App Security Loophole - How to stop users from sharing login info

I’m trying to figure out if there’s a way to add an additional layer of security to apps. I’ve built an app that has free content and VIP content that comes at an added cost. While playing with the app last night, a buddy and I figured out that if one VIP user chooses to share his app credentials (email address + pin code), the VIP user AND anyone else can access VIP content at the same time. Here’s how I have things set up and how we discovered the loophole in the system:

  1. User purchases VIP access and email is added to “Whitelist Email” list for app
  2. VIP user attempts to log into the app and is automatically sent a unique pin code
  3. VIP user fetches pin code and is then granted access into the app
    VIP user then tells friends and family that they can have access too via his/her email
  4. VIP user shares email address to friend
  5. Friend attempts to log into the app, triggering another pin code to the VIP user email
  6. VIP user fetches the pin code and shares it with his/her friend
  7. Friend then enters pin code and is granted access into the app
  8. VIP user repeats same process with as many people as he/she wishes
  9. Now that friends and family have successfully logged in, they have access for life

There must be a way to stop this, right? I was thinking that if the app back end recognizes “User 1” logs in via a device or ip address and then “User 2” logs in simultaneously under the same email on a different device or ip address, perhaps the system could boot “User 1” off and only allow one device or ip address to be using the app at any given time.

Any thoughts on what I could do? This problem poses a legitimate threat to the profitability of my app. Any help is appreciated. Thanks!

Unfortunately, every app has this loophole — if users share their emails and passwords (and pins) with each other, we cannot tell whether the flesh-and-blood human logging in is the same as the person who originally paid for your service.

One option we’re considering is a feature that would only allow users to be logged in on a maximum number of devices (e.g. 1).

How is this any different than Spotify or Netflix? People share credentials for those services the same way. Not condoning it, but I’m not sure there is a whole lot you can do. I personally don’t like sharing my account with others because they then have access to manipulate my own data in the app. I think if your app has enough value where everyone would want their own data kept private, then there shouldn’t be much of a problem. I don’t share my credentials for anything because I don’t want people abusing my account that I paid for.

Could you have a value that gets generated in the app logins sheet since that is by device? And then do a relation of the email address and value? If somebody else tries signing in as that user on a different device it would generate a new sign in record

It is no different, but Hulu and Netflix both have a device limit. That drastically cuts down on social sharing of credentials. Just seeing if something similar can be done.

This seems like the best solution. Credential sharing happens all the time with Hulu, Netflix, etc. I think you have to go into app building like this fully expecting that some people will unfortunately take advantage of credential sharing.

I’m not expecting a 100% lock down. But like Hulu and Netflix, a device limit per email address would be sooo awesome!

Thanks, David!

I currently have another software that I use the device limit to control how many can be logged in at the same time. I like the idea of that limitation being able to be set by developers as it may be different for one app over another.
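
The per-email device limit discussed in this thread, sketched as an added example (it is not code from any poster or from the app platform). It assumes a back end you control, a random `device_id` the app generates and stores on first launch, and a hypothetical `DeviceLimiter` class; `login` is called only after the pin code has been verified.

```python
import hmac
import secrets
from collections import OrderedDict


class DeviceLimiter:
    """Tracks active sessions per email and enforces a developer-set device cap."""

    def __init__(self, max_devices=1):
        if max_devices < 1:
            raise ValueError("max_devices must be at least 1")
        self.max_devices = max_devices
        self._sessions = {}  # email -> OrderedDict(device_id -> token), oldest first

    @staticmethod
    def _key(email):
        return email.strip().lower()  # "VIP@x.com" and "vip@x.com" are one account

    def login(self, email, device_id):
        """Register a session; returns (token, list of device ids that were booted)."""
        devices = self._sessions.setdefault(self._key(email), OrderedDict())
        devices.pop(device_id, None)  # same device again: new token, no extra slot
        evicted = []
        while len(devices) >= self.max_devices:
            old_device, _ = devices.popitem(last=False)  # boot the oldest session
            evicted.append(old_device)
        token = secrets.token_urlsafe(32)
        devices[device_id] = token
        return token, evicted

    def is_active(self, email, device_id, token):
        """Check on every request for VIP content, so a booted device loses access."""
        current = self._sessions.get(self._key(email), {}).get(device_id)
        if current is None:
            return False
        return hmac.compare_digest(current.encode(), token.encode())


def demo():
    # Constructed scenario: the VIP logs in, then a friend uses the shared pin.
    limiter = DeviceLimiter(max_devices=1)
    vip_token, _ = limiter.login("vip@example.com", "vip-phone")
    friend_token, evicted = limiter.login("VIP@example.com", "friend-phone")
    vip_ok = limiter.is_active("vip@example.com", "vip-phone", vip_token)
    friend_ok = limiter.is_active("vip@example.com", "friend-phone", friend_token)
    return vip_ok, friend_ok, evicted
```

With a cap of 1, each shared login logs the paying user out, which removes the "access for life" outcome in step 9 without claiming to identify who is holding the device.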