Google's Android Licensing Scheme Cracked

Developers should obfuscate their code and take steps beyond those explained in the Android Market Licensing reference implementation, Google advises.
Introduced less than a month ago, Android Market Licensing is a network-based service that allows Android developers to check whether a given user has been licensed to use a given Android app.

Google deployed the service in an effort to help Android developers deal with unauthorized copying of their apps, a longstanding sore spot in the Android developer community.

Jeff LaMarche, a well-known Mac OS X and iPhone developer, last month predicted that Google's copy protection scheme could be easily circumvented and now his prediction has been realized: A security researcher identified as Justin Case has posted details on the Android Police Web site about how to bypass the Android License Verification Library.

"Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution," Case wrote. "By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts."

Using an assembler/disassembler suite called "smali/baksmali," Case shows how an Android License Verification Library file can be altered so that its license appears to be valid.

"The current situation with piracy in our community is out of control, and only set to get worse as the platform grows," he concludes.

Google's developer documentation makes it clear that the Android licensing system scheme isn't perfect.

"Although no license mechanism can completely prevent all unauthorized use, the licensing service lets you control access for most types of normal usage, across all compatible devices, locked or unlocked, that run Android 1.5 or higher version of the platform," Google's Android developer guide says.

Android developer advocate Tim Bray reiterated this point in a blog post addressing Case's article.

"Android Market is already a responsive, low-friction, safe way for developer to get their products to users," he wrote. "The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction."

In a statement, a company spokesperson explained that the Android licensing scheme is best implemented with additional security measures.

"The License Verification Library (LVL) is a copy protection component," a Google spokesperson said in an e-mail. "The LVL provided is a source code reference implementation which is designed to be easily understood and incorporated by developers. To increase the protection of applications, developers can add additional components such as obfuscating application code or altering the reference implementation."

Yet Google's developer documentation makes it clear that Android's licensing system is not a copy protection system, perhaps because copy protection systems can always be defeated.

"This licensing service operating real time over the network provides more flexibility in choosing license-enforcement strategies, and a more secure approach in protecting your applications from unauthorized use, than copy protection," the developer documentation explains.

Google appears to be hoping developers will use its tools to try to convert unauthorized copies into authorized ones, rather than try to defend that which cannot be defended.

Editor's Choice
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
John Edwards, Technology Journalist & Author
John Edwards, Technology Journalist & Author
James M. Connolly, Contributing Editor and Writer