AppCoins Protocol: Proof-of-Attention in Android

Image for post

TL;DR: A big challenge we aim to solve with AppCoins and the App Economy is to allow users to earn coins by paying attention to apps for a certain amount of time. This is also referred to as Proof-of-Attention (PoA). A big part of creating such a proof involves the smartphone environment and considering the majority of smartphones in the market run Android we have decided to focus in this platform.

Our Goals

AppCoins cryptocurrency is going to be developed using blockchain technology (which will bring reliability and transparency to the App Economy) but we still have to deal with challenges associated with the client-side specially when it comes to Proof-of-Attention (PoA).

While designing our solution for Android platform two main factors were taken into account: Reliability and Availability.

Reliability consists of avoiding fraud. Once a PoA is generated, the solution needs to have a high level of confidence that a user paid attention to an app installed from an app store. Availability consists of making sure that whenever a user pays attention to an installed app, the app store will recognize the event and will request the PoA once the requirements are met.

In order to leverage Reliability our first step was to research the Android SDK for APIs that could help us increase the confidence that the user is in fact paying attention to a specific application. In regards of Availability we had to make sure the app store would be running at the same time the app was running in order to be able to evaluate whether the requirements of PoA were met or not.

Availability

The app store process has to be running when user is paying attention to an application in order to request the Proof-of-Attention. Latest releases of Android (from Lollipop onwards) have been limiting the ability of applications’ processes to run while applications are in background. In our scenario the app store process could eventually be killed while not in foreground. In order to overcome that issue we can take advantage of the Binder to bind application and app store processes while application is in foreground which will ensure app store process is not killed by the Android OS.

Binder is a core component in Android architecture and its main goal is to simplify Inter-Process Communication (IPC). Binder is implicitly used whenever an application communicates with OS services or with other applications through Android Java API. The Binder framework will also provide information regarding the application process which will positively contribute to app store Proof-of-Attention reliability.

Reliability

Once the application and the app store processes are bound, app store will periodically verify whether the Application is in foreground and the user is actively interacting with the device. In order to certify user is paying attention to the application the following conditions should be met:

  • Application process must be bound to app store process.
  • The application must be in foreground.
  • Device screen must be on.
  • Device must not be locked.
  • The signature of the application must be verified on app store servers.

To assure application process is bound to app store, Binder and PackageManager APIs can be used. To verify whether application process is in foreground ActivityManager, UserStatsManager and PackageManager APIs can be used. To check whether device screen is on PowerManager and Display APIs can be used. Regarding the state of the lock screen KeyguardManager API can be used.

Every application has to be signed by the developer to be installed in an Android device. App stores have access to applications’ signatures and can validate whether they match with the signature on their servers. If signatures does not match application may be tempered. To obtain the application signature Binder and PackageManager APIs can be used.

Limitations

The proposed solution has some limitations regarding reliability — imposed by Android inherently insecure environment — and Android API availability — due to Android version fragmentation and app store permission level. The use of several different Android APIs can help hardening the solution against an attacker but it is not possible to assure full protection against fraud taking only the client side into account. In order to eliminate fraud AppCoins team will work on different security layers from client side to server side.

In Android some APIs are considered sensitive and require system-level permissions to access them. Usually system-level can only be granted to system applications (pre-installed on the device by manufacturers). Also some APIs are only available in certain versions of Android. The following table summarizes the APIs needed to generate the Proof-of-Attention and their availability:

UsageStatsManager requires a System-Level permission but PACKAGE_USAGE_STATS can also be obtained by a normal application if user explicitly enables it in Settings.

We can only have an implementation that fulfills all the requirements of PoA with a minimum Android version of Jelly Bean(16) and above. The Android version limitations are not relevant since according to Google statistics only 1.2% of the Android devices are not running version Jelly Bean (API 16) or above.

Also UsageStatsManager is necessary from Lollipop(21) onwards what will require app store application to be a system application or to ask the user to explicitly go to Settings and give the permission. Since in the App Economy the user will be rewarded by the attention given to applications it will be easy to convince him to manually provide the permission in case app store is not a system application.

How about the code?

As a result of our research a test application was implemented that uses the aforementioned APIs in order to assert user attention. The code can be found in AppCoins’ GitHub. AppCoins protocol is opened and external contributions are very welcomed, feel free to checkout the code and create a Pull Request.

About Aptoide

Aptoide was founded in 2011 and has its HQ in Europe and offices in Singapore and Shenzhen. With over 200 million users, 1 million apps and 4 billion downloads to date, Aptoide is a community based platform that reinvents the app discovery experience through a social environment, tailored recommendations and the opportunity for users to create and share their own playlist of favourite applications and games.

About AppCoins

AppCoins is a new cryptocurrency that all Aptoide users can earn and spend inside app stores. Once the protocol is implemented, AppCoins can be adopted by any app store, regardless of the operating system. The protocol creates a new shared ecosystem among all app stores, powered by the blockchain. AppCoins is to become the new universal language of the global app economy.

About the ICO

To raise funds for the new cryptocurrency venture, Aptoide launched an ICO (Initial Coin Offering) pre-sale on November 6th, 2017, opening up 20% of the total number of AppCoins to investors. During the pre-sale phase, members of the Aptoide community and other exclusive groups got the chance to buy the first AppCoins. Even though the first stage of the AppCoinsICO was a whitelisted pre-sale open to eligible investors in the Aptoidecommunity only, we managed to exceed all expectations and surpassed all pre-sale ICO goals, by raising a total of $1.8 Million USD, 3,539.99 ETH and 16,353,786 APPC tokens distributed, providing AppCoins the launchpad required to revolutionise the App Store Economy.

Originally published at medium.com on November 28, 2017.

Written by

The first ICO serving 200 million users to create a trusted economy without intermediaries. Supported by Aptoide App Store. Learn more: https://appcoins.io/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store