Today I awoke to see a response from Tim Bray on the Android Developer's Blog regarding my previous article on circumventing the Android License Verification Library, and I almost completely agree with him. The License Verification Library is a very good start - above and beyond what, if anything, Google owes developers. Copy protection is and should be the responsibility of the developer. Google has given us a great tool, provided thorough documentation, and even open sourced the project.

However, what I don't agree with in Mr. Bray's post was his calling my article a "how-to-pirate piece," as this was not my intent at all. I wished to draw attention to the issue, so fellow developers would know that more needs to be done on top of their using the License Verification Library. The average pirate likely does not know enough to hand patch an app, and the ones that do probably figured this out before I did.

Tim Bray stated in his post,

Some developers are using this sample as-is, which makes their applications easier to attack.

The failure clearly was not Google's Licensing Service, rather, it was how developers implemented Google's License Verification Library that interacts with the service. Instead of taking Google's examples and creating a custom library and implementation of it, many developers chose to drag and drop example code into applications. Using the identical, freely available, sample code across multiple applications, developers left a clear picture of what the code was doing, and allowed the same patch methods to be used across multiple applications.

Also from Bray's post,

The attacks we’ve seen so far are also all on applications that have neglected to obfuscate their code, a practice that we strongly recommend. We’ll be publishing detailed instructions for developers on how to do this.

I looked at two popular applications, Tasker and Galcon (The only game I have played in many years! Buy a copy!), both using the License Verification Library, and both seem to have been protected with ProGuard to optimize and obfuscate their code. Sadly, like every other LVL protected app I have seen, the protection can be patched out. Automatic obfuscation does not do much to hinder a would-be cracker. Tasker seems to have the best implementation of LVL I have found so far, and the developer was kind enough to share these tips:

- don't mention validation anywhere until it's necessary
- don't allow validation till after the refund period
- allow use of all features even when unvalidated
- start trying to validate automatically in the background after the refund period
- don't start nagging till a few days have passed without a successful background check
- don't block the program until a few days more have passed
- a single positive validation answer is enough, it's never checked again (unless completely uninstalled)

Another Android Developer at Google, RomainGuy, seemingly responded to my piece yesterday with an article over at GamaSutra on copy and crack protection. If you are interested in copy protection and crack prevention please give it read - not only is it very entertaining, but it's very informative as well. The article suggests that multiple layers of protection must be used, and that it is impossible to prevent cracking - it is only possible to make it not worth the pirates time.

All in all, the developers at Google have done a fantastic job with the Android Licensing Service. I am successfully using it in a commercial application and plan to continue using an implementation of it.

I will leave you developers with a simple trick I found to help add another layer of protection to your applications. Google has made it possible for developers to check how an application was installed, using PackageManager. The following code is a quick, incomplete example. It could be written better, and it is not fool proof. Pirates may just patch it out, or change packages.xml, but every little bit makes it harder. This example will only work on devices supporting API 5 and up, and may prevent users from using app backup software.

PackageManager pm = this.getPackageManager();
if (pm.getInstallerPackageName(pname) == null) {    
//Not installed from Android Market
} else if (pm.getInstallerPackageName(pname).equals("com.google.android.feedback")) {    
//Appears to be installed from the Android Market

Join the discussion over at Droid Forums!

Justin Case
Justin Case is a 30yr old father of four. He has an ever changing array of Android devices, and an eye for mobile security.
  • http://www.gradweil.de alvinx

    What is wrong with backup software if I purchased an app ???

    • Justin Case

      Nothing except it is always better to grab the latest from the developer.

    • http://www.twitter.com/colinodell Colin O’Dell

      Backup software re-installs apps the same way a pirate would load an app. Justin's code shouldn't be used as standalone piracy prevention. I could see it working great alongside LVL though if obfuscated well.

      Also, I think that code is a perfect example of anti-piracy tools prior to LVL's release - unreliable and easily cracked. I agree with both bloggers that LVL is a step in the right direction and I'm excited to see where Google takes this in the future.

