Preventing Multiple User Accounts On Android (Well User Streams Actually)

So I have a unique security issue. (Well I think so anyways, but I may just not know what I am doing?)

So the overall idea. I want to make an app that sends a data stream to my server. I don't care at all about keeping that stream secure, it contains nothing important. So don't think encryption.

What's important to me is ensuring the validity of each stream. By validity I mean validating that each stream is actually coming from a unique hardware device running my app.

I have been looking around online about how to prevent users from creating multiple user accounts, everything from verification emails to verification texts. Those are all stopgap measures that take processing time and resources to implement and only help limit the issue. (It's super easy to make multiple email accounts, and only slightly harder to get access to multiple phone numbers, and if you figure out the phone number thing it's no harder to get a text forwarded to your own phone.)

One thought I have for this particular case is to involve a third party who has a definitive list that matches hardware IDs to phone numbers, AKA the providers who actually service cell phones.

So what would be awesome would be an API to allow the following action.

1. Person starts my app.
2. App sends initial contact to my server. (This will include user phone number)
3. My server receives this and queries the provider servers, asking the provider server to query that particular phone number, ensuring it has a valid hardware ID to be on their network and that that particular phone is running an instance of my app.

I think a system like that would solve my issues, and be pretty foolproof. Even if someone rips off my app and installs an app with the same name on the phone to trick the system, I don't care, because that phone can still only send 1 data stream. And I think it would be almost impossible to create a hardware device to spoof another phone on their network. (Well maybe you could do it, but they would track ya down pretty fast.)

One way to get around this would be to write a virus that infects other phones, causing them to respond incorrectly to the service provider request. While this is a possible hole, I feel safer knowing Google and other companies will fight hard against such viruses to keep their systems' reputation.

Thoughts? Suggestions? Keep in mind, all that matters is verifying that any incoming stream comes from a unique piece of hardware that is running my app.

(Can you guess what my app is?)

There was a post on the Android developer blog about this just last week.

In short: ANDROID_ID is a good enough start, although it doesn't work reliably on all phones (especially older ones). If you want to support older phones, you could combine that with the IMEI as suggested above (but keep in mind that not all devices have an IMEI; WiFi-only ones, for example).

Please read, I'm not just trying to be a negative ninny. I have a lot of experience with piracy and I can tell you your efforts are futile. Here's the deal: time spent on complicated piracy prevention is time wasted. If you sell it through the Android Market, honest users will stay honest. Who cares if I give it to my friend? If it's a good app he will want updates and have to buy it, because I'm not gonna just keep copying the new version and emailing, dropboxing, etc...

Pirates are just gonna download the free copy so you are NEVER GOING TO GET THEIR MONEY, LET IT GO!!! It's like the girl who's attractive enough to have sex with but you don't like her as a person. You're not going to go out of your way to make her your girlfriend. Pirates look at your software the same way: "I want it if it's free but otherwise... meh..."

You put all this work into some half-baked scheme, wasting time you should be using to update your app and support paying users. All this effort to not be "stolen" from. You know what I'm gonna do to crack that program? (Not literally me, just an example.) I'm going to hex edit it or reverse engineer the code and remove your calls for authentication completely. I might create an on-phone service to authenticate and just hack your app to authenticate on a 127.0.0.0/8 loopback.

No matter how good the protection, if it is meant to run in a multi-user environment it's gonna be broken; look at HD-DVD and Blu-ray. I was present at the onset of cracking those protections and they were very impressive and complicated but ultimately simple to break.

THE IRONY OF IT IS DRM RESTRICTIONS ARE WHAT KEEP ME FROM BUYING MOVIES, GAMES & PROGRAMS. SHARING IS CARING!!!! More importantly it's FREE ADVERTISING!!!!!!!!!!!

I can't tell you the number of CDs, movies, games, umm... Pr0nsites >,> whistles I've bought/spent money on as a result of piracy. If you make a great program and keep it updated people will buy it. If you try and keep it locked to a platform or specific device, HAHAHAHA good luck with that; ask Swype how they are doing keeping their keyboard only released through OEMs. Even with device manufacturer support, hardware emulation and debugging to crack it.

I pirated an OS when I was 13 or 14 and had no money, same with a disc burning software. When I was 18 and built a new rig I bought both. I pirate some Android apps and guess what, I bought the ones I liked and the ones where the dev did updates.

Your best anti-piracy scheme is being a good dev and being responsive to your community. HERE'S YOUR BEST PROTECTION SCHEME!!! Google now accepts in-app payments sooo... make your app free with a donate for pro/purchase button in the app (more donations through the menu button). Make sure you disclose in the description that it's in-app purchase to avoid pissing people off and getting bad reviews.

Here is how it would work. The app is installed, they make an in-app purchase, and the app uses the MAC address of Bluetooth, WiFi or both to generate a device ID. Once the purchase is made a key string is generated and stored encrypted in the device storage. On app restart it decrypts the string key and checks it against the MAC addresses to ensure it's on the same device. It should check with the server on any new install and see if the device is already registered and then allow the device to generate the key string again.

Email at purchase a key code to re-register; it should be a license key different than the string key so they cannot use the string key to break the encryption and crack the scheme.

The key should just reference the device ID server side and allow replacement of that device with a new one for, say, the sake of an insurance replacement (or new device).

You should just use the Google app store DRM though, because if one of your customers moves to a new device they will be annoyed.

To make sure the app always works you should have a commitment to release a DRM-free product if development ever ceases.

DRM is just a pain and a hassle and the pirates remove the restrictions completely, so when you look at being a paid customer with restrictions or free and easy, what would you pick?

If this was not completely clear, sorry, I typed it with three people talking loudly, one of which was a three-year-old throwing toys at my face.

THE END

PS

https://market.android.com/details?id=com.noshufou.android.su.elite&feature=search_result This app does NOTHING at the moment; it has INSTALLS: 10,000 - 50,000 purchases just to support the dev of other programs.

If I really wanted to lock an app to a specific piece of hardware, I would use the IMEI (GSM) or MEID (CDMA) from the phone and assign them a unique cookie. You can use the permission Read Phone State to retrieve those numbers from the phone and send them to your server. For the protection of your clients, I would send those only once and return a random cookie for them to use on further requests. You can record the IMEI/MEID in a database as well as the associated cookie to ensure the same device always gets the same cookie. I would also use SSL for this initial transaction for the privacy of clients, but the cookie can then be sent in the clear if you want. This will link their account to their phone. I don't know if Android MP3 players, tablets, etc. have a similar serial number. GSM phones also have a number called IMSI in addition to IMEI, which is specific to the SIM card instead of the phone. CDMA phones have no SIM card and only have the MEID. Lastly, this cookie I speak of does not have to be a regular HTTP cookie; it can just be part of the URL such as ?cookie=abcd123 or some string sent in-band in whatever network protocol you decide to use.
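The enrolment flow this answer describes, as server-side code added here as an example (it is not code from the answer). The table layout, function names, format checks and the choice to store a keyed hash of the identifier instead of the raw value are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret kept outside the database

def luhn_ok(digits: str) -> bool:
    """Luhn check; the 15th digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalize_id(raw: str) -> str:
    """Accept a 15-digit Luhn-valid IMEI or a 14-hex-digit MEID; reject anything else."""
    s = raw.strip().upper()
    if re.fullmatch(r"[0-9]{15}", s) and luhn_ok(s):
        return "imei:" + s
    if re.fullmatch(r"[0-9A-F]{14}", s):
        return "meid:" + s
    raise ValueError("not an IMEI or MEID")

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (id_digest TEXT PRIMARY KEY, cookie TEXT UNIQUE NOT NULL)")
    return db

def register(db: sqlite3.Connection, raw_id: str) -> str:
    """Enrolment request (sent once, over TLS): return the cookie bound to this device."""
    # Keyed hash instead of the raw identifier, so a database leak does not expose IMEIs.
    digest = hmac.new(SERVER_KEY, normalize_id(raw_id).encode(), hashlib.sha256).hexdigest()
    # OR IGNORE keeps the first cookie: a device that re-registers gets the same one back.
    db.execute("INSERT OR IGNORE INTO devices VALUES (?, ?)", (digest, secrets.token_urlsafe(32)))
    db.commit()
    return db.execute("SELECT cookie FROM devices WHERE id_digest = ?", (digest,)).fetchone()[0]

def known_cookie(db: sqlite3.Connection, cookie: str) -> bool:
    """Every later request carries only the cookie; unknown cookies are refused."""
    return db.execute("SELECT 1 FROM devices WHERE cookie = ?", (cookie,)).fetchone() is not None

if __name__ == "__main__":
    db = open_db()
    imei = "490154203237518"  # constructed sample: well-formed test IMEI, not from the page
    print(register(db, imei) == register(db, imei))  # same device, same cookie
```

The format check only rejects malformed input; the server still has to take the client's word for the identifier. A cookie sent without TLS can be captured and replayed by anyone on the network path.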

Why not use a unique hardware ID like the IMEI?
