How To Remove Licenses From Apps

 

Remove licenses you're not using to help reduce your Office 365 bill, and reassign a license when someone new joins your organization. Sign in to the admin center. Select Billing Subscriptions. Remove the license you don't need by changing the number of licenses available.

When verifying that the user has purchased or downloaded a legitimate copy of your app from the Google Play Store, it's best to perform the license verification check on a server that you control.

This guide presents a step-by-step process for completing server-side license verification, along with some best practices for performing this check.

Process overview

Figure 1 shows how information is transferred between your app, Google Play, and your private server:

  1. Your app makes a request to Google Play, inquiring about whether a particular user has purchased or downloaded a legitimate copy of your app.
  2. Google Play responds by sending a response data object, an object of type ResponseData, to your app. This object is a signed piece of information that states whether the user has purchased or downloaded a legitimate copy of your app.
  3. Your app makes a request to a private server that you control, verifying the contents of the response data.
  4. The server responds by sending a status to your app, indicating whether the user has indeed purchased or downloaded a legitimate copy of your app. If the server provides a 'success' message, verify the response and then grant the user access to the resources that require a license.

Because the response data is signed by Google Play and then checked on your server, the object cannot be modified on the device running your app without invalidating the signature. If your app relies on the server and makes resources available only to legitimate users, your app is substantially better protected against unauthorized users.

The following sections provide additional considerations to keep in mind when performing server-side license verification.

Safeguard against replay attacks

After receiving a response from Google Play regarding the user's license status, it's possible for the user to copy the response data and use it multiple times, or give it to other users who could then forge their own requests to your app's private server. This sort of action is known as a replay attack.


To reduce the likelihood of users performing replay attacks successfully, take the following measures before sending a request to your app's server:

  • Check the timestamp that's included in the response data, making sure that Google Play generated the response recently.

    Note: You can increase the allowed difference between the response data's timestamp and the current time based on how long users should be able to interact with license-bound resources after they deactivate their license.
  • Perform rate-limiting on your server request, such as exponential backoff, to reduce the number of times that your app attempts to send the same response data to your app's server.

    Caution: To preserve a good user experience in cases where a user interacts with your app on a variety of devices, be careful if you add rate-limiting based on number of devices.
  • Before verifying the contents of Google Play's response data on your private server, make an initial, authentication-based request to your private server. In this first request, send user credentials to your server, and have your server then respond with a nonce, or a number that is used only once. You can then include this nonce in your next request to your private server, asking for license verification data. For details on how to choose a good value for the nonce, see the generate a suitable nonce value section.

    Note: Include a user ID field in both the nonce request and the license verification request. Your app's server can then compare the fields' values from the two requests and make sure they match.

Generate a suitable nonce value

Use one of the following techniques to create a nonce value that's difficult to guess:

  • Generate a hash value based on the user's ID, mixed with a server-side secret or other per-request input. A hash of the ID alone can be recomputed by anyone who knows the ID, so it is not difficult to guess on its own.
  • Generate a random value on a per-user basis, using a cryptographically secure random source. Store this random value on your app's server as part of a given user's attributes, and discard it after it has been used once.
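The following is an added example, not code from the Android developer documentation or from the License Verification Library (LVL). It ties together the process overview, the replay safeguards, and the nonce section above in one server-side verifier: an authenticated nonce request, a signature check on Play's response data, single-use nonces bound to the user ID from the nonce request, and a freshness window on Play's timestamp. Two things are assumptions rather than page content: the signed string is taken to use the LVL field layout "responseCode|nonce|packageName|versionCode|userId|timestamp[:extra]", and an HMAC-SHA256 under a shared key stands in for Google Play's RSA signature so that the example runs on the Python standard library alone. A production server verifies the RSA signature with the app's Play public key instead; everything else carries over unchanged.

```python
"""Server-side license verification with replay protection (added example).

Assumptions, not taken from the page:
  * signed_data uses the LVL field layout
    "responseCode|nonce|packageName|versionCode|userId|timestamp[:extra]";
  * sign_stand_in() is an HMAC-SHA256 stand-in for Google Play's RSA
    signature, used only so the example runs on the standard library.
"""
import hashlib
import hmac
import secrets

LICENSED = 0                  # LVL responseCode for a valid license (assumed)
MAX_AGE_MS = 5 * 60 * 1000    # how recent Play's timestamp must be; tune per product
CLOCK_SKEW_MS = 60 * 1000     # tolerance for a device clock slightly ahead of ours


def sign_stand_in(key: bytes, data: str) -> str:
    """Stand-in for Play's RSA signature; constructed for this demo only."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class LicenseServer:
    def __init__(self, play_key: bytes, credentials: dict):
        self._play_key = play_key
        self._credentials = credentials        # user_id -> password (constructed sample)
        self._pending = {}                     # nonce -> user_id, removed on first use

    def issue_nonce(self, user_id: str, password: str) -> str:
        """First request: authenticate, then hand out a fresh random per-user nonce."""
        if not hmac.compare_digest(self._credentials.get(user_id, ""), password):
            raise PermissionError("authentication failed")
        nonce = secrets.token_hex(16)          # 128 random bits, never a hash of the ID
        self._pending[nonce] = user_id
        return nonce

    def verify(self, user_id: str, signed_data: str, signature: str, now_ms: int) -> str:
        """Second request: check Play's signed block and return a status for the app."""
        # Signature first: no field is trustworthy until the signature checks out.
        if not hmac.compare_digest(sign_stand_in(self._play_key, signed_data), signature):
            return "invalid_signature"
        fields = signed_data.split(":", 1)[0].split("|")
        if len(fields) != 6 or not fields[5].isdigit():
            return "malformed"
        response_code, nonce, _pkg, _ver, _play_user, timestamp_ms = fields
        # Nonce: we issued it, to this same user ID, and it has not been used before.
        if self._pending.pop(nonce, None) != user_id:
            return "replay_or_unknown_nonce"
        # Freshness: Play must have generated the response recently.
        age_ms = now_ms - int(timestamp_ms)
        if age_ms > MAX_AGE_MS or age_ms < -CLOCK_SKEW_MS:
            return "stale_response"
        return "success" if response_code == str(LICENSED) else "not_licensed"


def demo() -> list:
    """Happy path, a replay of the same block, a stale block, and a tampered block."""
    play_key = b"constructed-shared-key"
    server = LicenseServer(play_key, {"alice": "correct-horse"})
    now_ms = 1_700_000_000_000

    nonce = server.issue_nonce("alice", "correct-horse")
    data = f"{LICENSED}|{nonce}|com.example.app|12|PLAYUSER|{now_ms - 1000}"
    sig = sign_stand_in(play_key, data)
    first = server.verify("alice", data, sig, now_ms)       # nonce consumed here
    replay = server.verify("alice", data, sig, now_ms)      # same block again

    old_nonce = server.issue_nonce("alice", "correct-horse")
    old = f"{LICENSED}|{old_nonce}|com.example.app|12|PLAYUSER|{now_ms - 2 * MAX_AGE_MS}"
    stale = server.verify("alice", old, sign_stand_in(play_key, old), now_ms)

    tampered = server.verify("alice", data.replace(f"{LICENSED}|", "1|", 1), sig, now_ms)
    return [first, replay, stale, tampered]
```

The check order matters: the signature is verified before any field is parsed, the nonce is consumed before the result is known so that a failed attempt cannot be retried with the same nonce, and the timestamp window is the knob the Note above refers to.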

Verify response data from your server

When reviewing response data that your app's server sends to your app, make sure that the License Verification Library response isn't forged. Verify the signature that's included in the app server's response data against the public key that your app received from Google Play in a previous step.


It's also worth remembering that the block specific to the License Verification Library (LVL) is the only part that's signed. Therefore, it's the only part of your app server's response data that your app should trust.
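As an added example of the app-side check (not code from the Android documentation, the LVL, or any app), the function below decides access from the signed LVL block alone. The reply format is an assumption: the server is taken to answer with JSON of the form {"status": ..., "signedData": ..., "signature": ..., "message": ...}, where only signedData and signature come from Google Play's signed block, laid out as "responseCode|nonce|packageName|versionCode|userId|timestamp[:extra]". An HMAC-SHA256 under a key named PLAY_KEY stands in for Play's RSA signature so the example runs on the standard library; a real app verifies the RSA signature with the public key it obtained from the Play Console.

```python
"""App-side check of the private server's reply (added example).

Assumptions, not taken from the page: the JSON reply shape below, the LVL
field layout of signedData, and sign_stand_in() as an HMAC stand-in for
Google Play's RSA signature under the key PLAY_KEY.
"""
import hashlib
import hmac
import json

PLAY_KEY = b"constructed-stand-in-for-the-play-public-key"
LICENSED = 0                                   # LVL responseCode for a valid license (assumed)


def sign_stand_in(key: bytes, data: str) -> str:
    """Stand-in for Play's RSA signature; constructed for this demo only."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def grant_access(reply_json: str, expected_nonce: str, key: bytes = PLAY_KEY) -> bool:
    """True only when the SIGNED block says LICENSED and carries our nonce.

    'status' and 'message' are unsigned server fields: anyone on the network
    path can rewrite them to say "success", so they never decide access.
    """
    reply = json.loads(reply_json)
    signed = reply.get("signedData", "")
    signature = reply.get("signature", "")
    if not hmac.compare_digest(sign_stand_in(key, signed), signature):
        return False
    fields = signed.split(":", 1)[0].split("|")
    if len(fields) != 6:
        return False
    return fields[0] == str(LICENSED) and fields[1] == expected_nonce


def demo() -> list:
    """Genuine reply, forged signature, lying unsigned status, and wrong nonce."""
    nonce = "a1b2c3d4"
    block = f"{LICENSED}|{nonce}|com.example.app|12|PLAYUSER|1700000000000"
    genuine = json.dumps({"status": "success", "signedData": block,
                          "signature": sign_stand_in(PLAY_KEY, block)})
    # Attacker rewrites the unsigned fields but cannot produce a valid signature.
    forged = json.dumps({"status": "success", "message": "licensed",
                         "signedData": block, "signature": "deadbeef"})
    # A genuinely signed NOT-licensed block, with the unsigned status lying.
    unlicensed = block.replace(f"{LICENSED}|", "1|", 1)
    lying = json.dumps({"status": "success", "signedData": unlicensed,
                        "signature": sign_stand_in(PLAY_KEY, unlicensed)})
    return [grant_access(genuine, nonce), grant_access(forged, nonce),
            grant_access(lying, nonce), grant_access(genuine, "other-nonce")]
```

Only the first case is granted. The nonce comparison is what ties the signed block to the request the app itself made, so a block captured from another session, or a stale one the device kept, is rejected even though its signature is valid.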