Google Rolls Out Android’s New Anti-Piracy Mechanism
by Greg Kumparak on July 28, 2010

If we’re hearing any one thing from developers that is scaring ’em away from Android, it’s that Android apps are just way, way too easy to pirate. Hell, you don’t even have to go through shady third party download sites; just buy an app, copy it to the sd card, and refund the application. Ta-da! (Read: Don’t do that.)

Google’s been talking for some time about a new, considerably more secure system for protecting applications from pirates and dishonest refunders. Today, that system goes live.

The new system seems pretty painless. One thing to note, however: it requires a bit of modification to each application, so apps already on the market won’t be protected until their developers choose to update them. Developers include a set of code libraries provided by Google, and then use those libraries to send a message to the Android Market app requesting the user’s licensing status. The Market then checks through its own database to see if a user really did buy the app, and then sends a message back to the app with all the details.
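
The request/response check described above, sketched as an added example (not code from the article or from Google's licensing library). It assumes the response is signed with an RSA key pair, as a commenter below states; the field layout, key pair, package name and nonce are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class LicenseResponseDemo {
    // Constructed layout for this sketch: status|nonce|package|timestamp
    static boolean isLicensed(String data, byte[] sig, PublicKey storeKey,
                              long nonce, String pkg) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(storeKey);
        v.update(data.getBytes(StandardCharsets.UTF_8));
        if (!v.verify(sig)) return false;                     // not signed by the store's key
        String[] f = data.split("\\|");
        if (f.length != 4) return false;                      // malformed response
        if (!f[1].equals(Long.toString(nonce))) return false; // answer to some other request
        if (!f[2].equals(pkg)) return false;                  // license for a different app
        return f[0].equals("LICENSED");
    }

    // Stand-in for the store side: sign the response with the private key.
    static byte[] sign(String data, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair store = gen.generateKeyPair();  // hypothetical store key; the app holds only the public half
        KeyPair other = gen.generateKeyPair();  // any key that is not the store's

        String pkg = "com.example.app";             // constructed package name
        long nonce = new SecureRandom().nextLong(); // fresh value per request
        String ok = "LICENSED|" + nonce + "|" + pkg + "|1280275200";
        String no = "NOT_LICENSED|" + nonce + "|" + pkg + "|1280275200";
        PublicKey pub = store.getPublic();

        System.out.println("genuine purchase:  " + isLicensed(ok, sign(ok, store.getPrivate()), pub, nonce, pkg));
        System.out.println("no purchase:       " + isLicensed(no, sign(no, store.getPrivate()), pub, nonce, pkg));
        System.out.println("wrong signing key: " + isLicensed(ok, sign(ok, other.getPrivate()), pub, nonce, pkg));
        System.out.println("stale nonce:       " + isLicensed(ok, sign(ok, store.getPrivate()), pub, nonce + 1, pkg));
    }
}
```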

The whole system is free for developers to implement, and will work properly on any Android handset running Android Market 1.5 or later (read: just about all of them.)

The idea of server-based authentication is by no means a new one, and, like pretty much any anti-piracy method, it tends to be surmountable if the right hackers decide to take a stab at it. With that said, it’s a whole lot better than nothing (at least from a wary publisher’s standpoint.)

You can get the full nitty-gritty at the Android Dev Blog — or if you’re a developer, you can start looking into licensing your applications here.

Comments

  • I know I brought this up before, but this seems a lot like WGA and also Microsoft’s old “PlaysForSure” DRM platform.

    Hopefully it doesn’t infringe on any patents because Microsoft lost a patent case because WGA infringed on UniLoc’s patents, costing $380M..

  • It still doesn’t stop piracy. Once the app is backed up with something like Astro you still have it. It won’t update if it’s a paid app but you’ve got the app and your refund. Developers need to make it so that the app can’t be backed up. Skype, Jewel Lust and a few already do this.

    • Of course it won’t stop it, but once piracy goes from “trivially easy” to “slightly difficult” it takes out most of the casual pirates. Also, locking out the really hardcore pirates usually introduces some sort of burden on legit customers.

    • The app can check the license at any time, at start-up sounds the most likely, and do anything it likes.
      So if you back your app up and don’t then have a license from the app store to run the app, it can stop at any time it wants to.
      This could make for issues in areas with weak network connections, where the app can’t validate itself because it can’t talk to the server however.

      • That’s what I don’t like about this method. It’s a good step for piracy prevention, but what if I take my phone offline, airplane mode, am in a dead zone/elevator, or any other reason. This just produces one more bottleneck to getting the app running as fast as possible… :/

  • What if the user isn’t connected to the internet?

    • It’ll probably go for a “better safe than sorry” approach and assume your version is legit until you have internet connection again and then check to make sure.
      Seems like the sensible thing to do.

  • The *slight* downside is that updating your phone right now kicks off “copy protected” apps from the visibility of your market. This is very likely due to the new mechanism but not acceptable. I have apps I paid for which I now cannot access anymore.

    Google, fix that!

  • My favorite part about this story is the police droid

  • Yeah, good luck with this. Isn’t “open” wonderful! LOL

    • The OS is open source. The apps that run inside the OS aren’t. When they don’t give the app away or decide on an advertising supported model, app developers should be paid for their work.

  • what collin said lol the police droid looks awesome

  • what’s this going to do to battery life?!?

    what if i’ve got 50 apps installed (not an unreasonable number for android users).
    how often does this happen, and how expensive is it to make 50 web service calls over the data network…???

    i’m not saying they shouldn’t implement some sort of anti-piracy, but this just seems like a bad… BAD idea.

    • That’s not how it works – the licensing library requests the status for a single app when the app wants it to (not 50 at once, and not at any given time). My guess is that most apps will do it at start-up, but technically the application could request a license check whenever it wants. Most Android applications use data in some form anyway, so I doubt there will be a significant impact on battery life.
      On the other hand, this will be trivial to crack – chances are, someone could even write a fake Market service that will answer “licensed” for every request, rendering the security moot.
      But it prevents the kind of casual piracy that’s been going on with Android apps so far – which can only be a plus for developers. And it gives Google parity with Apple in having a lame copy protection scheme, which is probably what they were going for anyway.

      • If a dev uses the default settings then the app will probably be checking the license about once a week so really there is unlikely to be a significant problem in that department.

        The dev has the choice of how to handle the case where the device is offline. Personally, I’ll give total access until the app first goes online and do the check then. However, the default requires the user to be online when they first update/install the app so that’s probably what most apps will do.

        The system uses an RSA key pair so it won’t be possible to write a fake Market service.

        The only way to crack an app using this system would be to decompile it and rip out the license checking code. I’m sure that will happen with the really popular apps but will be too much effort for most of the others.

  • So, what’s stopping people from continuing their use of currently pirated apps? Granted yeah after a while there will be some major updates they may want, but they’ll still get the main functions of what they have now.

    Also, and this is a major one, there’s a few things one could do to block the information relay, be it blocking traffic to certain IPs and/or editing the actual code in the application – both not too hard to achieve :/

    • Editing code in the application is not something an average user can do so at least it stops the average user from just copying the app to other users’ devices.

      Most good apps are constantly evolving, going through many iterations over the course of a few months. So even if someone decompiles an app and rips out the license check, it’s soon going to trail a long way behind the latest version. If the app updates are good, people will care enough to buy it. If not so good, then they’ll be happy with the old version.

  • Gosh, this seems terribly naïve to me. If I “Buy” an app but some confusion at the store server, or a lousy network connection or a data glitch slows me down or keeps me from using it, how happy will I be?

    Developers have to be conscious that they have taken legitimate customer’s money and not put impediments into their paths. I don’t understand why Google is proposing such a problem-prone solution.

    • To avoid continuous validation of the license by contacting the server, the app can create a digital signature of IMEI, App install time (if possible).. then once a week or whenever it starts up it can only verify the signature… once a month or there is a good network etc verify with lic server (just in case digital signature key is compromised) and when the signature is wrong coz the user changed phone it can connect to the license server to re calculate the stuff… I think now it’s all in the app developer’s hands…

  • Google released their anti-piracy efforts for Android platform last week. But there was already an option for iPhone or iPad developers from a new Cambridge startup sometime ago. Recently, there is an article about them at

    http://bostinnovation.com/2010/07/28/fighting-piracy-on-apple-devices-local-startup-mtiks-ensures-developers-get-paid/

  • This is why I went android? So Google could treat me like a thief? What other information will app developers be able to send out?

    Ok, android owners, our mighty lord and master Google decides you must all report your apps, now – turn around and bend over will ya!

    Vn

  • Any Digital Restrictions Management system like this one, where the software must report to some server that a user has no idea about, is painful. The whole concept of “protecting” software in these ridiculous ways is so painful that it doesn’t matter if the user experience is painless.

    • Yeah, I get it. IF I want to “try out” an app I have to install something like Little Snitch to block the call home feature.

      Unless the app developer is more aggressive, and PO’s users with lousy internet connections. And the “no price is low enough” crowd has to create man-in-the-middle or fake servers so that any potentially popular warez see cracked IMEIs, or whatever.

      The assertion that “just a wee bit of a challenge” is enough to protect developers’ interests seems pretty laughable when you look at the Adobe tools marketplace. Real $$$ at stake on a small number of titles.

      Let’s be honest here: Google has had the Marketplace for 3 years and still has a half-assed attitude towards paid apps. They’re still pushing “open,” but just wait and they’ll come up with some other way that they’re hyper-superior to Apple

  • This is REALLY nice. As a developer I appreciate the flexibility of this. I can check licensing without accessing the internet directly or personal information (it is handled through the Market app which only returns license info).

    It’s up to the developer to make sure the user never notices it. For example, you would typically allow the user to access the app for a period of time without internet access so they are not inconvenienced by a bad internet connection.

    Those complaining are pretty clueless. They must be mad that they will have to pay for the best apps. Really, this benefits almost everyone because now developers will actually get paid for their work and will be more likely to produce many high quality apps since they can justify the investment.

    This is a huge step forward, but you won’t really notice it. In a year there will be 1000s of great new paid apps that otherwise would have only been on iPhones.

    • “Google’s Android Market License Verification Easily Circumvented, Will Not Stop Pirates” sez Android Police.

      So you’re smarter than the crackers, huh. And anybody who doesn’t just like to spew happytalk, why you just baldly call them clueless. Pretty lousy debating approach.

      It’s pretty hard to see why Google is promoting such a simplistic security function if they actually care about developers’ security. With all their IQ points, you’d think they could do something a smidge less naïve if they cared.
