Editor’s Note: The following article is reprinted from Network World.
Android’s growing success as a smartphone operating system is bringing a long-simmering problem to light: A lot of Android applications are being pirated. The openness of the platform has made it easy for people to steal applications without paying for them.
Until very recently, it was easy to strip rudimentary copy protection from applications offered on the Android Market Web site, and then use, offer or even sell the software as your own. The problem isn’t new, and Google has taken much more aggressive steps in 2010 to make it harder to pirate Android apps.
But the growing popularity of the OS with enterprise users and developers is creating greater urgency, as pirated code robs developers of revenue and the incentive to remain committed Android. (See Android Set to Rule Over Apple and RIM Operating Systems.)
Network World’s Android Angle blogger, Mark Murphy, bluntly noted a year ago that “Right now, it is very straightforward—if you publish on Android Market, your application will be made available for free download outside of the Market.” He added, “This is part and parcel of having an open environment like Android.” The then-current Android Market copy protection mechanisms “have been demonstrated to be ineffective.”
One Android developer, with the handle Chimaera, reported his first app was pirated within a month, and the pirates’ download statistics were more impressive than his own. The crowning indignity: Trying to get file servers to remove the pirated software was frustratingly complicated. “They made you feel as [if] you are the offender,” he wrote.
What’s especially galling to professional developers is watching sales plunge as piracy rates soar. “The current issue we face with Android is rampant piracy, and we’re working to provide hacking counter measures, a difficult task,” says Jean Gareau, founder of VidaOne, an Austin, Texas, software company that specializes in health and fitness applications for a variety of operating systems.
One developer, “Dave,” of KeyesLabs, argued in an online forum that a “culture of cheating” was developing around the OS.
KeyesLabs created a Android utility called Screebl. In a recent blog post, the company reported: “Over time … we began to notice a dramatic increase in the number of pirated versions of Screebl Pro, accompanied by a decrease in sales. Lately our piracy rates have spiked as high as 90 percent on some days.” In some cases, it took only minutes after a new version was posted for pirated code to appear.”
KeyesLabs created its own licensing protection, called Automatic Application Licensing (AAL), and began bundling it with Screebl Pro. “The purpose of AAL is to allow painless verification that the user of Screebl Pro actually purchased the app from the Android Market. We’ve taken this step to attempt to put a stop to the insane levels of piracy that Screebl has seen, and so far, things seem to be working out nicely.”
Some have argued that piracy is rampant in those countries where the online Android Market is not yet available. But a recent KeyesLabs research project suggests that may not be true. KeyesLabs created a rough methodology to track total downloads of its apps, determine which ones were pirated, and the location of the end users. The results were posted in August, along with a “heat map” showing pirate activity.
“Over the course of 90 days, the app was installed a total of 8,659 times. Of those installations only 2,831 were legitimate purchases, representing an overall piracy rate of over 67 percent. For my app, the largest contributor to piracy, by far, is the United States providing 4,054 or about 70% of all pirated installations of Screebl Pro.” The company concluded that of the nearly 6,000 pirated downloads, only 14 percent were from countries lacking access to the Android Market.
In July 2010, Google announced the Google Licensing Service, available via Android Market. Applications can include the new License Verification Library (LVL). “At run time, with the inclusion of a set of libraries provided by us, your application can query the Android Market licensing server to determine the license status of your users,” according to a blog post by Android engineer Eric Chu. “It returns information on whether your users are authorized to use the app based on stored sales records.”
It was a well-received start to securing applications, but there’s still a long way to go.
“Google is well aware of the issue and has released some feature (licensing validation), but they can easily be broken because basically, a hacker can obtain an application source code (i.e. reverse-engineering), something that cannot be done on the iPhone or Windows Mobile for instance,” says VidaOne’s Gareau.
Justin Case, at the Android Police Web site, dissected the LVL. “A minor patch to an application employing this official, Google-recommended protection system will render it completely worthless,” he concluded.
In response, Google has promised continued improvements and outlined a multipronged strategy around the new licensing service to make piracy much harder. “A determined attacker who’s willing to disassemble and reassemble code can eventually hack around the service,” acknowledged Android engineer Trevor Johns in a recent blog post.
But developers can make their work much harder by combining a cluster of techniques, he counsels: obfuscating code, modifying the licensing library to protect against common cracking techniques, designing the app to be tamper-resistant, and offloading license validation to a trusted server.
Gareau isn’t quite as convinced of the benefits of code obfuscation, though he does make use of it. He’s taken several other steps to protect his software work. One is providing a free trial version, which allows only a limited amount of data but is otherwise fully-featured. The idea: Let customers prove that the app will do everything they want, and they may be more willing to pay for it. He also provides a way to detect whether the app has been tampered with, for example, by removing the licensing checks. If yes, the app can be structured to stop working or behave erratically.
Other steps: implement the Google Java licensing scheme for apps sold on Android Market, so that people who requested and received a refund on a purchased app cannot still use the code; and using an alternative resale channel, such as www.handango.com, in locations where Android Market is not yet available.
“This is not a silver bullet, but it goes a long way to help prevent piracy,” Gareau says.
[John Cox covers wireless networking and mobile computing for Network World.]