02-03-2010 09:29 AM
I need help to get an idea or information about vendor verification.
This is the case:
I (vendor A) have an application that is already signed and deployed to a BlackBerry device.
The users of my application download it from website X.
My friend (vendor B) creates the same application, signs it with his keys (different from my keys),
and publishes it to website Y.
How does the user of my application know that he/she installed an application from vendor A?
Is there any information or hash key that shows whether an application is from vendor A or vendor B?
If there is no information to verify the original vendor of an application,
how can I implement a verification system?
Something like an https verification, but the system must be unique and other vendors can't duplicate it.
thank you for your information.
02-03-2010 10:01 AM
if another company uses your name: sue them.
other than that, you can use signatures to verify. we use AES for licensing purposes, but it can as well be used for authentication.
02-03-2010 10:39 AM
Thanks, Simon, for your suggestion.
I need to create an application so that the user (end user) can verify that my application is verified as coming from my company.
I can use an online/offline verification method,
but I don't have any idea how to show the verification result to the user.
Anything that I can do to show the verification result can be duplicated by another vendor.
I hope the idea is software only,
so the user does not need to bring a token (hardware).
02-03-2010 10:52 AM
if you don't mind doing an online verification you can create a https service with http basic auth that just returns "OK" or somesuch.
obfuscate your code for the login/password (e.g.: don't use a variable String login="user" but select different parts of vectors, arrays, constants and so on to build up the login)
but if somebody spends enough time decompiling your code and reproducing it, that will not help. your only chance then is to store different things about the device on a server and validate that.
however, if somebody does decompile your code he'll remove all those checks anyway. not much you can do against it :/
02-03-2010 10:55 AM
do you know something about signing, private/public keys and encryption?
if you sign software with your private key everybody can check this with your public key, but nobody else is able to produce this signature.
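The check described in the reply above, as an added example that is not part of the thread: it signs a file with vendor A's private key and verifies against vendor A's public key, then shows that vendor B's signature over the same bytes and vendor A's signature over modified bytes both fail. It is standard Java SE (`java.security`) meant to run off the device, not BlackBerry API code; the class and method names, the freshly generated RSA keys and the byte string standing in for the application file are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class VendorSignatureCheck {
    // Sign the application bytes with a vendor's private key.
    static byte[] sign(PrivateKey key, byte[] app) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(app);
        return s.sign();
    }

    // Verify against the public key the verifier already holds (pinned),
    // never against a key that arrives together with the application.
    static boolean verify(PublicKey pinned, byte[] app, byte[] sig) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(pinned);
            s.update(app);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: not verified
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair vendorA = gen.generateKeyPair(); // hypothetical vendor A key pair
        KeyPair vendorB = gen.generateKeyPair(); // hypothetical vendor B key pair

        // Constructed stand-in for the bytes of the application file.
        byte[] app = "constructed application bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sigA = sign(vendorA.getPrivate(), app);
        byte[] sigB = sign(vendorB.getPrivate(), app);
        byte[] modified = app.clone();
        modified[0] ^= 1; // a single flipped bit

        PublicKey pinned = vendorA.getPublic();
        System.out.println("A's bytes, A's signature: " + verify(pinned, app, sigA));
        System.out.println("same bytes, B's signature: " + verify(pinned, app, sigB));
        System.out.println("modified bytes, A's signature: " + verify(pinned, modified, sigA));
    }
}
```

The result only means something when the verifier obtained vendor A's public key through a channel the other vendor does not control; a key or a "verified" message shipped inside the application can be copied along with it.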
02-03-2010 12:18 PM
02-03-2010 12:25 PM
02-03-2010 12:37 PM
DOH, absolutely did not think of public/private keys
arv: you could generate a footprint of your application and encrypt it with your public key and then call a rest service via the BB browser that prints "valid" or "not valid"
02-25-2010 03:42 AM
In my situation, I have an application with vendor name V1 and version 1.0, but the same application with version 2.0 has vendor name V2.
As far as I know, according to the MIDP 2.0 specification, for a successful upgrade the vendor names MUST BE identical.
So, can I upgrade the first application by replacing it with the second?
Thank you and sorry for my poor English.