How SmartLicence works

SmartLicence is a method for activating and reactivating applications on a phone or tablet using only a smart card. This is particularly useful when the phone or tablet has no network connectivity.

When prompted by the application, the user simply holds the smart card to the back of the device until they receive confirmation that the activation was successful. This takes between 0.9 and 2.5 seconds depending upon the capacity of the card and the phone’s hardware.

Application identification

To prevent a user from attempting to activate one software product with a licence for another product, the application and smart cards specify a Vendor ID and a Product ID which must match. The Vendor ID and the first Product ID are issued by Xewli when you request access to SmartLicence. Additional Product IDs are available on request.

Activation and reactivations

SmartLicence supports two kinds of activations:

  • per-installation, in which for every activation, the number of licences remaining on the smart card is reduced by one; or
  • per-device, in which a unique identifier is used to recognise a previously activated device. Reactivations do not use another licence. This is dependent upon access to a reusable identifier.

A single SmartLicence can store up to 150 licences when used for per-device activations, and over 1000 for per-install applications.

Unique identifiers

During an activation, the software specifies a unique identifier which could be either:

  • the device serial number, which persists through a factory reset and can be used to support per-device licensing. On Android, only a device or profile owner app can access the device serial number;
  • the advertising ID, which would allow re-activation following an uninstall if the device has not been factory reset. However, this isn’t always available: the user can opt out; or
  • a randomly generated value such as a nonce, which only permits per-install based activations but prevents any possible replay attack.

The maximum length supported is 36 bytes, which is sufficient for a 32-character UUID (plus four “-” separators, encoded in UTF-8).

Google also provides guidance for selecting appropriate identifiers for your app based on your use case.

Verification

When a licence is issued by the smart card, it is digitally signed with a per-vendor private key. The application uses a bundled public key to verify the licence is issued by the right vendor, for the right application and for the right unique identifier.
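
The check described above can be sketched as follows. This is an added example, not SmartLicence's own code: the payload layout, the choice of ECDSA with SHA-256, the class and method names, and the sample IDs are all assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class LicenceCheck {
    // Hypothetical layout: vendorId (2 bytes) | productId (2 bytes) | idLen (1 byte) | identifier
    static byte[] encode(int vendorId, int productId, String identifier) {
        byte[] id = identifier.getBytes(StandardCharsets.UTF_8);
        if (id.length > 36) throw new IllegalArgumentException("identifier exceeds 36 bytes");
        return ByteBuffer.allocate(5 + id.length)
                .putShort((short) vendorId).putShort((short) productId)
                .put((byte) id.length).put(id).array();
    }

    // Accept only if the signature is valid AND the signed fields are the ones this app expects.
    static boolean verify(PublicKey vendorKey, byte[] payload, byte[] sig,
                          int vendorId, int productId, String identifier) {
        try {
            Signature v = Signature.getInstance("SHA256withECDSA");
            v.initVerify(vendorKey);
            v.update(payload);
            if (!v.verify(sig)) return false;
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or unusable key: treat as not licensed
        }
        // Rebuild the expected payload locally rather than trusting fields parsed from the card.
        return MessageDigest.isEqual(payload, encode(vendorId, productId, identifier));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the per-vendor key; a real app bundles only the public key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair vendor = g.generateKeyPair();

        String deviceId = "123e4567-e89b-12d3-a456-426614174000"; // constructed UUID, exactly 36 bytes
        byte[] payload = encode(0x0101, 0x0001, deviceId);        // constructed Vendor ID / Product ID
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendor.getPrivate());
        s.update(payload);
        byte[] sig = s.sign();

        // Same vendor, product and identifier as the licence was issued for
        System.out.println(verify(vendor.getPublic(), payload, sig, 0x0101, 0x0001, deviceId));
        // Application built with a different Product ID
        System.out.println(verify(vendor.getPublic(), payload, sig, 0x0101, 0x0002, deviceId));
        // Licence presented on a device with a different unique identifier
        System.out.println(verify(vendor.getPublic(), payload, sig, 0x0101, 0x0001,
                "123e4567-e89b-12d3-a456-426614174999"));
    }
}
```

Comparing the signed payload against one rebuilt from the application's own Vendor ID, Product ID and identifier means a validly signed licence for another product or another device is still rejected.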