Google's Android Licensing Scheme Cracked - InformationWeek

8/24/2010
02:02 PM

Developers should obfuscate their code and take steps beyond those explained in the Android Market Licensing reference implementation, Google advises.

Introduced less than a month ago, Android Market Licensing is a network-based service that allows Android developers to check whether a given user has been licensed to use a given Android app.

Google deployed the service in an effort to help Android developers deal with unauthorized copying of their apps, a longstanding sore spot in the Android developer community.

Jeff LaMarche, a well-known Mac OS X and iPhone developer, predicted last month that Google's copy protection scheme could be easily circumvented, and his prediction has now been realized: a security researcher identified as Justin Case has posted details on the Android Police website about how to bypass the Android License Verification Library.

"Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution," Case wrote. "By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts."

Using an assembler/disassembler suite called "smali/baksmali," Case shows how an Android License Verification Library file can be altered so that its license appears to be valid.

"The current situation with piracy in our community is out of control, and only set to get worse as the platform grows," he concludes.

Google's developer documentation makes it clear that the Android licensing scheme isn't perfect.

"Although no license mechanism can completely prevent all unauthorized use, the licensing service lets you control access for most types of normal usage, across all compatible devices, locked or unlocked, that run Android 1.5 or higher version of the platform," Google's Android developer guide says.

Android developer advocate Tim Bray reiterated this point in a blog post addressing Case's article.

"Android Market is already a responsive, low-friction, safe way for developers to get their products to users," he wrote. "The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction."

In a statement, a company spokesperson explained that the Android licensing scheme is best implemented with additional security measures.

"The License Verification Library (LVL) is a copy protection component," a Google spokesperson said in an e-mail. "The LVL provided is a source code reference implementation which is designed to be easily understood and incorporated by developers. To increase the protection of applications, developers can add additional components such as obfuscating application code or altering the reference implementation."

Yet Google's developer documentation makes it clear that Android's licensing system is not a copy protection system, perhaps because copy protection systems can always be defeated.

"This licensing service operating real time over the network provides more flexibility in choosing license-enforcement strategies, and a more secure approach in protecting your applications from unauthorized use, than copy protection," the developer documentation explains.

Google appears to be hoping developers will use its tools to try to convert unauthorized copies into authorized ones, rather than try to defend that which cannot be defended.
