How to Secure My App Against Piracy

How to secure my app against piracy

I released a free anti-malware app for Android, and making sure nobody hacked it was essential to its success. The biggest threats agains an app on the Android Market include leaked source code, copied/distributed paid apps, and re-keying. I explain each below and way to solve them.

Firstly, this paper describes how to reverse-engineer an Android application by unpacking the compiled code and viewing the source code. You will not be able to block this from happening to your app. Period. Someone with a will can always view your sourcecode if they get a copy of your apk (easily available on a rooted phone). The good news is that you can obfuscate the important pieces of your code making it harder to reverse engineer. Proguard is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. In order to prevent your important code from being read, however, you will need to move all vulnerable methods or variables to a file that is not an Activity, Service, or BroadcastReceiver. For full facts, read the documentation.

To protect agains illegally copy and distribution of your application, Google Play provides some licensing options. Unfortunately, LVL is also not entirely secure. A detailed HOW-TO for how to crack it (pre-Google Play) is available here.

Lastly, the paper linked above, as well as numerous scholarly articles and online blogs describe how, once the source code (or even obfuscated source code) is leaked, once can merely add some of their own, malicious code, resign the app, and publish it on the Android Market. The good news here is that, unless your android license key password is easily guessable, or if you give it out to someone else, the attacker will not be able to publish an application with the same license key. This not only protects you from blame, but it will also make it so that malicious application cannot access data available through your original application (such as SharedPreferences).

All in all, the best way to really secure your application from piracy is to correctly configure and use Proguard, Google Play Licensure, and to sign you final apk with a very secure license key.

How to protect my application against piracy

As any license enforcement solution can be cracked with a bit of effort, I suggest you don't try to implement copy-protection at all. License management is just inconvenient for your users.

If you are determined to implement copy-protection, you can use an open-source library.

Additionally, you should obfuscate your byte code to make it slightly more difficult to reverse-engineer your application.

Protect android application from piracy

The answer I'm about to give is not the answer you want to hear, but please read through, as I will justify this answer and give you an alternative model you might be able to use in your application.

In general, you should not look for a single method that will be absolutely successful in protecting your application from being pirated. A determined pirate will, at some point, be able to remove the protection, and distribute the modified application if there's enough interest in it.

Even relatively closed devices like the Apple iPhone have piracy problems with jail broken devices, and a determined attacker will, at some point, be able to open your app. I give you as a further example of the difficulty of protecting software: Microsoft Windows. If Microsoft and Apple, with all of their resources and expertise are unable to solve this problem in an effective manner, do you really think you'll be able to?

Instead, I would encourage you to program your app in such a way that you're using software features that rely on servers you control. That way, you're holding the keys to the kingdom. When people make a purchase, ask them for a login/password that ties them to the server.

For example, if you're programming a game, make a good portion of the game community features based, where you interact with other players through servers which you, as the developer/distributor, control.

A slight modification of this model allows the customer to access the application for free, but with a limited amount of functionality, then gain full functionality when they purchase. In that light, piracy ceases to be a problem, and indeed, even the motivation to pirate your app vanishes. In the end, a service based model like this is probably a better solution than relying on some technically wizardry in a vain attempt to protect your app from prying eyes.

How do you protect your software from illegal distribution?

There are many, many, many protections available. The key is:

• Assessing your target audience, and what they're willing to put up with
• Understanding your audience's desire to play with no pay
• Assessing the amount someone is willing to put forth to break your protection
• Applying just enough protection to prevent most people from avoiding payment, while not annoying those that use your software.

Nothing is unbreakable, so it's more important to gauge these things and pick a good protection than to simply slap on the best (worst) protection you are able to afford.

• Simple registration codes (verified online once).
• Simple registration with revokable keys, verified online frequently.
• Encrypted key holds portion of program algorithm (can't just skip over the check - it has to be run for the program to work)
• Hardware key (public/private key cryptography)
• Hardware key (includes portion of program algorithm that runs on the key)
• Web service runs critical code (hackers never get to see it)

And variations of the above.

Piracy, piracy, piracy. What can I do?

Ultimately the built in protection of apps in Android is very poor. Here are your best practices.

1) Yes Google's recommendation to use code obfuscation, signed coded, and their license verification server is designed to prevent software theft. Their implementation however is highly flawed. The only requirement that an APK has to run is that it be signed. It doesn't matter who signed it though. There are no checks that your signature is the one it's signed with. So to crack it you just remove the license check and re-sign with whatever cert you want. Then a user can load it on their phone with "allow non market apps" checked.

Don't use Google licensing as is. Modify the code heavily. Add some new parameters to use when generating the keys. Move the code around / re-architect it. Don't include the Google licensing library as a library project. Put it directly in your code. Make the code as spindly and kludgy as possible. Add functions that do nothing, but modify the values on the fly. Make other functions later that convert them back. Spread license verification throughout your entire code base.

If you don't do those steps then the code can be cracked automatically. By doing those steps at least the cracker needs to take the time to hand crack it. That would probably only take a few hours at most. But a few hours is much much more time than instantly cracking the standard Google licensing layer. There are cracker tools that will actually just auto-download newly released android packages and, if they use the standard android licensing, crack them and upload the cracked APKs to these types of web sites. By making your implementation not the vanilla implementation you make things much harder, with only a few hours effort on your end.

2) This is a common anti-crack technique. You can do this on Android if you want. But it can be cracked in about 5 minutes. If you Google there are tutorials on how to crack this specific technique. Basically you just look for the CRC call in the code and remove the check after the CRC comes back.

Android has no inherent security. You can root any phone and download the APK. You can easily hack an APK to enable debugging and simply step the code to see any keys you have stored in the code. So in the end I wouldn't spend too much time on this. It's impossible to secure an Android App. I would just do the common sense stuff in the list above and move on.

3) If you're really paranoid you can implement your own licensing on your own licensing server. This is the approach I took, but not as much for protecting the app for theft, as it was to give me a mechanism to sell apps directly from my website so users that don't have Google Play could still purchase my apps.

How to prevent application thievery (specific to Android applications)?

Now there is the new Google App Licensing available. For deeper information read about it in the android developer blog.

A short summary: Google provides a library that makes a inter process call to the market client on the phone. The market client will then ask the google servers if the signed in user has purchased the app and forward this answer to you. There should be a public key in you developer profile that you need to encrypt the connection to the google server to prevent spoofing of answers. You also provide a application and device unique id with the query to make it impossible to forward approved queries to another device and build something like an licensing proxy with one bought copy forwarding the IS LICENSED answers to other devices.

At the moment this service looks secure enough to protect even the more valuable apps in the market. I will give it a try and maybe come back and leave some more informations after I used it a little bit.

If your app is really popular like an EA game or something this wan't stop users from hacking it. To hack the app somebody has to buy it, then unzip the apk, and edit the bytecode of your app to think that the market send a correct answer. The new byte code can be packed into another apk and can be installed on every phone that allows side loading.
To make this harder you can always try to obfuscate your apk and make your bytecode hard to understand.

---

Related Topics