Software License Enforcement of a native SDK for Android 7.0+


Josh Klontz

Oct 27, 2016, 9:50:53 PM
to android-platform, bre...@rankone.io
Our company sells a native SDK for Android that is licensed on a per-device basis. For all of our supported operating systems (Windows, OS X, Linux, and Android up to version 7.0) we use the MAC address to sign a license file for the individual device. For Android we had been obtaining this address from `/sys/class/net/{wlan0,eth0}/address`, but no longer can due to the loss of read permission to this file.

What is the recommended path forward for us? Our requirements are:
1. License our native SDK on a per-device basis with a reasonable level of security.
2. Applications should be able to use our SDK without internet connectivity.

I've consulted https://developer.android.com/training/articles/user-data-ids.html and it seems like the only plausible approach is to obtain ANDROID_ID through a JNI call and assume the application calling into our SDK has READ_PHONE_STATE permission. Is this the recommended approach? The confounding factor is that we also ship a set of native command line tools that accompany our SDK (used from the adb shell). How would such an executable obtain READ_PHONE_STATE permission in this case?

I also looked into the DRM API but it doesn't seem designed for this use case as we have no data to decrypt.

All of this is quite complicated and it would be great if the NDK offered a function to obtain a persistent unique identifier. I had originally posted the above question to android-ndk group for this reason, but it was rejected and suggested that I post here instead.

Thank you in advance.

AppCoder

Oct 28, 2016, 10:53:50 PM
to android-platform, bre...@rankone.io

> I've consulted https://developer.android.com/training/articles/user-data-ids.html and it seems like the only plausible approach is to obtain ANDROID_ID through a JNI call and assume the application calling into our SDK has READ_PHONE_STATE permission. Is this the recommended approach? The confounding factor is that we also ship a set of native command line tools that accompany our SDK (used from the adb shell). How would such an executable obtain READ_PHONE_STATE permission in this case?


Ugh. Technically possible, but ugly hack follows.
Create a long running service in your app that can get the magic ID (and put up the long running notification.)
Have it listen on a socket to respond to requests from the command line tools.
Have the command line tools request the ID from the long running service.

Alternately have your SDK save the magic ID somewhere your command line apps can read (preferably with some permission or encryption or something at the time they do the license registration?)

Both are horrid (ID resets on factory reset, and keeping the file safe is a bother) but if you have to ship, you have to ship.
