Mobile
News
7/13/2012
05:13 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Android Apps Need Universal Encryption

Google's encryption for paid apps isn't enough to protect developers and users, argues author Godfrey Nolan.

Google I/O: 10 Awesome Visions
Google I/O: 10 Awesome Visions
(click image for larger view and for slideshow)
At its developer conference last month, Google announced that apps created with Android 4.1 or greater and distributed for a fee through Google Play will be armored against piracy.

"From Jelly Bean and forward, paid apps in Google Play are encrypted with a device-specific key before they are delivered and stored on the device," the company said. "We know you work hard building your apps. We work hard to protect your investment."

Godfrey Nolan, author of the newly released book Decompiling Android (Apress, 2012), argues that Google should work harder and extend encryption to both paid and free Android apps distributed through Google Play.

Unauthorized app copying is a problem for both iOS and Android developers, but it's particularly acute in the Android ecosystem due to the relative openness of Android devices and a customer base that appears to be more prone than iOS customers to see nothing wrong with unlawful copying.

[ Security risks or not, Android is charging ahead in the smartphone race. Read Android Strengthens Lead Over U.S. Smartphone Rivals. ]

A September 2011 report from the Yankee Group found that out of 75 Android developers surveyed, 27% see piracy as a huge problem and another 26% see it as somewhat of a problem. Carl Howe, Yankee Group director of research and author of the report, characterized the Android app environment as the "Wild West."

Nolan's argument is based on the fact that it's extremely easy to decompile Android apps to obtain a close approximation of the original source code. That doesn't make it any easier to copy Android apps--that's already fairly simple--but it does pose a security risk as more and more apps rely on backend services.

"If [your application] contains any clues to gaining access to backend systems, such as API keys or database logins, or if your application has any customer information that needs to be secure, then you owe it to your customers to take basic steps to protect your code," he wrote in his book.

For iOS developers, decompilation isn't an issue. "iOS apps are prone to disassembly, not decompilation, which means you get the hexadecimal binary back but not the source code," explained Nolan in an email. "So with iOS you might be able to see some strings but not anywhere near the entire source code."

There are already steps Android developers can take to protect their code, such as code obfuscation, but encryption for all Android apps available through Google Play would add an extra layer of protection.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CoryatJohn
50%
50%
CoryatJohn,
User Rank: Apprentice
7/16/2012 | 4:12:49 PM
re: Android Apps Need Universal Encryption
Piracy of Android apps isn't a real problem but one of perception. Piracy is probably on the order of 1% or less, so any countermeasures implemented will hardly increase sales and most likely will cause huge headaches for developers as uses experience crashes. LVL was introduced with great fanfare and all it did was cause headaches for those developers crazy enough to add it to their app.

The in-app purchase system Google introduced last year is a secure system that is difficult to spoof. Developers who are using this system, especially the unmanaged items are experiencing virtually zero piracy. Our app, which is in the top 300 in popularity and grossing has had zero issues with piracy.

Adding another layer of complication to an already fragmented and difficult to control ecosystem will add nothing but confusion and cost to Android.
mrao30001
50%
50%
mrao30001,
User Rank: Apprentice
7/16/2012 | 3:22:52 PM
re: Android Apps Need Universal Encryption
What I'd like to see is some kind of survey or research done to see how much of a problem Android really has with piracy as opposed to asking developers how bad they *think* piracy is on Android. I'm sure that there will be some people who will use pirated apps even if they are just 99c or 10c for that matter. Those folks are not going to be buying apps anyway. But how many people who would otherwise have bought apps, but didn't because they use pirated apps? If they are not concerned with Karma, then the lack of encryption and the ease with which malware/viruses could be added to decompiled pirated apps should give them pause. The market will take care of this. I always find that adding activation and crap like that consumes more resources without really fixing the problem. Encryption is not a solution for poorly coded apps that expose customer information.

Edit: Here's a good article on making it difficult for automated injection of malware - http://www.develop-online.net/...
Devon Jones
50%
50%
Devon Jones,
User Rank: Apprentice
7/16/2012 | 2:51:05 PM
re: Android Apps Need Universal Encryption
Why exactly do I want to be forced to use crypto on my Open Source app I have on the market? How exactly does that benefit me?
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.