Application security

Application security, piracy and prevention all are hot topics recently, with good reason.  Without a robust application marketplace, that hundreds of thousands of new activations each month number isn't going to be maintainable, and a robust market isn't possible without the backing of developers.  We've seen that Android has a built-in solution to prevent piracy, and we've also seen just how easy it is to get around it if you're determined, and if the scheme is left in its basic form.  Google hinted that they had some more information to share about the whole subject, and true to their word they have done so.  After the break, let's have a look at a Googler's methods to provide safe, secure, and user friendly way to protect applications.  [Android Developers Blog]

The Android Market Licensing Service and the License Verification Library are powerful tools for developers to try to circumvent application piracy.  The problem, as was demoed recently, is that out of the box it isn't very hard to bypass.  Since people are people, and many will spend more time than it's worth to crack a 99-cent application from the Market, Trevor Johns (one of Android's Dev. Program Engineers) has laid out a handy set of tips to strengthen the supplied tools, and make the anti-piracy measures work better.

The four key areas are:

Code Obfuscation

Code obfuscation is a trick used by developers that changes the source code, making known functions, packages, classes and variables very hard to track down by providing an alias to each.  Take this imaginary function for example -- onRedraw().  Each place you use the function in the source code, it's right there, easy to read and possibly exploit.  A code obfuscator will replace the human readable function with a generated alias -- wy23() is a good example.  A quick glance (or an automated tool) looking for functions isn't going to work, as it takes some serious digging to see exactly what wy23() really means.  There are commercial Java code obfyousk8tors (ha!) available, and Trevor recommends ProGuard, and plans a future article on the Android Developers Blog about working with ProGuard.

Modifying the License Library

Google recommends that developers change the source of the supplied license libraries as much as possible while still retaining the original function.  This is one case where the path taken is unimportant, as long as the destination is reached.  Developers can bury function in if/then statements, loops, even mve the entire library into their own code block.

To go a step further, developers are encouraged to used hash checks and other encryption methods to generate new constants, and change the code to look for the new constants instead of using the ones provided by Google in the example code.  Be sure to hit the source link to see a great example right from Google showing how this can be done.  And don;t forget to obfuscate the code here either!

Make your application tamper resistant

This one's simple.  For a hacker thief to remove the licensing from your application, he or she has to reverse engineer and rebuild the application.  Use CRC checks to prevent this.  Google has another handy tool for this area too -- verify that the Android Market was the installation source of your application, and if not, don;t let it run.  Again, there's a nifty example of this at the source link.

Move the license verification to a remote server

If your application uses online components, Google recommends that you move the LVL information and response out of the app and on to your server.  When the user uses the app, your server checks with Google, and if everything isn't kosher, no content is served.  While simple, it's also very effective as to get around this, someone would have to change not only the application, but content on your server as well.  Remember, local data is never safe, but a properly maintained and secured server is a pretty tough nut to crack. 

Lastly, Google remembers us -- the end users, and recommends that these tricks be used in a way that's transparent and user friendly.  If you're an application developer interested in the integrity and piracy prevention of your app (and you should be!) be sure to check out the source link.  It gets all geeky and fuzzy and lays it all out for you.  For the rest of us, this is more of a reminder about how Goggle loves it's dev's, and we can feel good knowing that big G is doing what it can to help.

 

Reader comments

Securing your applications the right way -- the Google how-to

2 Comments

I just hope this helps developers make apps that don't have to ping a server every time they open so that paid apps can run without data connections.