Way to Protect from Lucky Patcher/Play Licensing

The short answer is: not really.

You can watch a Google I/O talk about some best practices for using the licensing APIs, etc.: Google IO Anti Pirate

I know there is another talk about general patterns to thwart lazy pirates as well, but I can't seem to find the URL.

In general, if your protection depends on if/then logic, all someone has to do is patch the code and invert that logic or bypass it altogether, which is pretty easy in Java.

You can make it harder by obfuscating where you are doing this, doing it in many places, doing it randomly, adding ProGuard obfuscation, etc., to dissuade casual hackers.

Even server-side logic is simple to bypass unless the returned package is used in some way (like an encryption token that is synced with the user or phone information to unlock content, or a user-id verification scheme that is required to access online community content, etc.).

In the end, if someone is determined and has skills they can get around all of it, and unless you are losing serious revenue it's hardly worth losing sleep over, in my opinion; which is a problem we ALL need to have!

After doing this for 20 years (commercial development), my approach is to make it difficult by using the above patterns, and change it occasionally. That weeds out the lazy pirates.

Then forget about it and concentrate on making an application that is worth stealing by the pro-pirates.

MY APPROACH

My apps are mostly content driven.

In general, if someone buys content it gets encrypted server side using tokens and decrypted using the same (which are not stored but generated each session using device and user tokens, which honestly only makes it a bit harder to spoof).

I can then track access by user/device pairings. The downside for the hacker is that they have to pay once, and if their tokens are suddenly getting used beyond reasonable limits it alerts me to the fact, and I can turn off that account if I want to (and I have).

I have found that, socially, people are far less likely to let someone use information to cheat if it's associated with them (though it has happened) and it will come back on them.

I still follow all of the advice from I/O, the Dev Blog, etc., and if I detect tampering I inform the user and then let it go for N period of time so they can contact me or self-correct.

I also never kill an app, but I do tell the user they are using malware, and ask them if they really trust the person that stole it with their data, etc. Those kinds of pop-ups have bit'd messages so simple string searches won't work, etc., and throw a scare into people.

I also have a way to send a poison token set to the device that will in essence lock out any data they have accumulated with the device unless I unlock it, BUT you had better be really sure they are thieves before you go nuclear on them.

Also, don't discount analytics as a way to detect a pirated copy, and to determine the proper action to take when one is detected.

Follow the guidelines the blog post and the I/O talk mentioned, then be creative in applying them and mixing in a somewhat unique solution, then change it every so often to give the pirates fits.

Lucky patcher, how can I protect from it?

Code to check your certificate:

    import android.content.Context;
    import android.content.pm.PackageManager;
    import android.content.pm.PackageManager.NameNotFoundException;
    import android.content.pm.Signature;

    public void checkSignature(final Context context) {
        try {
            Signature[] signatures = context.getPackageManager()
                    .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures;

            // Compare string contents with equals(); != only compares object references,
            // so it would report a mismatch on every run, even for the genuine APK
            if (!"<YOUR CERTIFICATE STRING GOES HERE>".equals(signatures[0].toCharsString())) {
                // Kill the process without warning. If someone changed the certificate
                // it is better not to give a hint about why the app stopped working
                android.os.Process.killProcess(android.os.Process.myPid());
            }
        }
        catch (NameNotFoundException ex) {
            // Must never fail, so if it does it means someone played with the APK, so kill the process
            android.os.Process.killProcess(android.os.Process.myPid());
        }
    }

Next, how to find out which one is your certificate. You must produce an APK in release mode, as the debug certificate is different from the release one. Output your certificate to your Logcat:

    android.util.Log.d("Signature", signatures[0].toCharsString());

Remember that when you go back to debug mode, the certificate is different again. To avoid debug issues, use the next lines to skip the verification:

    // Single & for the bit test: &= would assign the masked value back into the flags field
    if ((context.getApplicationContext().getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0)
        return;

Next, the Lucky Patcher checker.
I decompiled all versions of Lucky Patcher, and I've found that its creator used 2 package names across all releases. So you only need to keep track of new versions and keep adding future package names.

    import android.content.pm.ApplicationInfo;

    // Both methods live in an Activity (or another Context subclass), hence this.getPackageManager()
    private boolean checkLuckyPatcher() {
        if (packageExists("com.dimonvideo.luckypatcher"))
            return true;

        if (packageExists("com.chelpus.lackypatch"))
            return true;

        if (packageExists("com.android.vending.billing.InAppBillingService.LACK"))
            return true;

        return false;
    }

    private boolean packageExists(final String packageName) {
        try {
            ApplicationInfo info = this.getPackageManager().getApplicationInfo(packageName, 0);

            if (info == null) {
                // No real need to test for null: if the package does not
                // exist it raises an exception. But in case Google
                // changes the API in the future, let's be safe and test it
                return false;
            }

            return true;
        }
        catch (Exception ex) {
            // If we get here it only means the package does not exist
        }

        return false;
    }
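The certificate check above compares the whole certificate string and reads the flags with a compound assignment. Below is an added example, not code from this answer or from any project, that does the same check the way a practitioner would harden it: hash the signer certificate with SHA-256, compare the hash to a pinned fingerprint in constant time with MessageDigest.isEqual, and skip the check only in debuggable builds. The class name, the EXPECTED_SHA256_HEX placeholder and the fingerprintHex() helper are assumptions; the Android APIs (GET_SIGNING_CERTIFICATES on API 28+, GET_SIGNATURES before that) are real.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Signing-certificate check that pins a SHA-256 fingerprint and compares it in constant time. */
public final class SigningCertCheck {

    // Placeholder: hex SHA-256 of the RELEASE certificate. Print it once with fingerprintHex()
    // from a release build, or take the "SHA256:" line from `keytool -list -v` and drop the colons.
    private static final String EXPECTED_SHA256_HEX = "<RELEASE CERT SHA-256 HEX GOES HERE>";

    private SigningCertCheck() {}

    /** True when the running APK is signed by the pinned certificate (or is a debug build). */
    public static boolean isSignedByReleaseCert(Context context) {
        // Debug builds are signed with the debug keystore, so the pin can never match there.
        // Note the single '&': '&=' would write the masked value back into the flags field.
        if ((context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            return true;
        }
        try {
            byte[] expected = hexToBytes(EXPECTED_SHA256_HEX);
            for (Signature sig : currentSigners(context)) {
                // Constant-time comparison of the certificate hash; String != compares references only
                if (MessageDigest.isEqual(sha256(sig.toByteArray()), expected)) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException
                 | IllegalArgumentException e) {
            // Our own package must always resolve; any failure here (including an unset
            // placeholder, which is not valid hex) fails closed.
            return false;
        }
    }

    /** Hex SHA-256 of the first signer, to log once from a release build and paste into the pin. */
    public static String fingerprintHex(Context context)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        Signature[] signers = currentSigners(context);
        if (signers.length == 0) throw new IllegalArgumentException("no signers");
        return bytesToHex(sha256(signers[0].toByteArray()));
    }

    @SuppressWarnings("deprecation")
    private static Signature[] currentSigners(Context context)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = context.getPackageManager();
        String pkg = context.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // API 28+: GET_SIGNATURES is deprecated in favour of the signing-certificate API
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null) return new Signature[0];
            return info.signingInfo.getApkContentsSigners();
        }
        Signature[] sigs = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures;
        return sigs == null ? new Signature[0] : sigs;
    }

    private static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Call isSignedByReleaseCert(this) from several places and at random points, as the first answer recommends, rather than from one early-return at startup; it remains an if/then in Java and only raises the bar against casual patching. Until the placeholder is replaced with a real fingerprint the check fails closed, which is the safe default.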

Android anti piracy stop patchers

There are plenty of automatic tools to remove Google Play licensing from apps, as well as tricks to protect from patching software.

Here is, for example, a patcher http://luckypatcher.net/ and a discussion on how to protect from it: Way to protect from Lucky Patcher / play licensing

Consider those options to protect your app:

  1. Make the licensing verification code uncommon. Read these guidelines from a Google engineer: http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html

  2. Move your paid features and licensing checks to native code, and possibly protect it with tamper-protection tools.

  3. Make the paid features online content and verify the license on the web.
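Option 3 here, and the first answer's pattern of encrypting content server side under tokens generated per session from user and device data while watching each user/device pairing for abuse, share one design point: the server's reply must be something the client needs, not a yes/no an if/then can be patched around. The plain-Java example below is added here and is not code from any of the posts. The server derives a per-session AES-256 key with HMAC-SHA256 over the user id, device id and a fresh nonce, encrypts the purchased content with AES-GCM, and counts sessions per pairing so that shared credentials trip a limit. The server secret, the entitlement set, the limit of 3 sessions and the sample content are all constructed values.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Constructed example: the licence response is a content key, so a patched check gains nothing. */
public final class ContentLicenseServer {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    private final byte[] serverSecret;            // assumed to live in a server-side secret store
    private final Set<String> paidUsers = new HashSet<>();            // constructed entitlement table
    private final Map<String, Integer> sessionsPerPairing = new HashMap<>();
    private final int sessionLimit;               // the "reasonable limit" per user/device pairing

    public ContentLicenseServer(byte[] serverSecret, int sessionLimit) {
        this.serverSecret = serverSecret.clone();
        this.sessionLimit = sessionLimit;
    }

    public void recordPurchase(String userId) { paidUsers.add(userId); }

    /** Issues a session key, or null if the user never paid or the pairing is over its limit. */
    public byte[] issueSessionKey(String userId, String deviceId, byte[] nonce)
            throws GeneralSecurityException {
        if (!paidUsers.contains(userId)) return null;
        int uses = sessionsPerPairing.merge(userId + "|" + deviceId, 1, Integer::sum);
        if (uses > sessionLimit) return null;     // in production: alert, and maybe disable the account
        // Key = HMAC-SHA256(serverSecret, user || device || nonce): never stored, derived per session
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
        mac.update(userId.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0);                     // separator so "ab"+"c" != "a"+"bc"
        mac.update(deviceId.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0);
        return mac.doFinal(nonce);                // 32 bytes, used directly as an AES-256 key
    }

    public boolean isOverLimit(String userId, String deviceId) {
        return sessionsPerPairing.getOrDefault(userId + "|" + deviceId, 0) > sessionLimit;
    }

    public static byte[] newNonce() { byte[] n = new byte[16]; RNG.nextBytes(n); return n; }

    /** Server side: AES-256-GCM over the purchased content; output is IV || ciphertext || tag. */
    public static byte[] encrypt(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    /** Client side: throws AEADBadTagException when the key is wrong or the blob was altered. */
    public static byte[] decrypt(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);
        ContentLicenseServer server = new ContentLicenseServer(secret, 3);
        server.recordPurchase("alice");

        // Paying client: the licence response is the key, and the content decrypts
        byte[] key = server.issueSessionKey("alice", "phone-1", newNonce());
        byte[] blob = encrypt(key, "chapter 1 text".getBytes(StandardCharsets.UTF_8));
        System.out.println("paid client reads: " + new String(decrypt(key, blob), StandardCharsets.UTF_8));

        // Copy with the check patched out: no key was issued, and a guessed key fails the GCM tag
        try {
            decrypt(new byte[32], blob);
        } catch (GeneralSecurityException e) {
            System.out.println("patched client: " + e.getClass().getSimpleName());
        }

        // Shared credentials: the same pairing asking for a 4th session trips the limit
        for (int i = 0; i < 3; i++) server.issueSessionKey("alice", "phone-1", newNonce());
        System.out.println("over limit: " + server.isOverLimit("alice", "phone-1"));   // true
    }
}
```

The point of the design is that nothing on the device can be patched into "licensed": without a session key from the server the content is just ciphertext, and the per-pairing counter gives the server the usage signal the first answer relies on to spot an account being shared. The counter is in-memory here; a real service would keep it in a store with a time window and raise an alert rather than silently returning null.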
