[SDK] Promocodes for your app

[diverofdark]

Hello!

I'm software developer from Russia, and made one very popular app in local market. Very soon I realized that I need an ability to give licensed version of app for my friends or reviewers or someone else.

Unfortunately AppHub doesn't provide such functionality(private distribution is pain in ass), so I created a webservice for myself.

After two days I realized that it may be useful for other developers, so here it is:
promo.g33k.ru (here I wanted to post url, but I can't due to low post count. You may find it in my profile->interests)

Now it has:
- JSON/SDK with RSA1024/SHA1 sign for additional security checks
- Binary SDK available
- Russian localization(if anyone cares ) (btw, if you can help translating to other language(s) or correct english misspellings - i will appreciate this).

Now this service works in beta mode.


So for developers I have two questions:
1) Is such service useful for you?
2) How to develop it further, in which way?

 

[rbrunner7]

Not yet clear

I am sorry, but after reading your post and also checking your website I am still not sure what you offer. For me there is just not enough information to understand and then judge the usefulness of your service.

Maybe you could give a step-by-step scenario: Dev does this, then interested user does that, dev then this ...

 

[diverofdark]

Ok, I'll try to describe a little more details:

1) Developer wants to add capability of promo codes in his app(to give some specific users full licensed app).
The first problem is that developer need his own server for checking of promo code validity(hardcoding is not an option, of course).

2) So, Developer registers in my service, add his app's guid to his app list and create a promo code for specific app via web.

3) Developer adds support for promo codes in his app by:
a) adding an text box for user to enter promode
b) adding a web request to specific URL for promocode activation
c) adding to his license check web request for checking is current user activated a promo code.

Benefits for developer:
- Add support for promo codes without owning a server.
- Simple way to give full version of program to friends

Benefits for users:
- User may found promo code for specific app somewhere and use it to get full version of app in simple manner.

Benefits for reviewers/portals:
- Developers can easily give promo code for reviewing purpose or as giveaway for news post.

 

[rbrunner7]

Clear now

Thanks for the additional info, now it's clear

Well yes, sounds useful. Properly implemented is probably really easier than Microsoft's "closed beta" mechanism, and of course can be used for other, non-beta apps as well.

The icing on the cake would be a "frame application" as sample code that basically does nothing more than asking for a promo code and then check against the list of valid codes on your server.

 

[chabun]

Sounds intresting but how do you ensure security?

 

[diverofdark]

chabun, I thought about security and situation is same as with default checking for trial - there is no security Man-in-the-Middle and direct cracking of xap will work, and there is no way out. I could use RSA signing for MitM, but still cracking of xap is very easy option today, so no one really interested will try to use MitM. When WP8 SDK will be out(I believe it will be in several weeks) - some developers may implement trial checks in native code - this will be much harder to crack.

As for server part there are following possible problems
- App's ID squatting(same as domain, someone else could reserve developer's app's guid). Don't know yet what to do with this, may be think about it later when this happens?
- Promocode's for App ID bruteforce - could be easily avoided via server throttling, if this ever happens - i'll add such checks
- Server DDoS - every webmaster's nightmare, I hope this never happens(or my Amazon AWS will pour my purse empty


rbrunner7, nice idea, I'll add a sample app as soon as possible on site.

 

[snickler]

This looks like an interesting concept

Sent from my SGH-i917 using XDA Windows Phone 7 App

 

[chabun]

Yop, you can never avoid direct cracking... However, RSA signing would be good I'd say as it will avoid MitM - with MitM you could create simple tools which can be used by every noob outhere. Cracking xaps requires some skill and it will need an unlocked WP7 as well.

 

[Marvin_S]

I can see this working i have been thinking about something similar also. You can encrypt the data on device before sending it off to the cloud, you can than verify the encrypted data with a password and compare it to the codes registered on the server. Than link a code to a certain device id (once the code becomes 'registered') if a certain code is already coupled to a deice id and the device is not the same than the app will jump back into trial mode. Otherwise one can use the paid mode.

This can defenetly work and will prevent reselling th codes. Although it requires a server. And users can still hack/patch the app ofcourse but that will require an unlocked device so I should not worry to much about it.

Also to prevent spoofing you can frequently check with the server if this device is legitetmately registered.

 

[chabun]

I can see this working i have been thinking about something similar also. You can encrypt the data on device before sending it off to the cloud, you can than verify the encrypted data with a password and compare it to the codes registered on the server. Than link a code to a certain device id (once the code becomes 'registered') if a certain code is already coupled to a deice id and the device is not the same than the app will jump back into trial mode. Otherwise one can use the paid mode.

This can defenetly work and will prevent reselling th codes. Although it requires a server. And users can still hack/patch the app ofcourse but that will require an unlocked device so I should not worry to much about it.

Also to prevent spoofing you can frequently check with the server if this device is legitetmately registered.

That's what I thought of... private/public key

 

[diverofdark]

chabun, so, for example, how about following scenario:

for each developer server creates public/private key pair.

when checking license on server: if success server encodes userid with developer private key
when checking license in app: server response decoding via public key(hardcoded in app) and comparing to userId. if ok -> licensed.

 

[wpxbox]

You might want to ask @ngreader guys on twitter. They do have this concept implemented in their app.

 

[chabun]

chabun, so, for example, how about following scenario:

for each developer server creates public/private key pair.

when checking license on server: if success server encodes userid with developer private key
when checking license in app: server response decoding via public key(hardcoded in app) and comparing to userId. if ok -> licensed.

I'm not sure if it would be good to encode the request to the server as well but otherwise it sounds really cool now... I'll use this service when I need this (and tell my friends about it)

 

[wpxbox]

Here is one way to do it http://stackoverflow.com/questions/599837/how-to-generate-and-validate-a-software-license-key

 

[chabun]

Here is one way to do it http://stackoverflow.com/questions/599837/how-to-generate-and-validate-a-software-license-key

Well, what they suggest is not as good as diverofdark's service which is a lot more secure and still easy to use for the customers...

 

[diverofdark]

Greetings everyone!

Today I updated promo.g33k.ru, now it has:
- more detailed about page,
- SDK now includes RSA1024/SHA1 sign for additional security checks
- Binary SDK available
- Russian localization(if anyone cares ) (btw, if you can help translating to other language(s) or correct english misspellings - i will appreciate this).
- Many minor bugfixes.

So, from now this service works in beta mode

 

[snickler]

Greetings everyone!

Today I updated promo.g33k.ru, now it has:
- more detailed about page,
- SDK now includes RSA1024/SHA1 sign for additional security checks
- Binary SDK available
- Russian localization(if anyone cares ) (btw, if you can help translating to other language(s) or correct english misspellings - i will appreciate this).
- Many minor bugfixes.

So, from now this service works in beta mode

Thanks! I will check this out

 

[chabun]

Hey diverofdark
It would be nice if you update the first post in the thread with all information. That's the way it's usually done in the forum.

A possible user (here dev ) can read it and without having to browse the whole thread, he can use your promocode service...

 

[diverofdark]

Thanks for mentioning it, I updated the first post.