Apps Securing Paid Apps

[tootdroid]

How do you, as a developer, secure a paid app in android market?

I am not asking for technical information but rather what is the information model between android market and the developer, such that the developer can automate registration and unlock the application?

If the app must implement registration, as it seems android market does not, how does the app know that the user has paid? I know google checkout supports dynamic information flow, but android market controls the checkout, so the developer does not have access to customer information during the checkout process, correct?

How does one verify a paid customer?

 

[xathras]

Hi There,
I would be interested to see what responses you'll get here, as I have interested in developing some apps which would go on the market as a paid for app.

Looking at Apps on what i've seen thus far on the market, it seems to be more of a HTTPS POST Form based solution that links to an external server to manage.

I had originally wonder on whether an SQL-Lite3 solution would be good. However, I had major concerns about security and the storage of the data.

Does anyone have any ideas out there?

 

[tootdroid]

Xathras,

I am not sure what you are asking or whether it relates to my question. If not, could you start a different thread, please?

In the solutions I am familiar with, the market app (blackberry app world, mobihand, etc) requests a key from the developer (or third-party) key server and supplies it to the paying customer automatically as part of the checkout process. In some cases, the customer does not have to install the key, because the market app installs the key automatically. In other cases, the customer has to copy and paste the key to unlock the developer's app.

In the key retrieval transaction, the market app provides unique customer information such as email and device ID for the key generation. For customer support issues the vendor (ie developer) can verify paying customers by that unique information. Also, the app running on the device, can request the same information to verify a paid instance.

I repeat my question. What is the android model for this type of information flow?

Please help.

 

[gorn]

It's really basic.

You post an apk to the market, select if you want it copy-protected or not.
A user buys your apk via google checkout. You can setup a https:// url for google to callback after a checkout. Google Checkout - Google Code
Then the customer gets an email with their order number. And you get some information on your google checkout accessible via their APIs. information is:
Order number
Item purchased (Application name)
Customer name
Customer city, state, zip, country
You also get a virtual email address to contact them.

The customer has 24 hours to refund their purchase.

 

[tootdroid]

Thanks, gorn.

The customer has to use Android Market from the device, correct? If so, does any of that customer information from google checkout include unique information that is also available to the paid app at runtime (eg device id)?

If not, I still do not see the lock/unlock hook for paid apps. The important point being that certain information is available to both the point of sale and to the paid application at runtime. The point of sale provides the key for the customer to store on the device. The paid app generates a matching key at runtime to compare with the stored key from the point of sale. Both have to use the same unique information.

 

[gorn]

The customer has to use Android Market from the device, correct?

Correct.

If so, does any of that customer information from google checkout include unique information that is also available to the paid app at runtime (eg device id)?

No. Purchases are supposed to carry between devices (when that user gets a new phone and sets it up with his same gmail the existing paid apps will show as downloadable). But Google really should (but doesn't) provide a way for apps to query the market's "purchased" status.