Google's encryption for paid apps isn't enough to protect developers and users, argues author Godfrey Nolan.
Google I/O: 10 Awesome Visions
(click image for larger view and for slideshow)
At its developer conference last month, Google announced that apps created with Android 4.1 or greater and distributed for a fee through Google Play will be armored against piracy.
"From Jelly Bean and forward, paid apps in Google Play are encrypted with a device-specific key before they are delivered and stored on the device," the company said. "We know you work hard building your apps. We work hard to protect your investment."
Godfrey Nolan, author of the newly released book Decompiling Android (Apress, 2012), argues that Google should work harder and extend encryption to both paid and free Android apps distributed through Google Play.
Unauthorized app copying is a problem for both iOS and Android developers, but it's particularly acute in the Android ecosystem due to the relative openness of Android devices and a customer base that appears to be more prone than iOS customers to see nothing wrong with unlawful copying.
A September 2011 report from the Yankee Group found that out of 75 Android developers surveyed, 27% see piracy as a huge problem and another 26% see it as somewhat of a problem. Carl Howe, Yankee Group director of research and author of the report, characterized the Android app environment as the "Wild West."
Nolan's argument is based on the fact that it's extremely easy to decompile Android apps to obtain a close approximation of the original source code. That doesn't make it any easier to copy Android apps--that's already fairly simple--but it does pose a security risk as more and more apps rely on backend services.
"If [your application] contains any clues to gaining access to backend systems, such as API keys or database logins, or if your application has any customer information that needs to be secure, then you owe it to your customers to take basic steps to protect your code," he wrote in his book.
For iOS developers, decompilation isn't an issue. "iOS apps are prone to disassembly, not decompilation, which means you get the hexadecimal binary back but not the source code," explained Nolan in an email. "So with iOS you might be able to see some strings but not anywhere near the entire source code."
There are already steps Android developers can take to protect their code, such as code obfuscation, but encryption for all Android apps available through Google Play would add an extra layer of protection.
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.