javiersantos / PiracyChecker

An Android library that prevents your app from being pirated / cracked using Google Play Licensing (LVL), APK signature protection and more. API 14+ required.
Apache License 2.0
1.55k stars 174 forks

PiracyChecker fails to check whether the app is installed from Google Play Store. #78

Open adamvarhegyi opened 5 years ago

adamvarhegyi commented 5 years ago

Hi,

I'm using 'com.github.javiersantos:PiracyChecker:1.2.3' because my app does not yet integrate AndroidX.

I have numerous reports from user reviews in my app's Google Play page that they have installed the app from the Google Play Store, yet they are getting the piracy warning message.

Here are some examples:

[Image: whatisgoingon]

I also got a user report via email:

[Image: mail]

I use the piracy checker like this:

    public static void showPiracyActivityIfNeeded(final Activity activity) {
        if (!BuildConfig.DEBUG) {
            // Release build: run the piracy check.
            new PiracyChecker(activity)
                    .enableInstallerId(InstallerID.GOOGLE_PLAY)
                    .callback(new PiracyCheckerCallback() {
                        @Override
                        public void allow() {
                        }

                        @Override
                        public void dontAllow(@NonNull PiracyCheckerError piracyCheckerError, @Nullable PirateApp pirateApp) {
                            Intent intent = new Intent(activity, PiracyWarningActivity.class);
                            activity.startActivity(intent);
                            activity.finish();
                        }
                    })
                    .start();
        }
    }

My app has 4k reviews and only 3 of them are like this, but I don't know the exact user count because there could be users who don't comment about this issue.

What is going on?

Thanks in advance.

avipars commented 4 years ago

Is it possible that these downloads aren't legitimate?

adamvarhegyi commented 4 years ago

> Is it possible that these downloads aren't legitimate?

I don't think so. They wouldn't complain that way.

goldfish07 commented 4 years ago

Note: the piracy check requires an internet connection once to save the isregestered value in SharedPreferences;

Your users are getting this issue because

there can be many possibilities; what if the OS denied the app the use of the internet connection?

Solution: you can ask the user to enable the internet connection to check the license.

If it is an OS network-related issue, put a network security config in the manifest:

    <application android:networkSecurityConfig="@xml/network_security_config">

Then in res->xml create network_security_config.xml

and put

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <!-- base-config is the app-wide default; cleartextTrafficPermitted="true" allows unencrypted HTTP -->
        <base-config cleartextTrafficPermitted="true">
            <trust-anchors>
                <certificates src="system" />
            </trust-anchors>
        </base-config>
    </network-security-config>

adamvarhegyi commented 4 years ago

> put network security config in manifest
>
>     <application android:networkSecurityConfig="@xml/network_security_config">
>
> then in res->xml create network_security_config.xml
>
> and put
>
>     <?xml version="1.0" encoding="utf-8"?>
>     <network-security-config>
>         <base-config cleartextTrafficPermitted="true">
>             <trust-anchors>
>                 <certificates src="system" />
>             </trust-anchors>
>         </base-config>
>     </network-security-config>

Okay... but why? What is this needed for? What is this doing?

Ah okay I see you edited your answer. I'll try this.

goldfish07 commented 4 years ago

Have you seen my edited answers?

tzmm commented 4 years ago

Leaving this for posterity in case it helps anyone:

When we detect that the app wasn't installed from the Play Store, we pop-up a dialog that gives the user two options:

  1. Redirect them to the Play Store to reinstall from there.
  2. Contact support

When they contact support we open an email dialog and fill in some details to help understand what's going on, including the installing package name.

Generally these are people who are confused, and think they're installing from the right place, but inevitably, they'll have installing packages including:

  - ru..
  - com.apkpure.aegon
  - com.lenovo.anyshare.gps
  - cn.xender
  - etc...

Not saying we're not getting false positives, but we're definitely seeing a good number of support calls from people who think they've done the right thing.

I suspect the ru.. ones could be an official Play Store app replacement in Russia, but we're getting tons of installs from Russia so it's not clear to me if this is an official channel or not.

adamvarhegyi commented 3 years ago

After adding the network security config to the manifest, I thought this case was solved. I didn't meet it for a long time until today. This lib still fires false positives and I'm thinking about completely removing it. This way it does more harm than good.

By the way, one question:

> When they contact support we open an email dialog and fill in some details to help understand what's going on, including the installing package name.

How do you get the installer id? If I can get the installer id I could just check whether it is the same as the Google Play store and that's it? I have my own piracy checker?

Thanks in advance.

@tzmm
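One way to read the installer id asked about above and attach it to a support report, as an added example that is not part of the thread or of PiracyChecker's own code. The class and method names (`InstallerCheck`, `installerOf`, `classify`, `supportLine`) are hypothetical; `com.android.vending` is the Google Play Store's package name, and the platform calls are the standard `PackageManager` ones.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;

/** Added example (hypothetical helper): reads the installer of record and classifies it. */
public final class InstallerCheck {
    // Package name of the Google Play Store app.
    private static final String PLAY_STORE_PACKAGE = "com.android.vending";

    /** UNKNOWN is kept apart from OTHER_INSTALLER: "nothing recorded" is not "a third-party store". */
    public enum Verdict { PLAY_STORE, OTHER_INSTALLER, UNKNOWN }

    private InstallerCheck() {}

    /** Returns the installing package name, or null if the platform has none recorded. */
    public static String installerOf(Context context) {
        PackageManager pm = context.getPackageManager();
        String self = context.getPackageName();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                // API 30+: getInstallerPackageName() is deprecated in favour of this call.
                return pm.getInstallSourceInfo(self).getInstallingPackageName();
            }
            return pm.getInstallerPackageName(self);
        } catch (PackageManager.NameNotFoundException | IllegalArgumentException e) {
            // Our own package could not be resolved; report it as unknown rather than as piracy.
            return null;
        }
    }

    /** Classifies an installer package name without touching the platform, so it is easy to unit test. */
    public static Verdict classify(String installer) {
        if (installer == null || installer.isEmpty()) {
            return Verdict.UNKNOWN;
        }
        return PLAY_STORE_PACKAGE.equals(installer) ? Verdict.PLAY_STORE : Verdict.OTHER_INSTALLER;
    }

    /** One line to paste into a support email, so reports show what the device actually recorded. */
    public static String supportLine(Context context) {
        String installer = installerOf(context);
        return "installer=" + installer
                + " verdict=" + classify(installer)
                + " sdk=" + Build.VERSION.SDK_INT;
    }
}
```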

grill2010 commented 3 years ago

Same problem on my side. I have two apps on the store which are using piracy checker and sometimes users are complaining that they receive this message even though they have installed it from the store (I checked their order id and they were legit downloads). I really don't know why this is happening but it seems it's hard to reproduce and it's probably a hidden error which is in the project for a long time already.