Introduction
More and more mobile applications are based on time to work. Many games works with waiting time longer or shorter depending on user actions, payments, transport, client management applications have a business model based on accurate timing information.
Remember that time is money
In game to reduce waiting time between stages it’s possible to pay.
How validate something, like discount ticket with wrong date and time ?
How manage client loyalty with wrong subscription date ?
I will try to respond to this question, how synchronized time can be secured on Android devices ?
Problems
Actually, on a mobile device, the time is not considered as a critical service thus users can change it easily. On the Android platform, date and time can be modified/updated with 3 different ways:
- If the android platform, is connected to a mobile network, this network provided time to Android.
- Otherwise Android receive NTP notifications from Google server.
- Manually the user can change the date and the time of his device.
The third way is the major problem of Android time based application because the JAVA API provided by Android can’t allow applications to know the time sync with network provider or Google NTP without user modifications.
Solutions
Simple but not secure
The first approach we can made is to save the date and time value when the application start and watch each modifications of system date.
ut the user can stop an application and modify the date/time manually; if the application is stop we can’t detect user’s modifications.
The better one
The other solution is to synchronized date and time with a server and used the SystemClock class in the Java API.
This class provided some methods to manage system date.
The most important method for us is elapsedRealtime; this method provided the number of milliseconds since the Android platform boot and it was based on clock ticks and not on the system date thus user date/time modifications haven’t any impacts on the returned value.
Sample class to use the second solution:
Usage of SecureDate class
Conclusion
Actually, to secure date and time on Android we need a connection to a server on each first launch of an application to get the real current date and avoid manuals user modifications.