
Payment with midlets.

 
Tonny Tssagovic
Ranch Hand
Posts: 226
Hello guys,
I am thinking of a "pay-per-view" J2ME app, where users have to pay each time they request/fetch some "valuable" data.
Is there a "best practices" or any standard way of doing this?
I don't have problems with integration with the back-end payment system (being operator, or any payment service provider), but was thinking more about my midlet-servlet communication.
How about security issues? Assuming that the user pays a monthly fee, how do you authenticate the user, assuming you don't have access to the operator's network, and your servlet simply receives a request from the WAP gateway IP address and has no way of knowing the number (anyway, GSM security really sucks, and you should not rely on it.. but maybe securing your assets should not be more expensive than their actual value)?
I was thinking about saving a big random number on the phone (RMS) that the user gets the first time he logs in.. any other ideas? How about embedding that number in the midlet and generating a JAR dynamically for each number, before sending the user the application link?
Any help will be very much appreciated.. Thanking in advance!
 
Michael Yuan
author
Ranch Hand
Posts: 1427
You can simply put an encrypted license key in the JAD file to identify each user. The user is required to send back the key every time they perform a "pay-per-view" operation. You can then associate the key with the user's registered credit card/PayPal number and bill them monthly. This way, you do not need to generate a different JAR for each user. You can also put the key in the JAR manifest and protect it with a digital signature in the JAD if you are sensitive about security.
But really, the easiest way is just to cut a deal with a carrier and have them bill it for you. It saves a ton of trouble at your end. But carriers are hard to work with, especially if you are a small shop ...
 
Tonny Tssagovic
Ranch Hand
Posts: 226
Thanks for the reply, Michael.
Well, I thought about putting a key in the JAD, but this would be quite dangerous.. especially if they could somehow read it, and I think some mobile phones allow you to download / or even save your apps on a PC, so maybe one can change it according to his friend's license, and if it he has unlimited access. Well, in that case, he could also just get the JAR as well, so maybe one should make an extra number that one saves using RMS, and this number is only given once, from the server, once it has identified the license of the user.
Anyway, do you guys have a clue about how to make sure no one can download your application via the internet? I don't want people to decompile my app! None of you guys needs to distribute his own app?
Please comment, give any ideas you might have.
 
Michael Yuan
author
Ranch Hand
Posts: 1427
Originally posted by Tonny Tssagovic:
Well, I thought about putting a key in the JAD, but this would be quite dangerous.. especially if they could somehow read it, and I think some mobile phones allow you to download / or even save your apps on a PC, so maybe one can change it according to his friend's license, and if it he has unlimited access.

Well, that is the problem for *all* shrink-wrapped software that requires license keys. But in your case, you control the server. You can always require each user to "activate" their key before they use it, and each key can be activated only once ...
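
The scheme the thread converges on (a per-user license key that can be activated only once, plus a server-issued random number the midlet keeps in RMS) can be sketched on the server side as follows. This is an added example, not code from either poster; the class `LicenseRegistry`, its method names and the sample key are assumptions, state is held in memory, and the midlet is assumed to reach the servlet over HTTPS.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical server-side registry: one activation per license key.
public class LicenseRegistry {
    private static final byte[] UNACTIVATED = new byte[0]; // sentinel, compared by reference
    private final SecureRandom rng = new SecureRandom();
    // license key -> SHA-256 of the device token, so a leaked table exposes no usable token
    private final Map<String, byte[]> licenses = new ConcurrentHashMap<>();

    public void issue(String licenseKey) { licenses.putIfAbsent(licenseKey, UNACTIVATED); }

    // First activation returns a fresh token for the midlet to store in RMS; later ones return empty.
    public Optional<String> activate(String licenseKey) {
        if (licenseKey == null) return Optional.empty();
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // replace() is atomic: of two concurrent activations only one swaps the sentinel out
        boolean won = licenses.replace(licenseKey, UNACTIVATED, sha256(token));
        return won ? Optional.of(token) : Optional.empty();
    }

    // Every pay-per-view request must carry both the key from the JAD and the RMS token.
    public boolean authorize(String licenseKey, String token) {
        byte[] stored = (licenseKey == null) ? null : licenses.get(licenseKey);
        if (stored == null || stored.length == 0 || token == null) return false;
        return MessageDigest.isEqual(stored, sha256(token)); // constant-time comparison
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        LicenseRegistry reg = new LicenseRegistry();
        reg.issue("LIC-0001"); // constructed sample key
        String token = reg.activate("LIC-0001").orElseThrow(IllegalStateException::new);
        System.out.println("second activation refused: " + !reg.activate("LIC-0001").isPresent());
        System.out.println("key + token accepted: " + reg.authorize("LIC-0001", token));
        System.out.println("copied key, wrong token accepted: " + reg.authorize("LIC-0001", "guess"));
    }
}
```

A key copied from a friend's JAD fails both paths here: it cannot be activated a second time, and it does not authorize a request without the token issued to the original handset.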
 