27
Jul
image

Android Pirates

Have you ever seen one of those annoying comments on the Android Market promising the riches and all the Android apps in the world for a low-low monthly price of $10? Sites like that pirate paid games and apps off the Market and then distribute them illegally, pocketing all the revenue. That's modern day warez at its finest.

Whether it was because of Android's openness or Google's notoriously poor focus on the Market, no DRM or licensing protection was available in the SDK for developers to utilize; so unless you rolled your own licensing scheme from within the app (which had a side effect of circumventing Google's payment system and therefore netted developers a whole lot more than 70% rev share), your app was easily "piratable".

Google DRM

Well, developers have had enough, and Google has eventually listened. An hour ago, Eric Chu from the Android team announced an official licensing service for Android applications.

image

The service will allow application developers to implement a license status check in their apps - an app would query the licensing server and get back a response stating whether it had been purchased through the Market or not.

This simple and free service provides a secure mechanism to manage access to all Android Market paid applications targeting Android 1.5 or higher.

At run time, with the inclusion of a set of libraries provided by us, your application can query the Android Market licensing server to determine the license status of your users.

It returns information on whether your users are authorized to use the app based on stored sales records.

What If Google (riiight) Or You (that's more like it) Are Offline?

Now, those of you who remember the Ubisoft Assassin's Creed DRM disaster can breathe a little easier - Google is well aware of the problems that can occur when you don't have a working connection or their servers are offline (which is unlikely but possible). This is why they will support both of these schemes:

  • a relaxed "chill out if you're offline" scheme
  • a strict "I need a connection every time you want to use the app" scheme

My guess is someone would need to either love getting 1-star reviews or be really-really paranoid to use the 2nd scheme, so most apps will stick to the safe first option.

To help you get started with a Policy, the LVL provides two fully complete Policy implementations that you can use without modification or adapt to your needs:

  • ServerManagedPolicy is a flexible Policy that uses settings provided by the licensing server to manage response caching and access to the application while the device is offline (such as when the user is on on an airplane). For most applications, the use of ServerManagedPolicy is highly recommended.
  • StrictPolicy is a restrictive Policy that does not cache any response data and allows the application access only when the server returns a licensed response.

A Few More Bits

Here are some points to keep in mind as you implement licensing in your application:

  • Only paid applications published through Market can use the service.
  • An application can use the service only if the Android Market client is installed on its host device and the device is running Android 1.5 (API level 3) or higher.
  • To complete a license check, the licensing server must be accessible over the network. You can implement license caching behaviors to manage access when there is no network connectivity.
  • The security of your application's licensing controls ultimately relies on the design of your implementation itself. The service provides the building blocks that let you securely check licensing, but the actual enforcement and handling of the license are factors in your control. By following the best practices in this document, you can help ensure that your implementation will be secure.
  • Adding licensing to an application does not affect the way the application functions when run on a device that does not offer Android Market.
  • Licensing is currently for paid apps only, since free apps are considered licensed for all users. If your application is already published as free, you won't be able to upload a new version that uses licensing.

Conclusion

Today's announcement is a solid step to reducing Android app piracy. Google has listened to developers' concerns and stepped it up. A more serious Market, happier, more confident (and properly paid) developers = better apps and games for all of us.

Now, devs, don't screw this up like Ubisoft did - we know where that 1-star button lives.

Sources: Google Android blog, Google's Licensing Guide

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • Kane

    Nice writeup.

    I hope this stops those spam comments - they're very annoying.

  • Alex

    The Market needs *a lot* of love, this a good step in the right direction

  • ari-free

    Nevermind the comments. We want more devs to be comfortable so that they can be interested in developing for Android in the first place.

  • Jerry Chong

    Wait, did no one see this sentence at all?
    "A copy-protected application cannot be downloaded from Market to a device that provides root access."

    • http://www.AndroidPolice.com Artem Russakovskii

      I just read the relevant part and you are confusing the new Licensing Service with a previous copy protection (whatever that is/was).

      Replacement for copy protection

      Android Market Licensing is a flexible, secure mechanism for controlling access to your applications. It effectively replaces the copy-protection mechanism and gives you wider distribution potential for your applications.

      * A limitation of copy protection is that applications using it can be installed only on compatible devices that provide a secure internal storage environment. For example, a copy-protected application cannot be downloaded from Market to a device that provides root access, and the application cannot be installed to a device's SD card.

      • Jerry Chong

        Ah, you're right - That should teach me for reading RSS feeds in the morning without coffee.

  • http://martinarguello.net Martín Argüello

    While the first licensing scheme seems like the most apropiate for most situations, i find the second scheme to be that paranoid.

    Maybe some app could implement this StrictPolicy scheme and provide the user with (lets say) three days of "free" usage until is required to activate online (which is not that bad even if you cant use a data plan because wifi internet access is pretty much everywhere). Maybe useful for apps that rely on a content distribution model?