Google's Android Licensing Scheme Cracked

Developers should obfuscate their code and take steps beyond those explained in the Android Market Licensing reference implementation, Google advises.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 24, 2010

3 Min Read
InformationWeek logo in a gray background | InformationWeek

Introduced less than a month ago, Android Market Licensing is a network-based service that allows Android developers to check whether a given user has been licensed to use a given Android app.

Google deployed the service in an effort to help Android developers deal with unauthorized copying of their apps, a longstanding sore spot in the Android developer community.

Jeff LaMarche, a well-known Mac OS X and iPhone developer, last month predicted that Google's copy protection scheme could be easily circumvented and now his prediction has been realized: A security researcher identified as Justin Case has posted details on the Android Police Web site about how to bypass the Android License Verification Library.

"Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution," Case wrote. "By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts."

Using an assembler/disassembler suite called "smali/baksmali," Case shows how an Android License Verification Library file can be altered so that its license appears to be valid.

"The current situation with piracy in our community is out of control, and only set to get worse as the platform grows," he concludes.

Google's developer documentation makes it clear that the Android licensing system scheme isn't perfect.

"Although no license mechanism can completely prevent all unauthorized use, the licensing service lets you control access for most types of normal usage, across all compatible devices, locked or unlocked, that run Android 1.5 or higher version of the platform," Google's Android developer guide says.

Android developer advocate Tim Bray reiterated this point in a blog post addressing Case's article.

"Android Market is already a responsive, low-friction, safe way for developer to get their products to users," he wrote. "The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction."

In a statement, a company spokesperson explained that the Android licensing scheme is best implemented with additional security measures.

"The License Verification Library (LVL) is a copy protection component," a Google spokesperson said in an e-mail. "The LVL provided is a source code reference implementation which is designed to be easily understood and incorporated by developers. To increase the protection of applications, developers can add additional components such as obfuscating application code or altering the reference implementation."

Yet Google's developer documentation makes it clear that Android's licensing system is not a copy protection system, perhaps because copy protection systems can always be defeated.

"This licensing service operating real time over the network provides more flexibility in choosing license-enforcement strategies, and a more secure approach in protecting your applications from unauthorized use, than copy protection," the developer documentation explains.

Google appears to be hoping developers will use its tools to try to convert unauthorized copies into authorized ones, rather than try to defend that which cannot be defended.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights