23 Aug | Last Updated: June 5th, 2012

[Update: 8/24/10 @ 7:45 PM EST by Aaron] Tim Bray responded to Justin's article, but seems to have misunderstood the goal. Thus, Justin has written a follow-up article here.

Preface

This article was not written to teach people how to pirate or ridicule Google's Android License Verification Library (LVL) that handles communication with Google's Android Market Licensing Service.

I am very much against piracy, and very much pro-Google. I have spent more time researching copy protection for my applications than development of the applications themselves.

I would like to thank:

  • the author of Star Hunt for allowing me to use his application in my demo video
  • the author of Tasker for allowing me to use his application, which has the best implementation of LVL I found, in this article

Both of these applications are available in the market - I highly suggest you give them a try. Support your developers, and pay for your apps.

Introduction

Since I started doing Android development, I have looked at many licensing options, from simple forward locking (/data/app-private), which was a complete failure, to KeyesLab's AAL which I really liked, to a custom one I was privy to, written by my friend Colin O'Dell. I even went as far as writing two different ones myself.

By far the best-looking and nicest option I have seen is Google's own Android Licensing Service. However, even Goliath can fall to a pebble.

A few days ago, after asking the AndroidPolice editors to write an article on piracy, I found a problem with Google's Android License Verification Library. A minor patch to an application employing this official, Google-recommended protection system will render it completely worthless.

Implications

Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution. By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts.

Demo

Watch this demonstration video of my patch method tricking both the protected version of the game StarHunt and the Google LVL demo app into thinking they have been purchased legitimately:

I am providing an unpatched app based on Google's sample, compiled with my public key, and a patched version. The unpatched version will fail validation, because you have no license for it. The patched version will always pass validation, no matter what the case.

No demos of other patched apps will be provided publicly out of respect for their developers.

Breaking The Library (aka The Technical Mumbo Jumbo)

A little back-story on Java, which most Android applications are written in. Java applications are compiled into bytecode that runs on top of a virtual machine, generally independent of platform. Because of the need for cross-compatibility, the bytecode is fairly readable. Many software suites exist to decompile or disassemble it, making it an easy target for reverse engineering.

For Android, the main disassembly suite is smali/baksmali. The bytecode output from baksmali can be edited in any text editor, and reassembled using smali.

"smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)"

Because the License Verification Library is not part of the Android OS (i.e. it doesn't ship with phones - it's an optional SDK download), an app developer needs to package it with the app that uses it, making it an easier patch target, without requiring root access.


The first step in reproducing this is to disassemble the apk using baksmali and find the LicenseValidator class. In custom implementations and ProGuard-obfuscated apps like Tasker, this filename will differ, and so will the code, but not enough to stop a pirate from patching it.

When disassembling the basic implementation of the licensing service, you will find the file out/com/android/vending/licensing/LicenseValidator.smali. This class reports back to the application, telling it the result of the verification attempt. Opening this file in a text editor will show you the bytecode, and at the beginning you will see these constants:

.field private static final ERROR_CONTACTING_SERVER:I = 0x101
.field private static final ERROR_INVALID_PACKAGE_NAME:I = 0x102
.field private static final ERROR_NON_MATCHING_UID:I = 0x103
.field private static final ERROR_NOT_MARKET_MANAGED:I = 0x3
.field private static final ERROR_OVER_QUOTA:I = 0x5
.field private static final ERROR_SERVER_FAILURE:I = 0x4
.field private static final LICENSED:I = 0x0
.field private static final LICENSED_OLD_KEY:I = 0x2
.field private static final NOT_LICENSED:I = 0x1

This code itself is unimportant, and may not show up in custom implementations, but it will help you understand the next step.

Scrolling to the bottom of LicenseValidator.smali, you will see this block of code in the “verify” method:

.sparse-switch
0x0 -> :sswitch_d3
0x1 -> :sswitch_de
0x2 -> :sswitch_d3
0x3 -> :sswitch_11d
0x4 -> :sswitch_f3
0x5 -> :sswitch_101
0x101 -> :sswitch_e5
0x102 -> :sswitch_10f
0x103 -> :sswitch_116
.end sparse-switch

This is a switch block, which essentially tells the licensing library what to do next, depending on the results of the verification query. Each possible result is “mapped” to a different function.

Notice how the values on the left correspond to the constants at the beginning of the file. 0x0 and 0x3 are both positive results, which will tell the application that your device has a valid license. The others are various forms of negative results, and depending on how the application is coded, will result in different things.

The important one here is 0x1, or NOT_LICENSED. By changing “0x1 -> :sswitch_de” to “0x1 -> :sswitch_d3” we basically point it to a positive outcome instead, so the library tells your app the license is actually valid.

The final step is to reassemble with smali, placing the new dex file in the apk, and re-sign it with any valid key (even test-keys).

Even though the library knows the status is NOT_LICENSED, the described tweak ensures the application will receive a LICENSED result instead and believe that it is, in fact, licensed. This method is so simple, even a novice programmer could write a script to automatically patch most apps.
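As an added example (not code from the article, Google, or the LVL project): a Python checker a developer could run over a baksmali dump of a redistributed copy of their own app to spot the edit described above. It parses the .field constants and the verify sparse-switch and flags any result code that is not LICENSED or LICENSED_OLD_KEY but jumps to a label one of those does; the sample dumps are constructed from the lines shown on this page, with the patched one produced by the 0x1 -> :sswitch_d3 change.

```python
"""Check a baksmali dump of LicenseValidator.smali for the switch-table edit
described above: a non-positive result code routed to a positive outcome."""
import re

# Result-code names that mean "licensed" in the stock library (from the page).
POSITIVE_CODES = {"LICENSED", "LICENSED_OLD_KEY"}

FIELD_RE = re.compile(r"^\.field\s+(?:\w+\s+)*(\w+):I\s*=\s*(0x[0-9a-fA-F]+|-?\d+)$")
CASE_RE = re.compile(r"^(0x[0-9a-fA-F]+|-?\d+)\s*->\s*(:\w+)$")

# Constructed sample: the constants and the "verify" sparse-switch exactly as the
# article shows them for an unmodified build of the library.
ORIGINAL_SMALI = """\
.field private static final ERROR_CONTACTING_SERVER:I = 0x101
.field private static final ERROR_INVALID_PACKAGE_NAME:I = 0x102
.field private static final ERROR_NON_MATCHING_UID:I = 0x103
.field private static final ERROR_NOT_MARKET_MANAGED:I = 0x3
.field private static final ERROR_OVER_QUOTA:I = 0x5
.field private static final ERROR_SERVER_FAILURE:I = 0x4
.field private static final LICENSED:I = 0x0
.field private static final LICENSED_OLD_KEY:I = 0x2
.field private static final NOT_LICENSED:I = 0x1

.sparse-switch
0x0 -> :sswitch_d3
0x1 -> :sswitch_de
0x2 -> :sswitch_d3
0x3 -> :sswitch_11d
0x4 -> :sswitch_f3
0x5 -> :sswitch_101
0x101 -> :sswitch_e5
0x102 -> :sswitch_10f
0x103 -> :sswitch_116
.end sparse-switch
"""

# Constructed sample of the patched table: NOT_LICENSED now shares LICENSED's label.
PATCHED_SMALI = ORIGINAL_SMALI.replace("0x1 -> :sswitch_de", "0x1 -> :sswitch_d3")


def parse_constants(smali):
    """Map each `.field ... NAME:I = value` declaration to its integer value."""
    consts = {}
    for line in smali.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            consts[m.group(1)] = int(m.group(2), 0)
    return consts


def parse_sparse_switch(smali):
    """Return {case_value: label} for the first .sparse-switch block in the dump."""
    table, inside = {}, False
    for line in smali.splitlines():
        s = line.strip()
        if s == ".sparse-switch":
            inside = True
        elif s == ".end sparse-switch" and inside:
            break
        elif inside:
            m = CASE_RE.match(s)
            if m:
                table[int(m.group(1), 0)] = m.group(2)
    return table


def find_redirected_cases(smali, positive_labels=None):
    """
    Return (name, value, label) for every result code that is not a positive
    code but jumps to a label a positive code also jumps to.  In the stock
    table only 0x0 and 0x2 share :sswitch_d3; the edit on this page makes 0x1
    share it too, which is what this flags.  When the fields have been renamed
    by an obfuscator, pass the known positive labels explicitly.
    """
    consts = parse_constants(smali)
    table = parse_sparse_switch(smali)
    if positive_labels is None:
        positive_labels = {table[consts[n]] for n in POSITIVE_CODES
                           if n in consts and consts[n] in table}
    name_of = {v: k for k, v in consts.items()}
    return [(name_of.get(v, "UNKNOWN"), v, lbl)
            for v, lbl in sorted(table.items())
            if name_of.get(v) not in POSITIVE_CODES and lbl in positive_labels]


if __name__ == "__main__":
    for title, dump in (("original", ORIGINAL_SMALI), ("patched", PATCHED_SMALI)):
        print(title, find_redirected_cases(dump) or "no redirected cases")
```

In ProGuard-obfuscated or customized builds the field names and labels differ, so the positive labels have to be supplied by hand through positive_labels rather than recovered from the constant names.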

Conclusion

The current situation with piracy in our community is out of control, and only set to get worse as the platform grows. Sites like the recently taken down AndroidPlayground are profiting from the hard work of our developers, and stifling future development.

For now, Google's Licensing Service is still, in my opinion, the best option for copy protection; however, we really need to see a better solution, such as checking the apk for alterations or ways to confirm an application was installed through official means.

I will continue to investigate copy protection methods on Android, and will hopefully have an update soon. I will possibly be releasing an add-on class for LVL soon, to help protect against out of market installs and unauthorized modifications of apps.

It goes without saying, but comments from Google and app developers are very welcome.

Justin Case
Justin Case is a 30-year-old father of four. He has an ever-changing array of Android devices, and an eye for mobile security.
  • James

    I've been wondering if Android's NDK might hold the solution to this. Decompiling a native library would prove a lot more difficult, so why not build the licensing functionality into that? Would that work?

    • AntiPirate

      As long as someone can come along and edit the Java bytecode, there's still the opportunity to not invoke LVL in the first place, or remap how the result of the call to native code is handled, as discussed above.

  • Vg2

    What about those of us living in countries not fortunate enough to be chosen by Google to have access to the paid apps? Yet they gladly sell Android phones here, charging full price for a phone that essentially can't live up to its full potential, as there are no paid apps.

    I would pay for the apps gladly if I could! There's literally no option to do so!

    • Justin Case

      Alternative markets exist that do just that; you should have no problem finding many apps for sale outside the Google market, and if you don't, just contact the publisher.

      • Rori

        Lots of apps are not on alternative markets... And contacting the publisher does not help. I still do not understand why I should be banned from buying apps??

      • b

        Are you serious? Or you must be a developer or working for the telcos.

        • Kane

          Who are you talking to?

    • James

      I sympathize with you that Market is not available in your country, but why does that matter when it comes to trying to prevent piracy? It's like driving to a neighboring country to steal a brand of beer that's not available in your country. Then the store puts in security measures to try to prevent all the recent thefts and you complain "hey, what about countries that don't offer this beer?"

      • cde

        Because you aren't prevented from purchasing it as long as you are in that country, which is near impossible to do for an app. Even if you drive to a country with paid market apps, your phone won't automatically convert to that country.

        • Maxi

          If it's not for sale, stealing it is still theft.

  • http://gbizapps.com Gunter

    Thanks for this info. I suspected that it would be easy to defeat this license checking. I thought about ways to protect my paid apps but found no solution to make sure that the apps work only when signed with my own key. I think this is a disadvantage of open source that you must live with and hope that enough users will be honest.

    • http://www.AndroidPolice.com Artem Russakovskii

      Hopefully, Justin will release his library that makes this much harder to circumvent soon.

  • http://www.twitter.com/colinodell Colin O’Dell

    There will NEVER be a foolproof anti-piracy method. The problem here is that Dalvik bytecode can be disassembled easily, allowing you to find and patch things as if you had the source. You can compile native binaries, build protection into the Android core, etc but there will ALWAYS be a way to circumvent it.

    Props to jcase for finding this vulnerability and informing the community!

    • James

      Sure there will always be a way given enough skill and time. The question really is: Will someone with that level of ability spend several hours to crack a 2 dollar app? If we make the protection sophisticated enough, I think we'll essentially "price" the crackers out, making it not worth their time.

      • Justin Case

        I agree with both of you, impossible to completely stop, but we can make it too much of a pita to do.

      • http://none cyber_l33ch

        I'm with Colin on this one. As long as one guy has nothing but time on his hands, he will eventually break it. Once that's done, you'll see an app that does it with one click in a matter of seconds. One click rooting?

        • Justin Case

          I actually created a one click as part of my research. I have no intent of releasing it, at all, ever.

  • http://none cyber_l33ch

    @Justin Case
    I'm sure there's other people as clever as you that will release it.

    • Justin Case

      Won't take any cleverness to make or release it. It's really simple.

  • Jonas

    I too made a script around apktool to disable LVL for an arbitrary apk right after it was released. It's really simple, just as stated. Manually disabling it is also easier than this article shows. There is no need to analyze or change switch statements ever, but I don't know how wise it is to post details that make writing a generic patcher easier...

    The solution for apps not selling enough is simple: open up the market for all countries! If people are allowed to pay they will. In Sweden we root or import German SIMs just to support developers (I always do!). Make it easy for us and piracy will go down and revenue up. Bugging Google about this is important for developers living in a supported country as well.

  • Mark

    Wouldn't it be better to change all the constants to 0x0? It's easier to change the constants than to mess with the switch later, and changing all the constants keeps the app running even if you get an error message back from the license server.

    • Justin Case

      In obfuscated and customized versions of LVL, this method is easier.

    • Jonas

      If you mean the ".field private static final..." that won't work. Those fields aren't used directly in the produced binary. Their declared values are used to construct the switch clause in this case. If you have

      ...
      case NOT_LICENSED:
      ...

      in java this is translated to the
      0x0 -> :sswitch...

      found in the disassembly at compile time. Changing the value in the declaration later won't help since the static variable itself isn't referenced; it's already been replaced with the value (0).

      • Justin Case

        Thank you. They are stripped out of proguarded apps as well.

  • http://shiftyfrog.com Matt

    Doesn't Google address this in the section of the documentation by recommending "Obfuscating Your Application"?

    • Jonas

      To some degree yes, but it's not enough.
      Even when mangled by ProGuard, the licensing library code is easily found automatically. Since you compile the licensing library into your own code, you can make some changes to it to make it harder to find when obfuscated, though.
      The key point is that since the code has to interface with the Market app some public recognizable stuff has to be left in. Given how the library interfaces with the Market app it's possible to write a "one click" generic patcher that begins with finding these "markers" in the code.

    • Justin Case

      It works fine against obfuscated apps; it doesn't help.

  • http://www.aaandroid.com aaandroid

    It's funny how you say you're against piracy and then write a manual for pirates. It goes without saying that you can write whatever you'd like but you can't have it both ways. This is not a "report" but a manual. You didn't need to actually show everyone how to do it. Your article could have accomplished the same goal without having actually showed people how to do it. Why make it even easier for pirates? The one-click method is kind of obvious after this.

    • Justin Case

      Sorry you feel that way, but I follow full disclosure. If I simply posted "yeah it could be done" people would have ignored it, and developers would not take proper action.

      • http://www.aaandroid.com/ aaandroid

        Please. Spare me. You could have easily proved that it could be done without having actually showed people how to do it with a step by step manual. I'm not saying that it couldn't have been easily figured out but to actually publish detailed instructions was done to get hits on your web site and nothing else. You could have left off some specifics and still proved your point. But like I said, you are 100% in the right to publish whatever you please. But this was done for web site traffic.

        And to those saying that this is what happens when you develop for an open-source platform, Apple developers have even less protection because a jailbroken phone can get access to all apps for free. Nothing is perfect.

        • Justin Case

          Neither my site nor my products are in the article, and I received no compensation. Hit count to a site that does not feed my family does not concern me.

        • James

          Jailbreaking an iPhone is an extra step though and many users won't take that extra step, especially because it voids your warranty. I wouldn't say that iPhone developers have "less protection" I would say they have more. I would also say that this is a big reason the iPhone App Store is able to attract more professional apps.

        • http://www.aaandroid.com/ aaandroid

          Personally, I don't really care that this was posted. I'm shocked it took this long. I never bothered to add the protection to my apps anyway because I was sure that it would be broken and didn't want to waste the time implementing it. Piracy isn't going anywhere. Those who wish to steal $1 from me (actually, a mere 70 cents after Google's cut) will do it anyway. Those who pay will pay. I still fight with the pirates because I can. For the record, it took me less than 5 minutes to remove the protection. Of course, I already own all my apps because I have respect for other people's property.

    • http://twitter.com/tokyomonster Chris Dehghanpoor

      If we hadn't published this, there would be less awareness of the method, and thus less incentive for Google to quickly repair the issue.

      Now that the cat's out of the bag, Google will want to fix ASAP to save face.

    • AntiPirate

      This workaround is so trivial that it would have been in use by pirates in no time anyway. App developers should not be lulled into a false sense of "security" where there is little actual security. For example, the developer of Task Manager has been using a "roll your own" verification mechanism for some time. It would be foolish of him to give that up for LVL given what Justin Case has shown us.

  • Nobody

    I appreciate the in-depth technical article. Sadly piracy of this nature, especially patching around DRM, is prevalent on every platform.

    Fo shame pirates. The $2 app is not going to bankrupt you. If it is, you probably shouldn't have purchased that $600 phone on credit dumbass.

    • James

      Seriously. And it blows my mind how someone would spend hundreds of dollars worth of labor time to crack a $2 app. How about this: come work for us improving the app for a few days and I'll give you 200 free copies to distribute as you see fit. That would never happen though because it's not as cool and fun to build as it is to tear apart.

      Kinda makes you want to develop for a proprietary, locked up platform, doesn't it?

      • justwally

        On a distributed network (Internet) it is trivial to find enough people with enough skill and enough time on their hands and a big enough chip on their shoulders to do these things free-of-charge for you so you can make money. People VOLUNTEER (yes, do it for free) just to be a part of poking The Man with sharpened sticks.

        Add the economic model of scale, sold advertising, selling additional products and services (that may or may not ever be delivered) and $2 per app, and you can make a fair amount of money in short, short order. Over and over and over again, and massively parallel.

        I'm shocked that you didn't qualify your comment with this pedestrian knowledge before posting.

    • http://www.excloo.com/ Max

      As a teenager with no credit card and no access to one, it's not that we don't want to pay, it's that we can't.

      • justwally

        Puhleeze, show some initiative: PayPal

  • Milind Rao

    It's too bad that people will pirate $2 apps. But those that will, will do it anyway.

    And because it's so damn easy to circumvent piracy, I absolutely will do everything possible to either avoid apps requiring activation or circumvent them if unavoidable. I have experienced nothing but grief with activated apps.

    Apart from Windows 7 I purchase no apps that require activation. I dumped Stardock (who have the worst activation ever), dumped Photoshop after ver 7. Never bought Lightroom for the same reason.

    The unassailable fact is that this does nothing to curb piracy and punishes paying customers if things go wrong. If I can't connect to the server for any reason and the app is poorly coded to handle that, or for any other reason the app stops working because of a false positive at an inopportune time, it is the person who has paid money and is treated like a potential criminal that suffers. After this happened to me 3 times for various reasons, I have sworn off them. Meanwhile the person who has pirated the software doesn't face this problem at all.

    I wish there was some way to prevent piracy without impacting paying customers, but there isn't. The developer ends up spending valuable time writing/fixing problems with preventing piracy rather than improving the app. Better to sell enough (by increasing the number of markets etc.) that piracy losses, while always unfair, would not impact too much on earnings. We are not yet there. But may get there.

    I have been using Android for 2.5 years and have not purchased a single app from the Market. But I have spent about $50-$75 on various ROMs and apps that are not on the market or are donation ware. I'm mostly in India and travel frequently to the US. There are ways around accessing paid apps and it's a pain to get upgrades (a combination of AppBrain and MarketEnabler works).

    • http://c.vanfleteren.net Christophe Vanfleteren

      "Apart from Windows 7 I purchase no apps that requires activation. I dumped Stardock (who have the worst activation ever), Dumped Photoshop after ver 7. Never bought Lightroom for the same reason. "

      I get the sentiment, but Lightroom doesn't need activation. You just buy a serial, enter it and you're done.

    • Symbian

      Exactly.
      You almost said it all.
      I'll just add a minor thing.
      For me (and I am sure that for almost every single being on this tiny planet) the price of the apps from 0.50€ to 5€ is acceptable depending on the difficulty of the programming or type of app (if it's intended for a commercial purpose).
      I would pay if the app is GOOD and CLEAN!!!
      (Sorry, I'm pissed; I bought an Android device and I am so unhappy with these issues. I am going to return it to the shop and buy another phone with Windows Mobile or a Symbian phone)
      I don't pirate; but I kinda praise the pirates; and in a way let them war with this app system.
      Why? For one simple reason; PRIVACY.
      I don't know about you (users) but I like to keep MY Stuff TO MYSELF.
      And by eating all the Ads; and by giving contradictory permissions to some enterprise/government/someone I don't know; it's quite an incentive to pirate any app or OS; and afterwards to start a war.
      Really; that's not the way to do things.
      Someone should create a petition or sue the ones behind this crap.

  • AntiPirate

    Really unimpressive work, Google. Just how much effort was put into developing LVL, that such a trivial workaround can be implemented? Don't they have a security expert or two on staff to vet this? Granted, app verification is not an easy problem given the open nature of Android, but LVL seems like something a first-semester college freshman engineered.

    I imagine a stronger solution will evolve towards cryptographic signing of apps using a private key on Google's side to ensure bytecode hasn't been twiddled. However, as long as unsigned apps can be run, stripping down signed paid apps into unsigned pirated versions with LVL "defused" in this manner seems to remain a possibility.

    It looks like it is up to some third party to provide a solution where Google has failed. The upside is that whoever succeeds can probably score a nice piece of app sales.

    • James

      Seriously. What Google did here is basically like implementing a web site sign in with client side JavaScript that has the code:

      if(signedIn) { allowAccessToEverything(); }

      then trusting people not to change the signedIn variable. Google needs to make a serious effort here if they're serious about protecting app publishers.

    • Jonas

      You are partly right with "as long as unsigned apps can be run, stripping down signed paid apps into unsigned pirated versions with LVL “defused” in this manner seems to remain a possibility".

      Android doesn't run unsigned apps however. It's just that apps can be signed by anyone, not necessarily by Google (think iDevice, must be signed by Apple). That's the reason one can patch an app and resign it with a self signed key. Google/Market client could perhaps detect that an app is signed by a key different than the original one. If this is implemented, crackers will just change the package name used in the application manifest so Market doesn't recognize the cracked app as the same one being offered in the Market. In this case the cracked app will just look like any legit app not in Market (think Swype beta for example).

      The ONLY thing that can increase developer revenue is opening up Market in more countries so more people can pay. Trust me, many want to pay but are not allowed to because of Google's rules.

      DRM is never the solution.

      • AntiPirate

        You are right. Excuse my unfamiliarity with some of Android's details. Let me revise my earlier comment to say:

        "However, as long as anyone can sign an app for execution under Android, taking a properly unsigned app, knocking out LVL, and resigning the "defused" app seems to remain a possibility."

        On the other hand, I will respectfully disagree on DRM being a reasonable answer. If you want some kind of assurance that most running instances of your paid app have actually been paid for, I have little faith in people not pirating apps. It's nice that in-app advertising sorta works out for some folks, but you have to admit that Google is a bit self-interested in getting people towards an advertising-based, rather than paid app-based, ecosystem, and not all of us are interested in going there (at least for every app).

        Of course, it doesn't help that Google royally borked things up by not having paid apps available in more countries (especially in Asia - Galaxy S alone has sold 800K units in South Korea, but there's no paid app support?!?! - Just how do you think all of these users are going to handle the situation?), and that they lack transparency on how they plan to handle it in the future.

  • kdogg

    Not that I'm condoning piracy either but I noticed you mentioned that AndroidPlayground was taken down recently.

    It's back up, same old host name, new hosting company. It's just like torrent sites: shut one down, they move it to another host/country. Not much you can do about it really. If an app is good, I generally buy it though. Want my money? Publish good apps.

  • another one

    Hey Justin, out of curiosity. What do you do for a living? You live in the States?

    • Justin Case

      I live on the isle of oot and sell cotton candy from a street cart. Our whole economy is based on IRC and cotton candy.

      I do what pays the bills at that time, the answer would change depending what you asked. Today I was scrapping lead, the last few days I was writing an app on contract.

      • slut girl #643

        can i suck your massive epeen?

  • another one

    If you don't mind, what type of app?

  • ken

    egads...how about just using the public key to sign the APK and just verifying that the signature is valid before allowing it to run? :-P

    • Justin Case

      Easily circumvented as well.

    • James

      Something in that vein (verifying apps in the OS before launching) would be simple but effective. Of course someone will argue that root access throws that all out the window, but it's still a big improvement. Then we go from there. When I hear people bring up the rooting issue I always think it's like saying "combination locks don't work, what if someone has bolt cutters?"

  • another1

    Do know there is more than just this one loophole. There are several and I stopped looking after the first 5.

    I use this "Hack" for personal use. More of a testing playground.

    On another note: A game I just thought to crack for the heck of it, is well secure.

    LVL plus numerous DRMs. Too much to deal with, as you would have to re-write too much. I just bought it instead...lol.. Maybe devs should look into multiple security measures as it would make it not worth it to crack.

    Also Justin, NOT COOL to release this info. You know Google takes months if not close to a year to fix this issue, just like others. How long did we wait for the LVL??? You just messed it up. Everyone was keeping it quiet until you blew the whistle. Some things need to be left unsaid.

    "You messed it up for the Devs" Some are probably crying in a corner with a bottle of booze butt naked cause you just took their means of living out of their hands. (sarcasm)

    How about if you find the next hack keep it to yourself and just report it on the Bug tracker.... Idiot....

    Oh androidplayground/apppool is up so you know. Looks like they are hosted by PRQ. doubt they will EVER shut them down unless you have a Swedish court order. They are the same guys who host wikileaks.org and who hosted thepiratebay until the Pirate Party started hosting them out the govt front door lol... Good luck on that one.

    Everyone else who kept this leak to themselves. Party on!

    -AnotherOne

  • cynent

    There's really no good way to protect anything invincibly, you always will have to say "that's good enough" at some point. I've cracked this sort of protection before, it takes little more than a few minutes to find this in an obfuscated application and patch it out. On the other hand, there's little point in going beyond this for copy protection: there's not much Google or anyone else can do, copy protection will always fail when you control the machine the software is running on. If you want your app to be uncrackable, make it server side.

  • http://www.excloo.com/ Max

    Is it actually possible to use apps protected with Google's System offline?
    That's always been a reason that I don't support DRM...

  • Moontech

    Hi, I am using licensing in my application, but I am reading these comments and know it's not 100% secure for an application.

    So please, can anyone suggest what type of change to make to my licensing policy so my application becomes secure? I am not using copy protection in my application. Thanks in advance.

  • Developer

    Fuck you guys for figuring out how to keep stealing apps.
    As a frustrated Android developer seeing so little money coming from my apps for such a lot of work I put into them, I cannot fuck you enough for your efforts, and drop that 'anti-piracy' shit please, be honest.
    The only thing that piracy on Android is gonna bring is: more crappy free apps (with a shitload of ads), less decent apps, and almost zero good quality, well developed, and cool (killer) apps.
    Fuck you people that don't want to pay for apps, cheap bastards!

    • Justin Case

      If you really are a developer, you would be able to see that this article is pretty simple and any moron (i.e. me) with a little programming background could have figured it out.

      You also apparently don't know jack about me, or my "crusade" against piracy, or the fact that I have been developing several tools just to stop this sort of thing.

      Just last night I started publicly seeking beta testers for a tool that stops (retards is probably a better word) disassembly of an APK, and conversion of dex to classes.

      In other words, you sir are a Jackass.

      • mwildstallyn

        Justin, where is the tool that can stop disassembling the APK?

        • jcase

          on /home/justin/android/projects/ AKA it's not publicly available yet.

        • mwildstallyn

          How about this -

          get the license from the market place and pass it to the app server which can then validate the license?

  • ag269

    Why must you publish the entire instructions, you A**!

  • http://www.moorhenapps.com Ray Britton

    Am I missing something here or couldn't you just rename, reorder, and revalue the constants and change the switch to a series of functions and ifs? So that once decompiled, it looks completely different?

  • http://nil Sage

    I just tried this (to see if it works). It didn't work on the package I tried: extracted, decompiled, edited the validator as above, re-compiled, signed, zipped.

    Wouldn't install. Just said application failed to install.

    Tried an all-in-one batch file to do the same, this time installing by ADB. It installed, though the app just crashes as soon as it's launched.

    Might have just been the app I tried. Must have had further checks.

  • Alex

    Hey, just stumbled across your post because I was googling about android drm out of curiosity. I'm diametrically opposed to DRM, because it's a blunt statement of disrespect from the developer to the user. I stick to open source software when possible, and will buy non-DRM'd closed source software if I can't find a better solution.
    It's cool that you work on breaking DRM as well as making it, though. I can respect that.
    Still, I hope you see the light soon... DRM is not the solution, and you'll never make a scheme that actually works. The line "I have spent more time researching copy protection for my applications than development of the applications themselves" makes me think that, if all you want to do is maximize your profits, you would be better served simply writing more apps :P

  • Drungo

    The final compiled apk "Failed to install with an error code of Failure [INSTALL_FAILED_DEXOPT]"

    What can have gone wrong?

  • samit

    How the hell do you use this? I installed the patch on my mobile but it says DO NOT ALLOW USER ACCESS! You said it will work no matter what :S

    I HAVE NOT GOT A GOOGLE ACCOUNT SET UP ON THE PHONE. IS THAT WHY IT DOESN'T WORK, OR IS THERE ANOTHER ISSUE?

  • samit

    I HAVE GOT IT WORKING NOW, BUT WHAT IS IT EXACTLY I CAN DO? CAN I DOWNLOAD ANYTHING OFF ANDROID MARKET? IF I DO, WILL IT CHARGE ME?

  • A Big Android Dev

    Seriously, like what the hell, you should be banned from the internet. I am a big Android dev, and I will now never make software for Android again. I will not release our next game on the platform; instead it will only be for iPhone, and I will be publicly announcing that it is all your fault to all of our fans on Android. This Case closed!

  • samit

    Banned from the net, OK then! LOL, calm down man, what the hell, I was confused about all this and what it was about. Announce what you want, I don't care, you're talking as if people know me. LOLz

  • A Big Android Dev

    Like I said this case is closed.

  • Andrew

    Woo, someone has pissed off an Android dev, lol. Found this funny, but I do kinda see his point though =/

  • Justin Case

    If a developer is going to leave Android due to my work, then they should leave; they are neither wanted nor needed.

    A decent developer, if seriously worried about piracy, would not leave it on Google's back to protect his/her IP interests.

    Every platform has its own piracy issue, or will soon.

    To anyone looking to use this for piracy, why don't you go to iPhone as well? You are not wanted either. Pay for your apps, support developers' families.

  • Peter

    Any good ideas on defending an app? I was thinking about making the app not work after 2 weeks, via a built-in timer, and telling the user they need to update to the latest version of the software.

  • Mike

    Hey Justin, you need to get Google to listen to you; you should try ringing them or something. Piracy is a really bad thing, and if we don't stop it on the Android platform, then we will just end up like the PC gaming industry, dead and unsupported.

  • Justin Case

    Google responded, with great advice. The problem is not Google's, it's the developers'. Piracy cannot be stopped, no matter the application, no matter the platform; it is impossible.
    A good developer can delay the piracy, or make it not worth the pirates' efforts, but even a great developer cannot stop it.
    To developers:
    I have a working anti-patching scheme, and a working anti-decompiling scheme; both seem to work great. One detects alterations to the dex file, and one prevents (for now) disassembly/decompilation of your app.
    If you are a serious developer, with a potentially popular/profitable app, give me a shout.

    • dev

      Hi Justin, I need to check out your anti patching and anti decompiling schemes. I am about to release an app, but already got hacked twice during beta. Please respond soon.

  • Dan

    Hi Justin, do you happen to know how to stop the issue with Payment Declined Buyer Contacted? It happens a lot with our USA customers and we are losing over 40% of profit. Tried contacting Google and they just ignore us completely. Please help us if you can; our company is dying because of this issue. We are in the UK btw, which might be the cause of the problem.

    maybe you will be the great hero that saves our small company from going under =].

  • Justin Case

    If payment is declined, they shouldn't be getting the app.

    I am not sure what to tell you. I don't get anywhere near 40%, maybe 1%

  • David

    We have the same issues as well, along with thousands of other devs. This issue is actually one of the reasons why people torrent apps in the first place. Justin, if you can solve this you would be a legend among many devs that are losing loads of money to Google's silly checkout system. Our company loses about 1200+ dollars a month to this issue.

  • Dan

    I think the issue is to do with the fact our app is from the UK, hence being in GBP. When a USA customer buys our app it would be in GBP to the bank; this causes the bank to flag it as fraud =[. Google seems to have no say on this and the issue has been around since 09. It mainly affects devs from outside the USA. Maybe you could pass this on to Google? They are more likely to listen to you.

  • Justin Case

    It sounds like people need to update their credit card info to me. I have three Android devices with three different Google Checkouts. Maybe purchased 100 apps between the three, never one denied.

    Can both of you email me at justin androidpolice.com? Let's see if we can get a hold of some market people.

  • Justin Case

    Interesting, would be nice to know which banks were doing this.

  • Justin Case

    Guys shoot me email so I can contact you when I have time.

  • GST

    I am not able to do it on an emulator. Is it not possible to do it on an emulator? I am getting the message DO NOT ALLOW USER ACCESS even for the patched apk.
    Can you help me?

  • http://www.inconnu.us Jonathan

    My main problem with market verification is it requires a connection to the market to use the application. When you no longer have access to the market, like when on a plane, your application becomes useless.

    I have over $180 worth of paid apps for Android, and do not pirate. IMO with all the private info on your cell phone, it's stupid to even consider pirating, especially when Android apps are no more than $20, with most under $5.

    With that said, this is once again a situation where legitimate paid customers get screwed in the name of copy protection. What good are my applications if I can only use them when I have a cell or wi-fi connection? Especially Android applications used on a tablet w/o a cell connection? Most of the games I play on my phone are when I am flying because I just don't have the time otherwise. Most of the games I have bought from the Android market now require market verification every damn time the application launches. These do not work when the phone is in airplane mode and thus are useless while I am flying. Nice.

    I hope the pirates win because it's you developers' own fault. You drive people like me, the paid user who supports your work, away. Why pay for an app that I can't use due to some stupid licensing restriction when I can get it free and then use it anytime I want? Hell, I would pay a pirate for the app which allows me to use it anytime I want before I pay a developer again for a restricted app that requires an internet connection before it loads.

    I am being polite here, because what I really want to say to most of you developers would shock and offend people. Let's just leave it at: if you want any more of my money, find a better way to protect your apps. This license verification nonsense will only work if you set it to verify once after every new install, say after the refund period expires. If it's set to market verify 24 hours after every time the application is installed on a device, you will accomplish the same thing as checking every time the application loads without the user hassle.

  • Justin Case

    Jonathan,

    Your post shows great ignorance of how LVL works, or, well, should work. A constant connection is not needed at all. Licenses should be stored at first check-in; the application will call the LVL and the LVL will reply "all good bro run".

  • kent

    What is the brilliant market strategy of preventing some Android devices, even in the US, from accessing the marketplace? It can't be to stop piracy, can it? It certainly isn't going to stop a thief from getting the apps. I think if I were a developer, it would not make me happy. I hate it when somebody gets between me and my customer.

  • diana

    I don't understand how to do this. Am I supposed to download the patched.apk to the phone / the computer? What the hell!
    Sorry for being too slow..

  • Mike

    This is really disappointing and sad. I have ported (or rather recreated) a simple app from the WP7 platform and was thinking how to monetize it. First, I was thinking ads. Tried it and hit some funny issues with viewflipper and adsControl. Although it could be overcome by restructuring the UI a bit, I was thinking OK, let's try a simple paid app with a trial mode. Damn, not worth it. I'm not ready to invest my time into a custom licensing scheme, hacking protection and all that crap. I was thinking Android market is a sweet place to be in. Now this thought completely evaporated. I don't know... will be staying with WP7 exclusively. And all these things are on top of non-existent Google support, tools that suck big time compared to MS, lack of samples or proper documentation and a ton of other issues that just kill my productivity.

    • Microsoft Sucks.

      HAHAHAHAHA. Wait... You're serious!? Google vs MS is a non issue. Marketplace isn't perfect, but comparing Google's product line to Microsoft is rather like comparing a physicist to a cave man.

  • Mike

    Many people complain that you made this info public so easily. I would not. I sure want to know of any way that my app can be hacked so I can do something about it soon. In fact the job you've done should have been done by Google. They should be working their asses off to hack their own licensing approach. They also should have a ton of samples and instructions on how we developers need to protect our apps. Any loophole should be made public by Google itself ASAP along with appropriate patches/instructions, etc. If it can be fixed without updating apps, great; if not, hell, tell me what I need to do and I'll do it. It's just a lot of work for every developer to cope with. It may and probably will be more work than the functional part of many applications. Many developers are not ready to invest in this part and so it's easier to just not make the app. It could be, on the other hand, a good thing, since now it makes sense to invest time and effort into more professional, more expensive apps, with a lot of protection against piracy (constantly updating). The losses because of piracy have no way to go but into the price of the app itself, and when it does not help any more, developers will simply turn their asses to the platform and it will die.

  • hawkmoon

    In order to work around this, I have developed a method that simply calls the license verification with dummy parameters designed to fail, and sets a boolean variable to verify that a failure was received once before the real verification can move forward. This way, you prove that a failure message is not overridden.

  • Mike

    Nice article. I'm a professional developer. But I disagree that it is the best we have; that implies it's useful. I won't publish any more paid apps on Android; it's a broken model.

  • G

    Justin, love your work. Bringing all the cards out on the table is the only way for honest progress towards improvement (in any field).

    Unfortunately the problem of piracy will never go away because it's ultimately a result of the flaws inherent in the underlying socio-economic system. For developers whose primary goal is to make money (regardless of what they plan to do with that money) there will be poor quality apps, pirated software and a lot of angst between sellers and their customers.

    The only way to resolve the piracy issue is to make it a non-issue. When developers make apps for the purpose of improving quality of life, the money will come because people who want to pay will, and the bit of piracy that occurs from those that don't want to pay will serve to spread the popularity of the apps and improve lives, and the only people that will have issue with this will be those interested primarily in the making of money (which is probably the majority, because unfortunately that's the world we live in).

    The only way to completely fix piracy is to fix the underlying issues inherent in the monetary system upon which ALL of this is built.

    In the meantime I say keep doing what you are doing because only with that kind of honest and full disclosure can we ever hope to achieve a better quality of life on a global scale. I wish more people had a similar attitude.

    • John

      The most popular apps tend to be the ones that get the most pirated. What you really seem to be saying is "Developers don't deserve to eat, so their families should go out and beg for food and they should write apps for the "joy" of having no income to survive."

      If you don't like an app, don't use it. Find a better one and pay for it. By pirating the app and not paying for a better app, you're encouraging developers to stay out of the market, and perpetuating the very situation you complain about.

  • Symbian

    WE WANT FAIRLY PRICED, GOOD AND CLEAN APPS.
    SAY NO TO:
    - APPS/O.S STEALING YOUR PRIVACY
    - DIRTY APPS/O.S WITH ADS
    - PIRACY (if both are respected as required. Otherwise pirate - LoL)
    I hope this can be real; and only then I hope this (anti-patching scheme & anti-decompiling scheme) works out for the future.
    By the way Justin, great idea. Keep up the good work.
    Developers, in the name of thousands of customers/users PLEASE don't steal/provide customers' info and do not load people with ads. That's just sick and evil. Stop being greedy and try to do something people are proud of.
    If an app is useful/good, people will buy it. If you sell it for 1€ and 1 million people bought it... Then you already know how much money you will have...
    P.S - This is fair.

  • Jez

    The Market verification is still a permission that the application requests, as such you can (on rooted devices) use terminal services applications to revoke the rights for an app to use this and gain access without having to decompile the application.

  • imox6

    Great article... Google don't forget, do good, don't be Evil.
    Help us to protect our ideas and work so the market and at the end the customer will benefit from.

  • Tom

    Good. License server validation is ALWAYS a shitty way to combat piracy. It puts paying users at a disadvantage making piracy a more attractive solution.

  • herman

    Please, take a look at the following challenge: http://hackplayers.blogspot.com/2011/12/reto-14-android-crackme2.html

    Could you patch the apk in the same way??

  • Curly

    Great article.

    To all those who have complained about you posting this, let's face facts:

    "Security through obscurity" is not a solution. It's a pitiful excuse for a poorly designed security system.

    http://en.wikipedia.org/wiki/Security_through_obscurity

  • http://This1That1Whatever.com/ David Wong

    Thanks for your very informative article. Is it worth the effort to incorporate LVL ("the best option for copy protection") given that there is at least one easy way to defeat it? In a similar thought-process, should I enable the deprecated "copy protection" option for my paid app? There is no code development effort with that option, so enabling it can easily be done. Are there side-effects or disadvantages with enabling the option?

  • Stealthy Monk

    Sounds like the author is not against piracy, but rather against Java coders not getting paid. Hmm, 7bn people on this planet, no coder making games should get paid, that is what stifles future development. I get the distinct feeling that most views on the topic of 'piracy' are hapless recitals of the corporate puppets who speak in order to disable the thought processes of the sleeping majority. In my view, albeit not that of the sleeping majority, individuals who expect to get paid by thousands of users to continue their endeavours are coding for all the wrong reasons, and deserve security circumvention. Still expect to get paid? Move over, there's another 7bn waiting.

    Stealthy Monk
    Circumventing software security since 1978

  • Afrojack

    What program did you use on the computer?

    • Afrojack

      HELP ME PLEASE?

  • kennywyland

    My biggest problem with the LVL isn't about how easily it can be circumvented, but with how often it fails for TRUE LICENSED users. The responses I get back in my customized ServerManagedPolicy are more Server Error responses than anything else. I've really tried to find a good balance between protecting my app without rejecting my legit users, but it's a lost cause. My single biggest customer support complaint is about licensing.

    • Justin Case

      To be honest, I've ceased using LVL for other reasons, but I did not run into many errors like this when I did use it.

  • http://www.facebook.com/people/Per-Inge-Oestmoen/1340019397 Per Inge Oestmoen

    Recently I have decided to consistently delete apps which check the license after I have purchased that license. I consider such license control a violation of my equipment and thereby of my property.

    Needless to say I do not own the program, nor do I claim to do so. However, when a license is purchased then I politely ask the program to behave - that is refrain from any dependence on checks and controls in order to be used. I shall also encourage other people to take a similar stand.

  • Blake Good

    FUCK U GOOGLE!

  • Herbert

    When I read stuff like "confirm that an app was installed through official means", or "protect against out of market installs and unauthorized modifications of apps", I must agree with a previous poster who said that you are coding for all the wrong reasons. The kind of DRM you are proposing will ultimately lead to devices that are solely controlled by their manufacturers and not by their rightful owners who paid their hard earned money for them. What if there is a bug that the manufacturer refuses to fix, as is in fact the case with my TV? The firmware is encrypted, because some assholes are shitting themselves at the thought that someone might steal their crappy movie from an "unprotected" TV. The manufacturer doesn't give a crap about last year's model and I have to live with a botched up, bug ridden firmware on my TV. If that's the world you want to live in, go ahead and continue your fight against free (as in free speech, not free beer!) software.

    But anyway, thanks for teaching me how to pirate Android Apps! The only other information I found on this subject was obviously written by a 14 year old who doesn't speak English.

  • Mathieu V

    Dude, going out on vacation and having paid apps NOT WORK BECAUSE OF THAT STUPID PERIODIC CHECK makes me want to throw the phone out the window and get that stupid iPhone that won't have to do that.

    I like the liberty of Android. I pay for apps. I have lots of them, all paid. When my music player won't work on the plane because of that licence check, I pass a very long time on the plane with no music player.

    Screw piracy. And screw that check. It shouldn't even exist.

    • Justin Case

      The check is fine, as long as it is implemented properly. It should NOT be checked each time the app is run. The problem you are describing is a programmer not knowing how to implement it correctly. It should handle the case that the device isn't online, and use cached credentials instead.

      • kennywyland

        The sample code provided by Google suggests that we're supposed to check it every time because the caching is supposed to happen inside the Google Play app (which is what does the license checking). Google's code is supposed to handle the caching and return a good code to us.

        • Justin Case

          Correct, but I have seen (not recently) developers still screwing it up. Particularly some using a remote server as part of the verification.

          • kennywyland

            But THAT is what is constantly failing. Google Play's validation and caching CONSTANTLY fails for legitimate users. It is the single biggest complaint I've received about my app for the last 3 years. I eventually had to implement my own method for checking because I couldn't depend on Google's to work at all.

          • Justin Case

            It did work when I used it, but I've moved most of my work off the Google market; many of my apps violate Google's terms, and being a niche app, I can go with other payment choices and avoid the huge 30% cut Google gets.

          • Justin Case

            Kenny, is 10bii Fin Calc the app you are referring to?
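The exchange above between Justin Case and kennywyland turns on where caching of the license verdict happens and what the app should do when the device is offline. The following is an added example, not code from the original article, from Google's LVL or from any commenter: a custom LVL `Policy` that remembers the last LICENSED verdict and keeps honouring it for an assumed grace window when the Market client reports RETRY (no network or server trouble), while an explicit NOT_LICENSED clears the cache. The class name, the preferences file name, the preference keys and the seven-day grace window are this example's own assumptions; the `Policy`, `ResponseData`, `Obfuscator` and `PreferenceObfuscator` types and the `LICENSED`/`NOT_LICENSED`/`RETRY` constants are the ones the LVL ships under `com.android.vending.licensing`.

```java
package com.example.licensing; // hypothetical package, not part of the LVL

import android.content.Context;
import android.content.SharedPreferences;

import com.android.vending.licensing.Obfuscator;
import com.android.vending.licensing.Policy;
import com.android.vending.licensing.PreferenceObfuscator;
import com.android.vending.licensing.ResponseData;

/**
 * Added example: an LVL Policy that caches the last LICENSED verdict and lets
 * the app keep running offline during a grace window. A RETRY (network or
 * server error) never revokes a previously confirmed license; only an explicit
 * NOT_LICENSED does. The grace window is an assumption of this example, not an
 * LVL default. Pass an instance to LicenseChecker in place of ServerManagedPolicy.
 */
public class CachedGracePolicy implements Policy {
    private static final String PREFS_FILE = "com.example.licensing.CachedGracePolicy";
    private static final String KEY_LAST_RESPONSE = "lastResponse";
    private static final String KEY_LICENSED_UNTIL = "licensedUntil";
    // Assumed grace window: a cached LICENSED verdict stays valid for 7 days.
    private static final long GRACE_MS = 7L * 24 * 60 * 60 * 1000;

    private final PreferenceObfuscator mPrefs;
    private int mLastResponse;
    private long mLicensedUntil;

    public CachedGracePolicy(Context context, Obfuscator obfuscator) {
        SharedPreferences sp =
                context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE);
        // Obfuscated storage (e.g. AESObfuscator keyed on app id + device id), so the
        // cached verdict is bound to this install rather than being a plain-text flag.
        mPrefs = new PreferenceObfuscator(sp, obfuscator);
        mLastResponse = Integer.parseInt(
                mPrefs.getString(KEY_LAST_RESPONSE, Integer.toString(RETRY)));
        mLicensedUntil = Long.parseLong(mPrefs.getString(KEY_LICENSED_UNTIL, "0"));
    }

    @Override
    public void processServerResponse(int response, ResponseData rawData) {
        long now = System.currentTimeMillis();
        switch (response) {
            case LICENSED:
                // Fresh confirmation from the Market client: extend the grace window.
                mLicensedUntil = now + GRACE_MS;
                break;
            case NOT_LICENSED:
                // Explicit denial: drop any cached entitlement.
                mLicensedUntil = 0;
                break;
            case RETRY:
                // Offline or server error: keep whatever was cached, do not touch the window.
                break;
            default:
                return; // unknown code: ignore rather than change state
        }
        mLastResponse = response;
        mPrefs.putString(KEY_LAST_RESPONSE, Integer.toString(response));
        mPrefs.putString(KEY_LICENSED_UNTIL, Long.toString(mLicensedUntil));
        mPrefs.commit();
    }

    @Override
    public boolean allowAccess() {
        long now = System.currentTimeMillis();
        // LICENSED: run while the window lasts. RETRY: run only if a window from an
        // earlier LICENSED verdict is still open. NOT_LICENSED or never checked: deny.
        if (mLastResponse == LICENSED || mLastResponse == RETRY) {
            return mLicensedUntil > 0 && now <= mLicensedUntil;
        }
        return false;
    }
}
```

Two design points worth noting. First, the grace window trusts the device clock; LVL's own ServerManagedPolicy instead takes validity and retry timestamps from the server's signed `extra` field, which is the more robust choice where a server response is available. Second, a Policy lives in the app's own dex and is exactly the kind of code the article shows being patched, so caching addresses the offline complaint raised by Jonathan and Mathieu V, not the patching problem the article is about.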