      • Justin Case

        I think the little trivial things, on top of LVL, could help make an app to annoying to crack. Who is going to spend 12hours cracking a 99cent app?

        • http://www.gradweil.de alvinx

          People will crack it, just for the fame in the scene.

    • http://www.gradweil.de alvinx

      backup software often saved my day, especially when I run out of diskspace which is often the case on android phones with a bunch of apps installed.
      I like to backup&uninstall apps to gain temporary diskspace, f.e. to test another big app, and like to reinstall my purchased app if I need it, without redownloading from the market, which also costs traffic.

      • Justin Case

        Sometimes, you have to do something negative to achieve something positive.

        Backups could be a cost of copy protection.

        • http://androidbook.blogspot.com Shane

          Agreed, but it need not be a cost to the average user.

          Developers can now just implement cloud-based Backup and Restore for data (well, for 2.2 and up, but it could be done manually, too).

          If done properly, it should eliminate the need for external backup. Say, you lose your phone: you just go to the market on a new phone, download the app again (you are not charged if you've already purchased it), and the data will be restored.

          Done! :)

  • another one

    I will...lol..for kicks

    • Kane

      You will spend 12 hours cause you suck at programming. And pressing the properly threaded Reply buttons.

  • http://www.ahdchild.com a_str8

    No matter how good your intentions are, instructions on how to crack an app are instructions on how to crack an app. I'm not a developer, so I can't really judge how necessary the detailed directions were, hut you shouldn't be Max at Tim Breay for calling it what it is

    • Justin Case

      How am I mad at Tim Bray? I agreed with 99% of his post, and I am diffidently not mad at him in anyway. I think you mis read my article.

      • http://www.ahdchild.com a_str8

        I responded below. Sorry, on the mobile version of the page, the comments didn't show up as threaded. Blame the typos on my phone too. :)

    • http://twitter.com/tokyomonster Chris Dehghanpoor

      But look at what happened in response -- Google has committed to helping developers implement the LVL in a way that is harder to crack, and developers everywhere know not to simply slap in the sample code provided by Google.

      • Justin Case

        I really can't wait to see what comes next, the foundation is here. All we need is the walls.

  • http://www.bongizmo.com/blog/ Sergey Povzner

    While your original article is not just a "how-to-pirate piece", you obviously included quite detailed "how-to-pirate" section.

    Advising developers on how to better protect their apps is beneficial to Android community. Publicly publishing details of a hack to break a licensing server - not so much. Did you try to contact Google directly before publishing your article?

    • Justin Case

      Anyone able to hand patch an app, could look at it and see the problem. I was just stating the obvious. Do you really think Google didn't know? The people they have working there are smarting than any of us, and get paid to do this all day.

      • Idiot Savant

        It's rather tragic that you're bringing a fourth replicant of your tardism into this world. Will you continue to refuse to see what an epic idiot you were?

        • Justin Case

          Your post shows a lack of intelligence on your part, and coward-ism since you failed to identify yourself, and to insult my unborn child.

  • Tangential

    I realized that, having other platforms that do have a great deal of pirated software out there...which I admit I have used in the past, yes to try out but sometimes because of affordability. However, on Android, I have to admit I have never sought it. I am not sure if it is the more dev orientated marketplace or actually, a great deal of the time, the fact that if I pay for an app and it is not at all what I want I can receive a refund...
    Personally, I don't feel a strong need to seek out the pirate software because first, there are few apps that are overpriced, second, the devs seem to be the base rather than a, for lack of a better term, "commercial" approach, and finally I know if I download an app/game and don't like it, don't feel it is worth it I simply uninstall it.
    Know this is off topic from the technical side of things but thought I would add a user side input...
    Maybe others have other thoughts (besides the fact that in my youth I did opt for the less legal approach)...is it android or me?

  • Smith

    Way to blow the whole piracy issue well out of proportion.

