Welcome!

Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Java Development

Reply
Developer
Developer
Posts: 122
Registered: ‎08-11-2008
My Device: 9700
My Carrier: XL

how the user can verify an application is valid from my vendor?

 

Hi All,

I need help to get an idea or information about vendor verification.

 

this is the case:

 

I (vendor A) have an application that already signed and deployed to a BlackBerry Device.

The users for my application, download it from website X.

 

My friend (vendor B), create the same application, sign with his keys (different from my keys),

and publish to website Y.

 

How the user of my application know that he/she installed an application from vendor A?

Is there any information or hash key that differ an application are from vendor A or vendor B?

 

if there is no information to verify the original vendor of an application,

how can I implement a verification system?

something like an https verification, but the system must be unique and other vendor can't duplicate it.

 

thank you for your information.

 

 

--
"Give kudos (star) if you feel response is helpful"
Developer
Posts: 16,932
Registered: ‎07-29-2008
My Device: Z10 LE, Z30, Passport
My Carrier: O2 Germany

Re: how the user can verify an application is valid from my vendor?

if another company uses your name: sue them.

 

other than that, you can use signatures to verify. we use AES for licensing purposes, but it can as well be used for authentication.

----------------------------------------------------------
feel free to press the like button on the right side to thank the user that helped you.
please mark posts as solved if you found a solution.
@SimonHain on twitter
Developer
Developer
Posts: 122
Registered: ‎08-11-2008
My Device: 9700
My Carrier: XL

Re: how the user can verify an application is valid from my vendor?

 

Thank Simon for your suggestion.

 

I need to create an application that user (end user) can verify that my application is verified from my company.

 

I can use online/offline verification method,

but I don't have any idea how to show the verification result to the user..

 

anything that I can do to show the verification result, it can be duplicated by other vendor.

 

i hope the idea is only a software,

so the user is no need to bring a token (hardware).

 

thank you.

--
"Give kudos (star) if you feel response is helpful"
Developer
Posts: 67
Registered: ‎10-14-2009
My Device: Not Specified

Re: how the user can verify an application is valid from my vendor?

if you don't mind doing an online verification you can create a https service with http basic auth that just returns "OK" or somesuch.

 

obfuscate your code for the login/password (e.g.: dont use a variable String login="user" but select different parts of vectors, arrays, constants and so on to build up the login)

 

but if somebody spends enough time decompiling your code and reproducing it, that will not help. your only chance then is to store different things about the device on a server and validate that.

 

however, if somebody does decompile your code he'll remove all those checks anyway. not much you can do against it :/

-------------
blog: http://coding.westreicher.org
twitter: http://www.twitter.com/meredrica
Developer
Posts: 16,932
Registered: ‎07-29-2008
My Device: Z10 LE, Z30, Passport
My Carrier: O2 Germany

Re: how the user can verify an application is valid from my vendor?

do you know something about signing, private/public keys and encryption?

if you sign a software with your private key everybody can check this with your public key, but nobody else is able to produce this signature.

----------------------------------------------------------
feel free to press the like button on the right side to thank the user that helped you.
please mark posts as solved if you found a solution.
@SimonHain on twitter
Developer
Developer
Posts: 122
Registered: ‎08-11-2008
My Device: 9700
My Carrier: XL

Re: how the user can verify an application is valid from my vendor?

Thank you Simon, Yes, I knew about private n public keys pair, signature, and encryption. Currently I'm looking for its implementation examples. How the user can verify my application signature? Is it using other app or by the app itself? The app that doing verification should be legitimate, right?
--
"Give kudos (star) if you feel response is helpful"
Developer
Developer
Posts: 122
Registered: ‎08-11-2008
My Device: 9700
My Carrier: XL

Re: how the user can verify an application is valid from my vendor?

Thank you fwest, I think this is not about verifying the user, but it's about the user verify the application. I don't know how to show the "validated" text, so the user know that the apparently is valid, but the other vendor can't show the same thing on their apps.
--
"Give kudos (star) if you feel response is helpful"
Developer
Posts: 67
Registered: ‎10-14-2009
My Device: Not Specified

Re: how the user can verify an application is valid from my vendor?

DOH, absolutely did not think of puplic/private keys

 

arv: you  could generate a footprint of your application and encrypt it with your public key and then call a rest service via the BB browser that prints "valid" or "not valid"

-------------
blog: http://coding.westreicher.org
twitter: http://www.twitter.com/meredrica
Regular Visitor
Posts: 1
Registered: ‎02-25-2010
My Device: Storm
My Carrier: Developer

Re: how the user can verify an application is valid from my vendor?

Hi All,

In my situation, I have an application with vendor name V1 and version 1.0, but the same application with version 2.0 have vendor name V2.

 

As I know, according MIDP 2.0 specification, for successfully upgrade vendor names MUST BE identical.

So, can I upgrade the first application with replacing it by second??

 

Thank you and sorry for my  poor English.