問題描述
這種 Google LVL 政策實施是否合理安全? (Would this Google LVL policy implementation be reasonably secure?)
The default ServerManagedPolicy that Google provides in their License Verification Library relies on the server responses to determine the license revalidation interval. This results in requiring a revalidation every few days, in perpetuity. This is not only a nuisance to users, it can be a serious problem for users who go extended periods with no connectivity. (We just had an inquiry from a user who expects to be without Internet connectivity for several weeks, which is what motivates this question.)
In summary, I'm looking for an algorithm that will accomplish two things:
- drastically reduce the connectivity requirements compared to
ServerManagedPolicy; - provide the same level of anti‑piracy protection.
In an answer to this question the suggested policy algorithm is to ignore the times provided in the response from Google's server and instead to use a LICENSED expiration period of about a month, with license checks being attempted every few days (to extend the expiration period if a LICENSED response is received).
While this approach partially addresses the first goal, it still requires users to be connected once a month while using the app, so it would not work for (at least one of) our users.
The following algorithm accomplishes the first goal, but I don't know about the second. Any comments pointing out weaknesses of this algorithm, or suggestions for another approach, would be welcome.
- On first run, do a license check and insist on a LICENSED response before providing full functionality. Once received, set a relatively short expiration period (but longer than the refund period that Google Play provides, currently 15 minutes). Also register a grace period of a few days beyond that.
- The app would start checking again after the license expiration period. If it failed to connect (airplane mode, etc.), it would still function until the expiration of the grace period.
- After expiration of the grace period, insist on a second LICENSED response before allowing normal app functioning.
- After receiving the second LICENSED response, permanently enable all features of the app and never bother checking again.
- If an UNLICENSED response is received at any point, permanently disable full functionality. (The user can, of course, revert to step 1 by deleting all app data.)
Additional points:
- A suggestion was made to forgo the first license check and wait until the expiration of the return period before doing a license check. The purpose of insisting on the first LICENSED response is to prevent the exploit where, after a license check fails, the user simply stops the app process, clears the app data, and restarts the app. (The app provides value even if usable for only 15 minutes at a time.)
- The purpose of insisting on a second LICENSED response is to get around the buy‑run‑backup‑return‑restore exploit.
- I'm not asking whether call‑back license checking is a good idea or not (that's what Google offers in place of their deprecated copy protection mechanism). I'm also well aware that no anti‑piracy protection is foolproof and Google's entire licensing mechanism can be circumvented (in which case all questions about design of a policy algorithm are irrelevant). The main point of this question is the relative risks (to us) and benefits (to the user) of the above algorithm as compared to other policies (such as the
ServerManagedPolicy).
‑‑‑‑‑
參考解法
方法 1:
In regards to piracy, there's always going to be a risk, nothing you do will prevent it completely.
As opposed to other risks, you risk upsetting your customers with an app they can't use.
I would expect a lot of 0* reviews from unhappy customers who can't even use an application they paid for as it's been disabled, whereas the people who got the app for free will likely have no interruptions. It's like buying a dvd and getting your face full of copyright warnings, when the pirates receive uninterrupted viewing.
I would insist on a licensed response when purchasing the app, and not bother with the second response. If someone can find their way around one response, they will find their away around the second.
Edit: I agree with kcoppock that a licensed check 20 minutes after purchasing would cause the least interference to customers and avoid the refund bug you've mentioned