本文是小编为大家收集整理的关于用服务器请求防止安卓盗版的处理/解决方法,可以参考本文帮助大家快速定位并解决问题,中文翻译不准确的可切换到English标签页查看源文。
问题描述
我正在研究需要服务器做大部分繁重升降的应用程序.我想防止盗版客户向该服务器发送请求.有没有办法向请求发送一些标识符,使得我的服务器可以要求Android市场如果具有该ID实际购买该应用程序的人?我怎么样做这件事?
请注意,只需使用LVL保护应用程序,因为人们可以相当轻松地将应用程序写入与服务器的接口,并且仍然提供与付费应用程序相同的功能.
推荐答案
首先:在您控制下方的设备上运行的任何内容(如您的情况下的Android设备),没有100%的安全性.
您可以通过几种措施使"滥用"更加努力:
- 在成功登录后发出随机会话密钥(加密安全),其中一个时间限制,所以在一定时间通过 后,需要发生新的登录名
- 为每个通信步骤发出随机交互密钥(加密安全),该步骤在一个用法之后无效
- 当AcceeL登录发生时终止与在登录之前可能处于活动状态的相同凭据关联的任何其他会话
- "油门"用法,即限制允许每分钟/小时或类似的呼叫数量(可能是不可能的,具体取决于特定应用)
如果您真的很想使其很难您可以发出特定于设备的客户端证书(当客户端购买您的应用程序时)并使用基于证书的客户端身份验证(在SSL标准中定义) - 您可以使证书无效如果您在其他设备的合法用户看到滥用的情况下,请与设备相关联...
其他推荐答案
从我的解决方案中取自此帖子 Android游戏一直被黑客攻击
实现自己的许可库
我还会通过Google I/O 2011 YouTube录制查看这一点:
编辑:
演示文稿注意到从逃避海盗和停止吸血鬼
一些基本关键点
- 修改lvl
- 实现 lvl篡改电阻
- 使用 obfuscation
- 添加反射
演示说明包含基本示例和修改方向.在YouTube视频中,有关于服务器端认证的讨论以及如何与盗版和资产下载等方式.无论你如何选择如何接近解决方案.
问题描述
I'm working on an application that requires a server to do most of the heavy lifting. I want to prevent pirated clients from sending requests to that server. Is there a way to send some identifier with the requests so that my server can ask the Android Market if someone with that id actually bought the app? How would I go about doing that?
Note that just protecting the app with LVL won't work, because people could fairly easily write an application to interface with the server and still provide the same functionality as the paid app.
推荐答案
First: There is no 100% security for anything you run on a device that is not under your control (like Android devices in your case).
You could make "abuse" harder by several measures:
- issue a random session key (cryptographically secure) after a successfull login with a time-limit so a new login needs to happen after a certain time has passed by
- issue a random interaction key (cryptographically secure) for every communication step which gets invalidated right after one usage
- when a successfull login happens terminate any other session associated with the same credentials that might be active before that login
- "throttle" usage, i.e. limit how many calls per minute/hour or similar are allowed (might be impossible depending on the specific application)
IF you really really want to make it very hard you can issue a device-specific client-certificate (when the client buys your app) and use cert-based client authentication (defined in SSL standard) - you can invalidate the cert associated with the device if you see abuse without harm for the legitimate users of other devices...
其他推荐答案
Taken from my solution from this post Android Game Keeps Getting Hacked
Implement your own licensing library
I'd also refer you to check out this from Google I/O 2011 YouTube recording:
Evading Pirates and Stopping Vampires
EDIT:
The Presentation Notes from Evading Pirates and Stopping Vampires
Some basic keypoints
- Modify the LVL
- Implement LVL Tamper Resistance
- Use obfuscation
- Add reflection
The presentation notes contain basic examples and direction for modification. In the youtube video though, there is discussion of server side authentication and how it relates to piracy and asset downloads etc. Specifically using a License Server, In App Billing and App Engine. But a good basis to learn from no matter how you choose to approach a solution.
更多相关问答
联系站长