Zsolt Bertalan asked

Lots of fun with DRM and GameCircle

I'm trying to submit an update to my app with the newly implemented GameCircle API, but Amazon keeps rejecting me. I received a log from them and the problem is that the API key can't be verified. As the app is working perfectly for me on all of my devices, I thought the DRM was the culprit. For earlier versions it was on (I know, stupid), but for this version I set it to "Apply: no".

For my support request I got the following answer: "Thank you for writing in. If you would like to remove Amazon DRM for the app, please log in to your Developer Portal, App Submission process, Binary Files tab, and select No for "Apply Amazon DRM" option. However, please note that all applications must be digitally signed with a certificate. The default signature applied to your app is a certificate supplied by Amazon that is unique to your developer account."

Now the first part made me cry, but after I dried up my tears I realized that the second part is even more interesting. After a little search I realized that Amazon really replaces my certificate without any further ado and they probably keep replacing it without DRM. Oh, really thank you. You just took a week of my life and made the future releases hard for me.

Can I get the keystore? I have to use the same key to be able to update my app, right? Furthermore, I need the SHA1 fingerprint for the GameCircle API key (I can create this if I have the keystore).

Also, I would like to note here that storing the API key in the app is a VERY BIG architecture failure, and if Amazon changes the certificate after submission, it is a deadly mistake. The app should work with any certificate I add to my account, just like on Google Game Play Services.

Now, if I can't have the Amazon certificate and I build a version of my app for submission with the Amazon API key in it, then I can't test it, because I can't sign it with the given keystore. Not to mention the debug keystores (I work on two computers now). Crazy.

So, the most important question: Can I get the keystore that Amazon uses to replace my release keystore?

Sujoy@Amazon answered
Hi BeBe,

Thank you for writing to us. I think your understanding is not correct. Amazon DRM is nowhere connected with the certificate that is used for signing your binary. Whether DRM is enabled or not, the binaries are signed with a certificate. Now the certificate could be provided by Amazon or you may enable your app so that you can use your own certificate. The default signature applied to your app is a certificate supplied by Amazon that is unique to your developer account. If you want your app to be signed with your own certificate, you have to raise a ContactUs (https://developer.amazon.com/help/contactus.html) and we would enable that provision in your app for you.

Now I can see that your app has always been signed with the Amazon certificate (because you have not sent any request to us to enable the provision so that you can sign your build) from the first version you submitted. Please note the signature you use to sign your app before you submit the app is always replaced by Amazon's one. You could submit an unsigned binary as well. So you do not have to worry that as you disabled the DRM in the latest submission, your signature is gone now for that reason.

For GameCircle, you need to place the API key of the security profile of your app in the asset. The API key you add in the asset is always replaced by the key which is finally associated with the final signature used by Amazon to sign your APK. So you should not need the keystore we use to sign your build. You should always use the API key associated with your debug certificate to test GameCircle/ADM in your app and submit. The API key associated with the release certificate stays with the APK (is not replaced by us) when you make your app self-signing (signing by you, not Amazon) enabled by raising ContactUs.

Now I would encourage you to enable DRM in the next version since the purpose of DRM is to provide security in your app to prevent hacking.

Below is the overview of the Amazon DRM:

-------------------------------------------------------------

Amazon will apply the DRM for you if you choose to apply DRM to the app you submit to the Amazon Mobile App Distribution Program. There is no dev work involved on your end if you choose to apply our DRM. You will see a check box for this option during your app submission process.

Customers who purchase an app will retain an entitlement to their app even if they decide to replace their current Android device and/or purchase new devices, as long as the new devices meet the installation requirements of the app. This provides insurance to customers that their purchased apps will be available for use on all supported devices, even if the customer has uninstalled or otherwise removed those apps in the past.

The digital locker service combined with a robust Digital Rights Management (DRM) solution not only make managing apps easier for customers, they also address one of the biggest concerns developers have: unauthorized copying and distribution. An authorized user can now install your app on any of their supported devices; however, if you chose to apply DRM on your app at submission time, your app will not run on unauthorized devices.

Any app that has Amazon DRM applied to it will require users to have installed and signed in to the Amazon Apps client to access the app. When an app is accessed by the user, it will verify with the Amazon Apps device service as to whether the user has an entitlement to the app. If the user does not sign in or does not have an entitlement to that app, then the app will not be usable. However, any user can gain an entitlement by purchasing the app through Amazon.

For each app that you submit to the Distribution Program, you can choose to apply DRM or make your app available without any rights management constraints. If you do choose to apply DRM to one of your apps, you must use the DRM system provided by Amazon through the Distribution Portal.

Once an app is installed, a user can use the app without having internet access. During the installation process for an app, the Amazon Apps client downloads a small token that grants the user the right to access the application. A valid token permits the user that purchased the app to access their app offline. The Amazon Apps client will periodically communicate with Amazon servers to refresh the token.

Here is a link to the blog post we published on the Amazon DRM: http://www.amazonappstoredev.com/2011/03/amazon-appstore-digital-rights-management-simplifies-life-for-developers-and-customers.html
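
The failure discussed in this thread (an API key that verifies on a debug build but not after the store re-signs the APK) can be reproduced with a small model. This is an added example, not part of either post and not Amazon's code: the HMAC-based key scheme, the issuer secret, the package name and the certificate bytes are all constructed assumptions used only to show a key bound to a signing-certificate fingerprint.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded signing certificates (not real certs).
DEBUG_CERT = b"constructed-debug-certificate-der"
STORE_CERT = b"constructed-store-certificate-der"
ISSUER_SECRET = b"constructed-issuer-secret"  # hypothetical, held by the key issuer


def fingerprint(cert_der: bytes, algo: str = "sha1") -> str:
    """Colon-separated hex digest, the form keytool prints for a certificate."""
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issue_api_key(package: str, cert_der: bytes) -> str:
    """Hypothetical issuer: binds a key to (package name, cert fingerprint)."""
    msg = f"{package}|{fingerprint(cert_der)}".encode()
    return hmac.new(ISSUER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_api_key(package: str, signing_cert_der: bytes, bundled_key: str) -> bool:
    """Hypothetical verifier: recomputes the key from the cert that signed the APK."""
    expected = issue_api_key(package, signing_cert_der)
    return hmac.compare_digest(expected, bundled_key)


def simulate(package: str = "com.example.game") -> dict:
    """Three cases: debug build, re-signed with stale key, re-signed with new key."""
    debug_key = issue_api_key(package, DEBUG_CERT)
    store_key = issue_api_key(package, STORE_CERT)
    return {
        # Developer's own debug-signed build carrying the debug key.
        "debug_build": verify_api_key(package, DEBUG_CERT, debug_key),
        # APK re-signed by the store, bundled key left untouched.
        "resigned_key_not_swapped": verify_api_key(package, STORE_CERT, debug_key),
        # APK re-signed and the bundled key replaced to match the new signature.
        "resigned_key_swapped": verify_api_key(package, STORE_CERT, store_key),
    }


if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case}: {'verified' if ok else 'API key cannot be verified'}")
```
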

Zsolt Bertalan answered
Thank you for your answer. Meanwhile I also received an answer to my support ticket and that answered my questions. I managed to submit my app successfully. The problem was that it took me weeks to test the app and I forgot about the publishing misery: https://developer.amazon.com/sdk/gamecircle/documentation/submit.html I had to go to my security profile and connect it to my app one more time. I have to admit that your support is getting better, but your processes and APIs should be streamlined. And a note at publishing a GameCircle enabled app would be nice. Or even better do this automatically. And the certificate replacement should be also more transparent. And I still maintain that the API key shouldn't be stored in the app.