How can I control the usage of a custom jar library?

I need a way to essentially secure my jar library to allow registered apps to use it in their projects and deny usage to apps that weren't approved by me.

It is fine if I hard code things in the lib for each distribution. I currently have this jar obfuscated.

What are good approaches to restrict the usage of a jar?

One idea was to lock the lib to a speci开发者_如何学Gofic package so if the developer tries to use it in another project they can't. But I'm not sure if they can easily provide a custom fake Context to make it work...

To me the best approach if you would like your library to stay standalone (without involving the network for checking or downloading pieces of the library, I mean) would be to make mandatory the use of an initializer class that would receive a token from the client application.

This would be crackable as the token validity test would be performed by your lib: one may modify the lib in a way is would just skip that test, but this would be made harder by the obfuscation. But this is probably sufficient, unless using your lib without having registered it is a really critical issue.

• So you would have something like:

  boolean Initializer.initLib(String passcode)  
  

That would prevent the lib to work unless passcode is correct.

You can make the obfuscation more efficient by avoiding checking that way:

public void initLib(String passcode) {
    if (passcode == A_GIVEN_PUBLIC_STATIC_THAT_STORESTHE_CODE) {
         // do the proper initializations 
    }
    else {
         throw new RuntimeException("Bad passcode, sorry!");
    }
}

But doing that way instead:

public void initLib(String passcode) {
    final char[] PASS_ENCRYPTED  = "f5uhjgf56ik8kv214d5".toCharArray();
    final char[] PASS_MINUSMASK  = "bc".toCharArray();
    final int    PASS_SHIFT      = 11;
    final int    PASS_MASK_MINUS = 2;

    for (int ctr = 0; ctr < PASS_MINUSMASK.length; ++ctr) {  
        final char next = PASS_ENCRYPTED[PASS_SHIFT + ctr - PASS_MASK_MINUS];

        if (passcode.charAt(ctr) != next - (PASS_MINUSMASK[ctr] - 'a')) {
            // make the lib unusable by some inits. But it should look as a proper initialization
            return;
        }
    }    

    // make the lib usable by some inits.
}

This looks stupid, but if you have a look at the obfuscated code, you will see a big difference. This code is just an example (it accepts "hi" as a valid passcode), any algorithm would be fine as long as its obfuscated version is not too straightforward to reverse.

• Now the question is: what passcode?

As the library's protection concerns the developpers of the client apps that will use it, and not the final users of these apps, you cannot rely on any piece of data specific to the devices on which the applications will run. So no IMEI or anything like that.

If these developpers are trustworthy that's fine. A fixed passcode is sufficient.

But if they are subject to give this passcode to other people to allow them using your library, this is more difficult. In this case I don't think you can solve it without a real "industrial" process such as registering the client apps and their code checksums, for example. Such a process needs a specific design and cannot be solved "just by the code", but as it also has a cost (time, resources, involvment of the client...) you can only consider this if the use of library is very critical.

Can't you make your jar call your server with a specific code and the application name, to check if they are registered ?

When you build an Android app with a jar, that jar is compiled into the app and becomes a part of it. You can't just copy the jar out of the package and use it elsewhere. Unless I'm not understanding the question, this shouldn't be an issue you need to worry about.