03-12-2009 02:46 PM - edited 03-17-2009 01:52 PM
The Dynamic Licensing mechanism is a commonly used mechanism within BlackBerry App World for developers to provide a license key for every single user based on unique user information such as the PIN or email address.
One of the challenges associated with using Dynamic Licensing is that users will be shown the license key upon purchase of an application and will then have to manually enter that license key into the application. In an effort to improve this experience, during installation of the application on the device, the App World client will load the license key in the CodeModuleGroup properties so an application can read it directly without having to prompt the user.
Your application should use the following line of code to access the license key in this scenario.
String key = CodeModuleGroup.load("My App").getProperty("RIM_APP_WORLD_LICENSE_KEY");
Of course, "My App" is the name of your application rather than the placeholder. Note by "name" I am referring to the name of your application as submitted to the App World Vendor Portal. Not the cod file name.
03-12-2009 03:09 PM
This is good new, mkirkup. I see everything is getting ironed out. So now, since I have the key entry in place, I can check this location for a key and if it's not there, I would still pop up the manual entry of the key in case the customer purchased the game elsewhere.
Also, I know customers can download the same application they purchased (through MyWorld) up to 3 times on a different device than the device they purchased it under..so if my license key was based off of the PIN number, then the key that is stored in this CodeModuleGroup wouldn't be valid, correct? Or would the re-download feature of MyWorld make a trip out to my URL to obtain another key even though the customer is not paying for it again?
I guess I am trying to say that we should still have a manual way of entering the key as a failover in case the key in the CodeModuleGroup is not there or incorrect.
03-12-2009 03:23 PM
I've got a related question, is there anything wrong with using the Device PIN as the licnese key? My application requires network connectivity, so I was planning on having it call home (the same web service thats invoked by the dynamic license key generator) to verify that this device PIN has been licensed. My dynamic license generator will return a meaningless key string that won't acutally be used by the app.
03-12-2009 03:26 PM
Also, we need to think about security. What is preventing someone from just POSTing to your key generating website with their PIN? Do you still have plans to give developers a list of IP addresses that come from your servers so we can restrict access based on them?
03-12-2009 03:31 PM
RLord321: I'm not terribly concerned about that issue; I'm willing to live with security through obscurity - i.e. putting a big dirty hash into my dynamic license generator url. If someone manages to reverse engineer it more power to them & if I find that revenue doesn't match activations I can:
1) quickly change the license generator url
2) look at the ip addresses that the non-paying requests came from and block them going forward.
Its definitely a good idea to log all ip's that invoke on your license generator service.
03-12-2009 03:41 PM
I do see your point. I, too, was thinking about going to my website to check to see if the PIN number is in a table or not but then I thought:
1) Do I really want my application to go to the internet each time the customer starts it up?
2) Do the customers want the application to go to the internet each time it starts up.
3) What if my website is down?
4) What if the customer doesn't have a signal?
For my applications (mainly games), I felt as though this didn't seem logical as it would add unwanted time for the user experience to check the site and come back. I'm sure there are apps that it would make sense to do this, but the majority of the applications I see on the blackberry do not. And I agree with you on storing the IP -- that's why I mentioned restricting the key generation based off of IP address of Blackberry's App World servers.
03-12-2009 04:01 PM
My (first) application requires a network connection so lack of signal isn't really an issue. I only preform the license check once per installation, once an app successfully authenticates itself with my website it stores a bit of meta-data on the device and its unlocked i.e. permenantly licensed. I figure doing license checks based upon the device PIN offers a superior user experience as they won't have to enter a key. The license check is one quick http request which usually completes in less than a second which is acceptable IMO. For non-network dependent apps I've been thinking about allowing the app to run for one week without authenticating/activating itself. Building a decent license service is a bit of work...and of course once you go with dynamic licensing your website/webservice better not go down or you risk loosing revenue
I'm starting to think that there might be a business to be had in providing this service to other app developers. eg you pay a small fee & I'll provide licensing code along with the supporting web services to authenticate your apps. I wonder if that violates any of the terms of service?
03-12-2009 04:51 PM
I think initially it probably makes sense to plan for manual entry with the only downside being that hopefully no one ever sees that screen. We will automatically re-generate new keys for users as part of MyWorld so that you don't need to worry about that aspect.
03-12-2009 05:04 PM
Another common question: What email address will your server receive when App World requests a dynamic license key?
Answer: It will correspond to the user's PayPal email address.