Android Apps Need Universal Encryption - InformationWeek
05:13 PM
Connect Directly

Android Apps Need Universal Encryption

Google's encryption for paid apps isn't enough to protect developers and users, argues author Godfrey Nolan.

Google I/O: 10 Awesome Visions
Google I/O: 10 Awesome Visions
(click image for larger view and for slideshow)
At its developer conference last month, Google announced that apps created with Android 4.1 or greater and distributed for a fee through Google Play will be armored against piracy.

"From Jelly Bean and forward, paid apps in Google Play are encrypted with a device-specific key before they are delivered and stored on the device," the company said. "We know you work hard building your apps. We work hard to protect your investment."

Godfrey Nolan, author of the newly released book Decompiling Android (Apress, 2012), argues that Google should work harder and extend encryption to both paid and free Android apps distributed through Google Play.

Unauthorized app copying is a problem for both iOS and Android developers, but it's particularly acute in the Android ecosystem due to the relative openness of Android devices and a customer base that appears to be more prone than iOS customers to see nothing wrong with unlawful copying.

[ Security risks or not, Android is charging ahead in the smartphone race. Read Android Strengthens Lead Over U.S. Smartphone Rivals. ]

A September 2011 report from the Yankee Group found that out of 75 Android developers surveyed, 27% see piracy as a huge problem and another 26% see it as somewhat of a problem. Carl Howe, Yankee Group director of research and author of the report, characterized the Android app environment as the "Wild West."

Nolan's argument is based on the fact that it's extremely easy to decompile Android apps to obtain a close approximation of the original source code. That doesn't make it any easier to copy Android apps--that's already fairly simple--but it does pose a security risk as more and more apps rely on backend services.

"If [your application] contains any clues to gaining access to backend systems, such as API keys or database logins, or if your application has any customer information that needs to be secure, then you owe it to your customers to take basic steps to protect your code," he wrote in his book.

For iOS developers, decompilation isn't an issue. "iOS apps are prone to disassembly, not decompilation, which means you get the hexadecimal binary back but not the source code," explained Nolan in an email. "So with iOS you might be able to see some strings but not anywhere near the entire source code."

There are already steps Android developers can take to protect their code, such as code obfuscation, but encryption for all Android apps available through Google Play would add an extra layer of protection.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/16/2012 | 4:12:49 PM
re: Android Apps Need Universal Encryption
Piracy of Android apps isn't a real problem but one of perception. Piracy is probably on the order of 1% or less, so any countermeasures implemented will hardly increase sales and most likely will cause huge headaches for developers as uses experience crashes. LVL was introduced with great fanfare and all it did was cause headaches for those developers crazy enough to add it to their app.

The in-app purchase system Google introduced last year is a secure system that is difficult to spoof. Developers who are using this system, especially the unmanaged items are experiencing virtually zero piracy. Our app, which is in the top 300 in popularity and grossing has had zero issues with piracy.

Adding another layer of complication to an already fragmented and difficult to control ecosystem will add nothing but confusion and cost to Android.
User Rank: Apprentice
7/16/2012 | 3:22:52 PM
re: Android Apps Need Universal Encryption
What I'd like to see is some kind of survey or research done to see how much of a problem Android really has with piracy as opposed to asking developers how bad they *think* piracy is on Android. I'm sure that there will be some people who will use pirated apps even if they are just 99c or 10c for that matter. Those folks are not going to be buying apps anyway. But how many people who would otherwise have bought apps, but didn't because they use pirated apps? If they are not concerned with Karma, then the lack of encryption and the ease with which malware/viruses could be added to decompiled pirated apps should give them pause. The market will take care of this. I always find that adding activation and crap like that consumes more resources without really fixing the problem. Encryption is not a solution for poorly coded apps that expose customer information.

Edit: Here's a good article on making it difficult for automated injection of malware -
Devon Jones
Devon Jones,
User Rank: Apprentice
7/16/2012 | 2:51:05 PM
re: Android Apps Need Universal Encryption
Why exactly do I want to be forced to use crypto on my Open Source app I have on the market? How exactly does that benefit me?
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Annual IT Salary Report 
Base pay for IT professionals has remained flat this year with a median annual salary of $88,000 for staff and $112,000 for management. However, 58% of staff and 62% of managers who responded to our survey say they're satisfied with their compensation. Download this report to find out which positions earn the highest compensation.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll