Google Play unlicensed response when app is bought

Question

My Android app implements LVL, and checks for a valid license when started. I'm using a ServerManagedPolicy. Whenever I use a test account, or when the app is bought from the Play store, the unlicensed response is given, and my users are getting quite annoyed.

The relevant code:

final Random r = new SecureRandom();
    byte[] SALT = new byte[20];
    r.nextBytes(SALT);

    lkey = "MyGooglePlayKey(hidden)";

    android_id = Settings.Secure.getString(getApplicationContext().getContentResolver(), Settings.Secure.ANDROID_ID);

    mLicenseCheckerCallback = new MyLicenseCheckerCallback();
    mChecker = new LicenseChecker(
            this, new ServerManagedPolicy(this,
            new AESObfuscator(SALT, getPackageName(), android_id)), lkey);

Is this an issue with Settings.Secure.getString(getApplicationContext().getContentResolver(), Settings.Secure.ANDROID_ID)? Naturally, the licensing Android docs give no help at all on how to get the device ID, and using a different method requires another permission. My method causes Android Studio to say "Using getString to get device identifiers is not recommended".

Because of the very old Lollipop bug, my LicenseChecker class had to be changed to use an explicit intent:

if (mService == null) {
            Log.i(TAG, "Binding to licensing service.");
            try {
                Intent serviceIntent = new Intent(new String(Base64.decode("Y29tLmFuZHJvaWQudmVuZGluZy5saWNlbnNpbmcuSUxpY2Vuc2luZ1NlcnZpY2U=")))
                        .setPackage("com.android.vending");

                boolean bindResult = mContext.bindService(serviceIntent,
                        this, // ServiceConnection.
                        Context.BIND_AUTO_CREATE);

My LVL library uses the same targetSDK/compile/minSDK as my app:

android {
compileSdkVersion 26
buildToolsVersion "26.0.1"
useLibrary 'org.apache.http.legacy'

defaultConfig {
    minSdkVersion 17
    targetSdkVersion 26
}

buildTypes {
    release {
        minifyEnabled false
        proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.txt'
    }
}

dependencies {
    compile group: 'org.apache.httpcomponents' , name: 'httpclient-android' , version: '4.3.5.1'
}

Due to the NamePairValue and URLEncodedUtils methods being deprecated, I had to use these Apache substitutes.

Answer 1

I am not an expert on this, but I think the salt is only random insofar as it's random for your app. You do not generate it on the fly. See documentation.

To use AESObfuscator, first import it to your Activity. Declare a private static final array to hold the salt bytes and initialize it to 20 randomly generated bytes.

...
// Generate 20 random bytes, and put them here.
private static final byte[] SALT = new byte[] {
 -46, 65, 30, -128, -103, -57, 74, -64, 51, 88, -95,
 -45, 77, -117, -36, -113, -11, 32, -64, 89
 };
...