How Can I Control The Usage Of A Custom Jar Library?

I need a way to essentially secure my jar library to allow registered apps to use it in their projects and deny usage to apps that weren't approved by me. It is fine if I hard code

Solution 1:

To me the best approach if you would like your library to stay standalone (without involving the network for checking or downloading pieces of the library, I mean) would be to make mandatory the use of an initializer class that would receive a token from the client application.

This would be crackable as the token validity test would be performed by your lib: one may modify the lib in a way is would just skip that test, but this would be made harder by the obfuscation. But this is probably sufficient, unless using your lib without having registered it is a really critical issue.

• So you would have something like:

  boolean Initializer.initLib(String passcode)  
  

That would prevent the lib to work unless passcode is correct.

You can make the obfuscation more efficient by avoiding checking that way:

publicvoidinitLib(String passcode) {
    if (passcode == A_GIVEN_PUBLIC_STATIC_THAT_STORESTHE_CODE) {
         // do the proper initializations 
    }
    else {
         thrownewRuntimeException("Bad passcode, sorry!");
    }
}

But doing that way instead:

publicvoidinitLib(String passcode){
    finalchar[] PASS_ENCRYPTED  = "f5uhjgf56ik8kv214d5".toCharArray();
    finalchar[] PASS_MINUSMASK  = "bc".toCharArray();
    finalint    PASS_SHIFT      = 11;
    finalint    PASS_MASK_MINUS = 2;

    for (int ctr = 0; ctr < PASS_MINUSMASK.length; ++ctr) {  
        finalchar next = PASS_ENCRYPTED[PASS_SHIFT + ctr - PASS_MASK_MINUS];

        if (passcode.charAt(ctr) != next - (PASS_MINUSMASK[ctr] - 'a')) {
            // make the lib unusable by some inits. But it should look as a proper initializationreturn;
        }
    }    

    // make the lib usable by some inits.
}

This looks stupid, but if you have a look at the obfuscated code, you will see a big difference. This code is just an example (it accepts "hi" as a valid passcode), any algorithm would be fine as long as its obfuscated version is not too straightforward to reverse.

• Now the question is: what passcode?

As the library's protection concerns the developpers of the client apps that will use it, and not the final users of these apps, you cannot rely on any piece of data specific to the devices on which the applications will run. So no IMEI or anything like that.

If these developpers are trustworthy that's fine. A fixed passcode is sufficient.

But if they are subject to give this passcode to other people to allow them using your library, this is more difficult. In this case I don't think you can solve it without a real "industrial" process such as registering the client apps and their code checksums, for example. Such a process needs a specific design and cannot be solved "just by the code", but as it also has a cost (time, resources, involvment of the client...) you can only consider this if the use of library is very critical.

Solution 2:

Can't you make your jar call your server with a specific code and the application name, to check if they are registered ?

Solution 3:

When you build an Android app with a jar, that jar is compiled into the app and becomes a part of it. You can't just copy the jar out of the package and use it elsewhere. Unless I'm not understanding the question, this shouldn't be an issue you need to worry about.