AppsNews

Google Introduces Licensing Service for Paid Android Applications

47

Provided you can locate an APK file outside of the Android Market, it really isn’t all that hard to install illegally obtained copies of paid apps onto your Android phone at no expense to yourself (unless you use an AT&T Android phone, har har har). Seeing the potential trouble this could cause for hard working developers hoping to turn a buck off the legitimate sale of their software, Google is introducing a new licensing service for apps purchased through the Android Market to make it harder to use pirated wares.

license

The new service works by querying a Google server at launch of an application to check purchase records and make sure the person using the app actually paid for it. The hope is that the new system will provide better protection from unauthorized use of applications than the current copy-protection methods in the market. The new system will become standard over the coming months. You can read more about it at the Android Developers Blog.

Kevin Krause
Pretty soon you'll know a lot about Kevin because his biography will actually be filled in!

Kyocera Zio Launching as First Android Phone for Cricket Next Month

Previous article

Droid X Gets a Taste of Android 2.2?

Next article

You may also like

47 Comments

  1. This is a great idea.

  2. I think it is a good move, but at the same time, paid apps should come to more countries. Come on Google !

  3. This sounds like a good idea, only problem I can see would be if you don’t have network access and cannot query the Google server.

  4. What if I want to use an app without an internet connection (airplane, remote car trip, etc)??? As long as there is room for some amount of ‘disconnected’ time, I’m good with the change.

  5. @Craig-agreed, first thing I thought of as well. Now apps only open if you have network access to a google managed server? What if you want to launch an app while camping and have no service? Of if you have ATT and you are in a metropolitan area and still dont have service, har har har.

    my name is Craig too, and we think a like…strange….

  6. Right. Because who doesn’t love DRM? I’m sure their authentication server will have 100% uptime.

  7. Hmmm… reading the official blog post it sounds like the implementation and subsequent app lockdown are left up to the developer.

    Not the best solution, but I guess it works.

  8. You can buy some apps anywhere through the SlideME app.

  9. To those of you who have asked about offline access: Developers can tell the licensing library to cache the license response for a period of time. (This is actually the default behavior.)

    — Trevor Johns
    Google Developer Programs, Android

  10. @Andy

    It will ask for permission only one time (during install i think), not every time !

  11. @Craig According to the developer site, there are two methods for implementing this: 1) the developer could require that the licensing server be pinged every time the app launches or 2) ping it once and then cache the response from the server. Also, in the developer docs, the airplane example is mentioned when talking about the cached way of doing things.

  12. @513: That’d be a nice idea!

  13. Great so now Google will collect and store detailed info on how many times you used which app and when. They do some of that with admob but usually those apps are free, with paid equivalents that have no ads.

    Now they want to track detailed usage of the apps that don’t use ads. I will definitely avoid paying for apps that use this scheme.

  14. The Android docs suggest local storage for times without connection. It is safe to assume that the device will be connected to the Internet when downloading/installing the application (legally).

    In true Android fashion, it is totally up to the developer when to check for the license, what actions to take, and whether it will be implemented at all.

    As a developer (Finer Mobile), I applaud Google’s response to this serious issue in the Android Market. This will solve most of the piracy issues, restoring confidence in the ecosystem.

  15. And what about us that do not have access to paid apps in the market???

  16. Not necessarily safe to assume I’ll be connected at install time… while I was on an airplane I wanted to watch an AVI file and I discovered my RockPlayer had expired, so I used Titanium Backup to reinstall a backup of yxplayer. If this had required online licensing I’d have been screwed.

  17. They better enable paid apps in other countries first. They’re sabotaging their own sales!! I don’t like to pirate software and I totally don’t understand why I can’t pay the developers money they deserve even though I really, REALLY want to. The only apps I could buy were those when I had a rooted phone and market enabler, now as I upgraded my phone I can’t purchase apps anymore and yes, when I really want an app I try to find a pirated apk.
    By the way, if I can use a simple app like MarketEnabler on a rooted phone to purchase apps, what’s so difficult about enabling them the official way?

  18. @Charles…maybe I’m misunderstanding but this seems to be tied to your purchase and not the actual install. I’m assuming that if you say backup and remove an app that you purchased and that takes advantage of this new API that when you restore it you will be authenticated and able to use it.

    To the guy complaining about them tracking your app usage give it a rest already. The whole big brother thing is about what they can do with the information….not simply the idea of capturing it. What are they going to do with knowing you opened an app 10 times a day other than serve you ads based on it. Oh how scary…..

  19. Can buy app in Canada but can’t sell apps in Canada!

  20. This is great news.

    BUT

    Why oh why Google won’t you bring paid apps to every country, especially scandinavia? I mean wth, srsly? I want to give YOU money for apps I want. Make it possible and I’ll be one happy android camper.

  21. This is a great idea. Now if google do something about the same person posting in the comment section about free paid app website. If your one ov them i mark you as spam all the time. Pay the developer what is right. Google needs to learn open is good but im against people screwing over the developer alot ov them give u a lite verison if you want more the pay.

