STRING)) {
                SettingsProvider.putSecBoolean(getActivity(), "pro", true);
            }
        }
    };

    boolean verifyDeveloperPayload(Purchase p) {
        // The payload is read but never checked: every purchase passes.
        String payload = p.getDeveloperPayload();
        return true;
    }

    @Override
    public void onDestroy() {
        super.onDestroy();
        if (mHelper != null) {
            mHelper.dispose();
            mHelper = null;
        }
    }

And the purchase process:

    mPro.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View v) {
            // Random per-purchase developer payload.
            RandomString randomString = new RandomString(36);
            String payload = randomString.nextString();

            // The helper is null when setup was skipped or it was already disposed.
            if (mHelper == null) return;
            mHelper.flagEndAsync();
            mHelper.launchPurchaseFlow(getActivity(), PRO_STRING,
                    IabHelper.ITEM_TYPE_INAPP, RC_REQUEST,
                    mPurchaseFinishedListener, payload);
        }
    });

OK, someone somehow cracked it. This means the content available in the pro version is free without being paid for. Maybe someone can share their experience and suggest a way to avoid this?

And also, does anyone know how this can be done? Thanks.

Brief explanation

Android applications are quite easy to crack. First of all, if you are not using obfuscation on your code (ProGuard, DexGuard, ..), the code can be read and understood using tools like JD-GUI. In some cases, the smali code is pretty easy to understand as well.

Obfuscation won't save you from cracking. There are de-obfuscators available on the market, and someone with high pitched reverse engineering skill is still able to figure out how to bypass your (or Google's) protection.

Finally, there is LuckyPatcher. It is perhaps the most famous tool for cracking Android apps' protection. It targets all types of protections (Google's LVL, IAPs, advertising networks, ..) and tries to remove them on a statistical basis. In fact, it is not guaranteed 100%, but in the vast majority of cases it will work fine.

How to secure it, then?

You can't. There is no perfect 100% security in a mobile environment. What you can do, however, is try to make the cracker's work as difficult as possible.

A few ideas:

  1. Always obfuscate. It won't damage your app (if configured correctly), and it is yet another layer of protection for your code.
  2. Use DexGuard's tampering detection function. It will decrease the chances that your app gets cracked 2 days after an update is released.

There are a few more; I'll add them as I recall them all.

