detecting app clone on android

[dport 0]

With applications such as DualSpace available on Playstore, an application on the phone can be cloned and run as a completely different copy. Even if distinctive features such as androidId, FCM (Firebase Cloud Messaging) ID, MAC serial are used for device recognition, the cloned application can bypass the identification system by producing completely different IDs.
Is there a way to tell if the app is a clone? Options such as PackageName control and Installation path control are suggested on the internet, but when I check as follows, the cloned application gets the PakageName like the original and shows the same installation path.
  showmessage(JStringToString(SharedActivityContext.getPackageName));
  showmessage(JStringToString(TAndroidHelper.Context.getPackageCodePath));
Therefore, both of these methods do not work when detecting the cloned application.
Another way is to check whether the application is running on the virtual machine, but I couldn't find how to check it.
Is there a successful method in Delphi to detect a cloned application?

[dport 0]

There is a solution that checks whether the cloning applications are installed on the phone, but it is not very applicable since there are hundreds of programs that do this job (it will also be necessary to introduce the programs that will be added later).

function IsAppInstalled(const APackageName: string): Boolean;
var
  LIntent: JIntent;
  LList: JList;
  LApplicationInfo: JApplicationInfo;
  I: Integer;
begin
  Result := False;
  LIntent := TJIntent.JavaClass.init(TJIntent.JavaClass.ACTION_MAIN);
  LIntent.addCategory(TJIntent.JavaClass.CATEGORY_LAUNCHER);
  LIntent.setFlags(TJIntent.JavaClass.FLAG_ACTIVITY_NEW_TASK or TJIntent.JavaClass.FLAG_ACTIVITY_RESET_TASK_IF_NEEDED);
  LList := TAndroidHelper.Context.getPackageManager.queryIntentActivities(LIntent, 0);
  for I := 0 to LList.size - 1 do
  begin
    LApplicationInfo := TJResolveInfo.Wrap(JObjectToID(LList.get(I))).activityInfo.applicationInfo;
    if (LApplicationInfo.flags and TJApplicationInfo.JavaClass.FLAG_SYSTEM) = 0 then
    begin
      if APackageName = JStringToString(LApplicationInfo.packageName) then
         exit(true);
    end;
  end;
end;

(Must be given query all packages permission to run)

[Fr0sT.Brutal 897]

Why would you need that? Just let the user install your app as it wants to. I'd throw away any app that would do such dirty things leaving 1-star review at market.

[Dave Nottage 493]

On 11/23/2023 at 9:11 PM, dport said:

Is there a successful method in Delphi to detect a cloned application?

If there's a way to do it in Java or Kotlin, there's usually a way to do it in Delphi. Do you have any links discussing why this is a problem, and potential solutions?

[dport 0]

On 12/28/2023 at 11:24 AM, Fr0sT.Brutal said:

Why would you need that? Just let the user install your app as it wants to. I'd throw away any app that would do such dirty things leaving 1-star review at market.

 

On 12/28/2023 at 12:55 PM, Dave Nottage said:

If there's a way to do it in Java or Kotlin, there's usually a way to do it in Delphi. Do you have any links discussing why this is a problem, and potential solutions?

There are reasons such as preventing the user from opening more than one account and cheating in online games, and preventing punished players from logging in from parallel accounts and continuing to cause problems. We generally use device-specific serial numbers to prevent these situations. In the past, IMEI and MAC serial numbers could be used, but since this information is no longer provided, we provide this control by using different Unique IDs specific to the device. However, since the software that clones the device also clones these UniqueIDs, it is perceived as logging in from a completely different device. For this reason, if the application has been run through cloning, we want to prevent it from running.

[Dave Nottage 493]

1 hour ago, dport said:

For this reason, if the application has been run through cloning, we want to prevent it from running.

 

I have a repo containing some ChatGPT "conversations" which might be of interest, and have just added this one:

 

https://github.com/DelphiWorlds/HowTo/blob/main/ChatGPTConversations/DetectClonedApp.md

 

The Delphi code is my conversion of the Java code. As per the warning here, always verify anything coming from ChatGPT, or me, for that matter 🙂

[dport 0]

On 1/5/2024 at 6:56 AM, Dave Nottage said:

 

I have a repo containing some ChatGPT "conversations" which might be of interest, and have just added this one:

 

https://github.com/DelphiWorlds/HowTo/blob/main/ChatGPTConversations/DetectClonedApp.md

 

The Delphi code is my conversion of the Java code. As per the warning here, always verify anything coming from ChatGPT, or me, for that matter 🙂

 

Thank you for your answer. Unfortunately, when run from within the dualspace application, the getInstallerPackageName method always returns com.android.vending. Normally, when debugging the application, this value returns nil because it is not installed from Playstore. However, when you run your application compiled in debug mode from dualspace, this value returns as com.android.vending. Cloning apps manipulate all the parameters offered by the Android system to prevent cloning detection.

 

var
  LInstallerPackage: JString;
begin
  LInstallerPackage := TAndroidHelper.Context.getPackageManager.getInstallerPackageName(TAndroidHelper.Context.getPackageName);
  showmessage(JStringToString(LInstallerPackage));//always return com.android.vending in cloning application

end;