I have created an app for surveys where only one user can register per Android phone. I am using "Secure.ANDROID_ID" to identify unique devices on the server side.
Now the problem is that a lot of scammers are creating many fake accounts through fake mobile numbers and clone applications, where the device ID changes, and are earning a lot of rewards by completing surveys. I have handled some clone maker apps which can clone an app by changing the package name, but there are still some apps like "Multi parallel, Dual space app" which clone an application and do not change the package name or signature.
What I want is to somehow detect if the application is cloned and not let the user use that app. Please guide me if there is any way to detect the clones.
Or is there any other way to identify unique devices on the server side instead of using ANDROID_ID?
ANDROID_ID remains the same only until you reset the phone to factory settings, so it is not usable as a UNIQUE_ID because it doesn't survive hard resets. You have to implement some accounting based on email+confirmation_address from the ones you can find in the Android --> Accounts page; in this way the user should add a valid email account (for which he has the right credentials). Additionally, you can register the user by sending device info such as Manufacturer and/or ModelName to be sure an email account is not shared across many devices.
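
A server-side sketch of the scheme the answer describes, added here as an example and not part of the original answer: registration is accepted only with a confirmation token that was mailed to the address, and each confirmed email is pinned to the first manufacturer/model pair it registers from. The names `SERVER_KEY`, `TOKEN_TTL`, `issue_token`, `token_valid` and `Registry` are hypothetical, and the in-memory dict stands in for a real database.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
TOKEN_TTL = 15 * 60                   # assumption: confirmation valid for 15 minutes


def _norm(value):
    return value.strip().lower()


def _mac(email, exp):
    msg = f"{_norm(email)}|{exp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Token mailed to the address; it binds the address to an expiry time."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{exp}.{_mac(email, exp)}"


def token_valid(email, token, now=None):
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False  # malformed token
    now = time.time() if now is None else now
    # Constant-time comparison, then the expiry check.
    return hmac.compare_digest(mac.encode(), _mac(email, exp).encode()) and now <= exp


class Registry:
    """One account per confirmed email, pinned to the first device model seen."""

    def __init__(self):
        self.accounts = {}  # normalized email -> (manufacturer, model)

    def register(self, email, token, manufacturer, model, now=None):
        if not token_valid(email, token, now):
            return "rejected: email not confirmed"
        device = (_norm(manufacturer), _norm(model))
        bound = self.accounts.setdefault(_norm(email), device)
        if bound != device:
            return "rejected: email bound to another device"
        return "ok"
```

Manufacturer and model are reported by the client and shared by every phone of the same type, so the device check is a consistency signal on top of the confirmed email, not a unique device identifier.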