    Piracy has existed since the days when it was a matter of copying files to a floppy disk, using a CD-Rewriter to copy games and even prior to that.

    It's something that will continue to exist, and no matter what prevention methods Google take, they will be bypassed one way or another.

    By I think the LVL is a great idea, but going beyond that and trying to block off any alternative install methods and so on is a purely ridiculous idea and I can see myself quickly leaving the Android scene (as a developer, user, writer and general fanboy).

    There's people in countries without access to the Market. What would they do if they had to be forced to buy apps from the Market?

    As a developer I enjoy working on my apps, rather than spending just as much time to make it safe against pirates. All my apps are priced fairly, and I know that I'm receiving maximum potential sales. Just because people can't download a pirated version of my app, doesn't mean they'll go any buy it instead.

    I love Titanium Backup. It has to be one of my most favoured Android apps, yet your propositions make something that's almost essential to any Android dev completely useless. It's great to know I can root, tweak, install alternate ROMs all without the worry of losing my apps and their settings. It's a convenient way to batch backup and restore my apps.

    I also buy a new Android phone every 3 months, and it's good to use Titanium to transfer all my apps and settings to the new phone. With your idea, I'd lose all my apps each time I got a new phone.

    A lot of the time an app update is released which causes FC's, or is generally very buggy. At times like that it's handy to have backups that I can revert to until a more stable version of that update is released. This too would become an ability I'd lose if all devs did what you're suggesting.

    I love Android for it's open distribution methods. The fact that users aren't tied to using the Market to get their apps. A developer can sell their app on a website, the Market or both. We've seen Gameloft selling their games on their site only. I'd like the opportunity to maintain the ability to do so. The last thing I want is the Android Market to become another iTunes.

    As I said from the start, LVL is a great idea. However, the suggestion that developers should force their apps to be installed from the Market is a step in the wrong direction and a sign of worse things to come for Android.

    I know what you're saying is only a suggestion, but it would be better if you made such suggestions after considering the possible implications of implementation of that idea.

    • limgad

      The snippet that prevents manual installation is supposed to kick in if another pirate-prevention mechanism sees a red flag. For example:
      The user has not bought it from the market.
      If the app is self-installed block it (or make it lag, whatever).
      If you have actually bought an app, and backed it up, you still have the licence. Therefore, this mechanism should not matter.
      (at least that's how I see it)

  • http://www.ahdchild.com a_str8

    Justin - please excuse my exaggeration. I didn't mean to say you are literally mad. I meant I don't think you should fault Tim Bray for calling it a how-to-pirate piece because you did actually give detailed instructions on how to pirate.

    • PacoBell

      "Anyone able to hand patch an app, could look at it and see the problem. I was just stating the obvious."

      What part of "stating the obvious" don't you get? Like Justin said, anyone reasonably skilled in the field already knows this. At this point, full disclosure helps us more than it hurts us.

      • http://www.ahdchild.com a_str8

        Paco, the only point I made was that there were detailed instructions on how to pirate an android app. I didn't say full disclosure hurt us, I didn't say it wasn't stating the obvious. You're looking for a argument where there is none.

  • another one

    Crack impossible level game if its so easy. It has numerous dem and lvl. Much more than I want to go through. Your mom hit the reply button for me

  • Gino

    You should take down these posts. Here's an analogy: Suppose you published instructions on how to physically break into a bank and steal money without getting caught. Of course you wouldn't do such a thing and you are simply describing it in order to expose the security flaws in the bank.
    Now, you've exposed the bank to additional risk because of your actions. Many people who would not have tried because it seemed too difficult may now try because it seems so easy.
    Similarly, if you make it too easy to break a license, more people will try to break it.
    It's probably impossible to create a totally secure license checker -- all one can do is make it costly enough in terms of energy and time expended as well as legal implications, so that most people don't.

    Now, because you have chosen a certain point of view and have committed to it, it's pretty much impossible for you to be objective about what you have posted.
    You need to get objective advice from people whose judgements you respect.