How can we stop people stealing our apps?


davefinney

Mar 27, 2018, 8:59:16 AM
to DroidScript
I have an app on Google play here: https://play.google.com/store/apps/details?id=scr.avgspdcamapp

My app appears to have been stolen several times, eg here: https://es.downloadatoz.com/tasca-the-avg-spd-cam-app/scr.avgspdcamapp/

It seems that they've taken my app, added ads and maybe other money-making coding, and made it available on their websites.

How can we prevent this happening?

Netpower8

Mar 27, 2018, 10:02:10 AM
to DroidScript
That is really an issue. Did you try to download it and check out what they did to your app? And check if it's really your app or just a website to lure others into downloading their app to infiltrate users' devices (trojan)?

davefinney

Mar 27, 2018, 10:50:37 AM
to DroidScript
No Np8, I have not downloaded any of the copy versions and there are several, I just gave 1 example. Maybe I should try downloading to find out?

It's either not my app at all, just malicious software,

Or it is my app, with ads and other stuff.

Either way, they've used my description from Google app, my images and even my app id and version!

If it is my app, it's the most brazen theft, no attempt at all to hide it!

Steve Garman

Mar 27, 2018, 2:52:35 PM
to DroidScript
No Dave, if it's not on Google play I don't recommend downloading it.

What makes you think they added ads?

These sites often either just download a copy of your apk or just link to the playstore.

However, some host pirate or fake versions of some apps and you can never be sure which apps are safe.

davefinney

Mar 27, 2018, 3:52:49 PM
to DroidScript
Hi Steve,
I think they've added ads because there aren't any ads in my app and their site says "Buy offers in the application: yes".

I have downloaded 1 of them, it says it's an APK and it's a bit larger than my app (as expected).

The APK doesn't scan as a virus.

I'll try installing it later.

Netpower8

Mar 27, 2018, 7:51:42 PM
to DroidScript
Be careful. Install it on a non-essential device (or a new or factory-reset device) that has no personal information.

Manuel Lopes

Mar 27, 2018, 8:43:25 PM
to DroidScript

Netpower8
Sorry, off-topic: I do not know how to send and receive PMs. Is it possible with DroidScript to make an app to decode and encode ,br broti? If yes, is it possible to contact you, or post here if permitted of course? Thanks

Dave

Mar 28, 2018, 6:51:48 AM
to DroidScript
Unfortunately there is not much we can do about these 'alternative' app stores :(

Most of them simply run a process to extract APKs and app information automatically from the Play store and then present the same APKs on their own dodgy stores. The worst kind go further and attempt to automatically disable purchasing code and/or inject advertising and malware.

That's why you should never install APKs from these sites.

Dave

Mar 28, 2018, 6:58:27 AM
to DroidScript
I guess if these sites tend to inject advertising materials into the APK/assets folder, then we could detect that by scanning for the number and/or size of internal assets at startup and refuse to run if that size is incorrect.

Perhaps someone needs to investigate the modus operandi of these sites..... 

.... but as mentioned earlier on this thread, be very careful when doing this and make sure you have a device that has no personal data on it, and do not use your normal Google logins/emails.
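
Editor's added example (not code from the thread or from DroidScript): the asset count/size comparison suggested above, run offline on a workstation against a downloaded copy instead of inside the app, so nothing has to be installed. It reads only the ZIP directory of each APK; the sample file sets, the function names and the 50% threshold are constructed assumptions.

```python
import io
import zipfile

SIGNING = "META-INF/"  # v1 (JAR) signature files; these change on any re-signing

def apk_entries(src):
    """Map entry name -> (uncompressed size, CRC-32) from the ZIP directory.
    src is a path or binary file object; nothing inside the APK is executed."""
    with zipfile.ZipFile(src) as zf:
        return {i.filename: (i.file_size, i.CRC) for i in zf.infolist() if not i.is_dir()}

def compare_apks(official, suspect):
    a, b = apk_entries(official), apk_entries(suspect)
    payload = lambda names: sorted(n for n in names if not n.startswith(SIGNING))
    same = payload(n for n in a.keys() & b.keys() if a[n] == b[n])
    report = {
        "added": payload(b.keys() - a.keys()),
        "removed": payload(a.keys() - b.keys()),
        "changed": payload(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "resigned": any(a.get(n) != b.get(n)
                        for n in a.keys() | b.keys() if n.startswith(SIGNING)),
    }
    # Assumed threshold: if under half of the official payload survives unchanged,
    # the download is some other app using the listing, not a modified copy.
    if len(same) < 0.5 * len(payload(a)):
        report["verdict"] = "different app"
    elif report["added"] or report["removed"] or report["changed"]:
        report["verdict"] = "repackaged"
    else:
        report["verdict"] = "same payload"
    return report

def make_apk(files):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf

# Constructed samples, not real APK contents.
OFFICIAL = {"AndroidManifest.xml": b"manifest-v1", "classes.dex": b"dex-original",
            "assets/user/app.js": b"function OnStart(){}",
            "assets/user/Img/icon.png": b"png-bytes", "META-INF/CERT.RSA": b"dev-cert"}
REPACKAGED = dict(OFFICIAL, **{"classes.dex": b"dex-original+injected",
                               "assets/ads/sdk.js": b"ad-loader",
                               "META-INF/CERT.RSA": b"other-cert"})
STORE_APP = {"AndroidManifest.xml": b"store-manifest", "classes.dex": b"store-dex",
             "assets/store/index.html": b"<html>", "META-INF/CERT.RSA": b"store-cert"}

if __name__ == "__main__":
    for label, sample in (("repackaged copy", REPACKAGED), ("store client", STORE_APP)):
        print(label, compare_apks(make_apk(OFFICIAL), make_apk(sample)))
```

APK Signature Scheme v2 and later keep the signature outside the ZIP entries, so the `resigned` flag only reflects v1 signature files; compare signer certificates with `apksigner verify --print-certs` on both files as well.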


davefinney

Mar 30, 2018, 8:35:49 AM
to DroidScript
Good news:

The APK was not my app, it was their app store.
My app, with my description, images, and version etc, is in their store but not available yet.
I don't know why they claim to have it.

Thanks all for advice, their app does demand serious permissions which must not be accepted on a phone with any personal details on there.
Eg that their app demands GPS, so the site owners can know your location (ie address).

Perhaps google could put a key into each app sold via them.

when the app is installed, it sends a device key back to google,

and google then activates that app on that device.

The app installed on any other device wouldn't run.


I don't know what security google has but do we think app security is strong enough or should we add something ourselves into our apps?

Netpower8

Mar 30, 2018, 8:39:29 AM
to DroidScript
Adding something ourselves helps until Google can do something. But there will always be a workaround. Nothing is unbreakable.

davefinney

Dec 20, 2020, 3:16:54 PM
to DroidScript
Would app.CheckLicense( key ) prevent theft of our apps?
From here: https://symdstools.github.io/Docs/docs/app/CheckLicense.htm
It says "If the App is not licensed it will show a dialog asking them to purchase the App from Google Play and then close the App."

Are there any examples of how to use CheckLicense, eg does it simply need to be put in OnStart as the 1st line?
Does the app then need internet access to verify the code just once, or every time the app starts?
If there's no internet, will the app close and annoy legitimate users?
And how can we test that it works before going live?

Dave

Dec 21, 2020, 12:46:29 PM
to DroidScript
You can use app.CheckLicense() to check if a user has purchased your app through Google Play. Google Play will cache the purchase for a given number of days (depending on how you configure it), so it will work even if the user is off-line. You can test it before going live using Google's demo license keys, and you can force a license rejection or accept for a particular user email address from the Google Play Developer console.

However... I would recommend using IAP (In app purchasing) instead, as not many people are willing to pay up-front for apps these days without trying them first. You need to be DS Premium to use it but there is a sample inside DS for premium users called "In-App Purchasing"

Here is the sample:-


/*
 In-App purchasing sample - 

 This sample demonstrates how to query a user's purchased Google Play items,
 please see the following link for more information:-
 

 Notes: If your email address is listed in the 'licence testing' section of the
 developer console settings page, any purchases you make will not be charged. 
*/

//Set to "IAP" or "SUBS"
var mode = "IAP"

//Change this list to your own product id's.
var products = "plugin_apkbuilder,plugin_spheroball,subs_premium1";
var productId = "plugin_spheroball";
    
//Called when application is started.
function OnStart()
{
    //Create a layout with objects vertically centered.
    lay = app.CreateLayout( "linear", "VCenter,FillXY" )

    //Create an 'info' button.
    btnInfo = app.CreateButton( "Get Store Info", 0.5, 0.1 )
    btnInfo.SetOnTouch( btnInfo_OnTouch )
    lay.AddChild( btnInfo )

    //Create a 'purchases' button.
    btnPurch = app.CreateButton( "Get Purchases", 0.5, 0.1 )
    btnPurch.SetOnTouch( btnPurch_OnTouch )
    lay.AddChild( btnPurch )

    //Create a 'buy' button.
    btnBuy = app.CreateButton( "Buy", 0.5, 0.1 )
    btnBuy.SetOnTouch( btnBuy_OnTouch )
    lay.AddChild( btnBuy )

    //Create a text control to show results.
    txt = app.CreateText( "", 0.9, 0.5, "Multiline,Left" )
    txt.SetMargins( 0,0.1,0,0 )
    txt.SetTextColor( "#ffffffff" )
    txt.SetBackColor( "#ff222222" )
    lay.AddChild( txt )

    //Add layout to app.
    app.AddLayout( lay )

    //Create a playstore object.
    playStore = app.CreatePlayStore()
}

//Called when user touches our 'Info' button.
function btnInfo_OnTouch()
{
    //Get product info from Google Play.
    //(Only paid items will be listed)
    playStore.GetBillingInfo( products, OnStoreInfo, mode )
}

//Show Play Store prices.
function OnStoreInfo( items )
{
    txt.Log( "Prices:" )
    for( var i=0; i<items.length; i++ )
    {
        txt.Log( "ProductId = " + items[i].productId )
        txt.Log( "Price = " + items[i].price )
    }
}

//Called when user touches our 'Purchases' button.
function btnPurch_OnTouch()
{
    playStore.GetPurchases( OnPurchases, mode )
}

//Show user's purchases.
function OnPurchases( items )
{
    txt.Log( "\nPurchases:" )
    for( var i=0; i<items.length; i++ )
    {
        txt.Log( "ProductId = " + items[i].productId )
        txt.Log( "Purchased = " + (items[i].purchaseState==0) )
    }
}

//Buy an IAP item.
function btnBuy_OnTouch()
{
    playStore.Purchase( productId, "MyToken", OnPurchased, mode )
}

//Handle completed purchase.
function OnPurchased( prodId, orderId, purchToken, devToken, packageName )
{
    console.log( prodId +" "+ orderId +" "+ purchToken )
    app.Alert( "Item purchased!", "My App" )
}

davefinney

Dec 21, 2020, 5:58:09 PM
to DroidScript
Thanks Dave, I'll look into that.