Android Apps Need Universal Encryption
Google's encryption for paid apps isn't enough to protect developers and users, argues author Godfrey Nolan.
"From Jelly Bean and forward, paid apps in Google Play are encrypted with a device-specific key before they are delivered and stored on the device," the company said. "We know you work hard building your apps. We work hard to protect your investment."
Godfrey Nolan, author of the newly released book Decompiling Android (Apress, 2012), argues that Google should work harder and extend encryption to both paid and free Android apps distributed through Google Play.
Unauthorized app copying is a problem for both iOS and Android developers, but it's particularly acute in the Android ecosystem due to the relative openness of Android devices and a customer base that appears to be more prone than iOS customers to see nothing wrong with unlawful copying.
[ Security risks or not, Android is charging ahead in the smartphone race. Read Android Strengthens Lead Over U.S. Smartphone Rivals. ]
A September 2011 report from the Yankee Group found that out of 75 Android developers surveyed, 27% see piracy as a huge problem and another 26% see it as somewhat of a problem. Carl Howe, Yankee Group director of research and author of the report, characterized the Android app environment as the "Wild West."
Nolan's argument is based on the fact that it's extremely easy to decompile Android apps to obtain a close approximation of the original source code. That doesn't make it any easier to copy Android apps--that's already fairly simple--but it does pose a security risk as more and more apps rely on backend services.
"If [your application] contains any clues to gaining access to backend systems, such as API keys or database logins, or if your application has any customer information that needs to be secure, then you owe it to your customers to take basic steps to protect your code," he wrote in his book.
For iOS developers, decompilation isn't an issue. "iOS apps are prone to disassembly, not decompilation, which means you get the hexadecimal binary back but not the source code," explained Nolan in an email. "So with iOS you might be able to see some strings but not anywhere near the entire source code."
There are already steps Android developers can take to protect their code, such as code obfuscation, but encryption for all Android apps available through Google Play would add an extra layer of protection.
Black Hat USA Las Vegas, the premiere conference on information security, features four days of deep technical training followed by two days of presentations from speakers discussing their latest research around a broad range of security topics. At Caesars Palace in Las Vegas, July 21-26. Register today.