Our client's kiosk app had a simple licensing requirement: each customer gets a license key, each key activates one device, and that device stays licensed for a certain time period.
Sounds straightforward. But there were some hard constraints:
- Devices only connect to the internet once, at activation time.
- Licenses are paid, so a license key must be restricted to a single device.
- The app has to enforce time-limited use, even without network access.
- We cannot expect users to play fair.
- The app is distributed directly, not via Google Play.
Standard HTTPS-based API calls don’t solve this. We needed protections that would operate above the transport layer.
Here’s how we approached it.