Google's Android Licensing Scheme Cracked - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Operating Systems
02:02 PM
Connect Directly

Google's Android Licensing Scheme Cracked

Developers should obfuscate their code and take steps beyond those explained in the Android Market Licensing reference implementation, Google advises.

Introduced less than a month ago, Android Market Licensing is a network-based service that allows Android developers to check whether a given user has been licensed to use a given Android app.

Google deployed the service in an effort to help Android developers deal with unauthorized copying of their apps, a longstanding sore spot in the Android developer community.

Jeff LaMarche, a well-known Mac OS X and iPhone developer, last month predicted that Google's copy protection scheme could be easily circumvented and now his prediction has been realized: A security researcher identified as Justin Case has posted details on the Android Police Web site about how to bypass the Android License Verification Library.

"Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution," Case wrote. "By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts."

Using an assembler/disassembler suite called "smali/baksmali," Case shows how an Android License Verification Library file can be altered so that its license appears to be valid.

"The current situation with piracy in our community is out of control, and only set to get worse as the platform grows," he concludes.

Google's developer documentation makes it clear that the Android licensing system scheme isn't perfect.

"Although no license mechanism can completely prevent all unauthorized use, the licensing service lets you control access for most types of normal usage, across all compatible devices, locked or unlocked, that run Android 1.5 or higher version of the platform," Google's Android developer guide says.

Android developer advocate Tim Bray reiterated this point in a blog post addressing Case's article.

"Android Market is already a responsive, low-friction, safe way for developer to get their products to users," he wrote. "The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction."

In a statement, a company spokesperson explained that the Android licensing scheme is best implemented with additional security measures.

"The License Verification Library (LVL) is a copy protection component," a Google spokesperson said in an e-mail. "The LVL provided is a source code reference implementation which is designed to be easily understood and incorporated by developers. To increase the protection of applications, developers can add additional components such as obfuscating application code or altering the reference implementation."

Yet Google's developer documentation makes it clear that Android's licensing system is not a copy protection system, perhaps because copy protection systems can always be defeated.

"This licensing service operating real time over the network provides more flexibility in choosing license-enforcement strategies, and a more secure approach in protecting your applications from unauthorized use, than copy protection," the developer documentation explains.

Google appears to be hoping developers will use its tools to try to convert unauthorized copies into authorized ones, rather than try to defend that which cannot be defended.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
10 Ways to Transition Traditional IT Talent to Cloud Talent
Lisa Morgan, Freelance Writer,  11/23/2020
What Comes Next for the COVID-19 Computing Consortium
Joao-Pierre S. Ruth, Senior Writer,  11/24/2020
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Flash Poll