  22. Charles, if it expired because it was a trial period and you reinstalled it to do the trial period again, that’s the piracy they’re trying to prevent… Unless you actually paid for the app and it said it expired, but I’m sure that’s not the case.

  23. This reminds me of xbox live. Like not being able to use certain things i bought unless im connected. I donno i just don’t want android to be all controlling of everything.

  24. lol @ #1 – this will fail and be worked around easily.

    #3 is correct – not all phones will have web access when an app is run.

    especially when people get a new phone and install tons of apps at once – they might use them later when there is no web access.

    it’ll also be easily circumvented via proxy = won’t stop anyone, but will piss off some people if it goes bad.

  25. Too bad Google didn’t release this about 9 months ago! It took us about 3 weeks to get our anti-piracy and validation schemes going between our server on our apps. We did overbuild the thing and give ourselves control to change the timeout, # runs, etc. all from the server side with defaults built into the .apk and set it up over 256bit encryption.

  26. The problem with Scandinavia is that google has some legal issues to deal with. Apparently, Google needs a physical support center in your country in order to deal with market related issues.

  27. “ServerManagedPolicy is a flexible Policy that uses settings provided by the licensing server to manage response caching and access to the application while the device is offline (such as when the user is on on an airplane). For most applications, the use of ServerManagedPolicy is highly recommended. “

  28. I guess the solution is for app developers to just work for free. They can just live in the cloud, off of air and water vapor. Of course if they can’t get paid at all, there are a million other things they can do with their time than listen to whiny users who just want everything for free.

  29. @Matt
    You can’t assume it can be “easily” circumvented via proxy. A good authentication scheme (and I like to give Google the benefit of the doubt here) would be encrypted and a fake server wouldn’t be able to reproduce the correct response since it has no idea what content is being passed through the secured connection.

    That being said, I do believe nothing is safe from would-be hackers who want to steal software. The more likely circumvention IMO would involve modifying the apk itself to bypass the authentication check altogether. Still, I applaud Google for trying to make it a little more difficult. :)

  30. If this scheme doesn’t work, devs won’t use it. They have to choose to use it.

  31. I would assume that a hack similar to the WGA validation hacks of yore would work here. By redirecting all of the authentication challenges to a central hack server or to a service running locally on the device which just return positives no matter what the challenge, you could, theoretically, enable all the apps. The hardest part, as Carmex alluded to, is the reverse engineering of the communication protocol and command structure. Still, what I think this serves to do is to at least limit the piracy to a smaller group of tinkerers who have a much higher skill set than the average Android user. This should curb piracy by a huge amount until, as it always happens, whatever hack tools that are created are packaged into a simple to use one click GUI solution. At which point, Google will probably introduce a new protection scheme furthering the game of cat and mouse.

  32. I see this as a PR to developers: This is not like your typical linux, we actually care about commercial developers and want you to make money.

  33. I like it. They are basically providing an easy way for developers to protect their products against pirating but it’s up to each individual developer to freely choose if and how they use it.

  34. @Matt, @Nikesh – Do you guys want to try to take a stab at breaking our antipiracy protection scheme running in some of our apps? Here are a few hints before you take it on. It is 256bit encrypted, does NOT return just a yea or nea, and the byte code translation between the Java and PHP interop is enough to add a fair amount of security through obscurity icing on the cake goodness. ;) Someone good enough to even do this has to ask themself, is it really worth all of the time just to enable the theft of a 99 cent app? What kind of glory are they really getting? hahaha

  35. I support this change, if it’s done right and the default cache time is something decent.

    This will stop the casual pirate, and that’s it’s goal. No DRM measure will truly stomp out piracy, just lower it if properly designed.

    This places some app control (who runs the paid version) back where it belongs, in the hands of the developer.

  36. Only problem is sometimes I get stuck at “authorizing purchase” on purchased apps and am forced to find the apk to get it. They should at least fix this problem first I hope. PSX4Droid for example was the last one that I tryed to buy and this happened. Had to get it else where. I was willing to pay for it though.

  37. I encourage this. I’m not a dev but this will make the more skilled devs more confident in developing quality apps for Android.

  38. I googled a pirated version of my app a few days after I released it, with the forum moderator giving a “good job” approval to the uploader. At first, I was pissed off, but a few seconds later I let it go. If a few people wanna steal my app, then fine. They don’t get automatic updates, and they weren’t gonna pay for it anyway. I don’t think I’ll be using this protection scheme, at least not for simple apps.

  39. Verifying at every single launch of the application is pointless, ridiculous, and a waste of bandwidth. The only time there should ever need to be any kind of verification is at the point at which the application is initially installed, or upgraded, or simply the first run of the application after those events. The bandwidth cap opponents will have a field day with apps that generate data traffic at every single launch, just for license verification.

  40. It may be silly for simple apps but if we want more game developers like gameloft and EA to come to Android, Google has to be there for them.

  41. The app should be digitally signed to the gmail account you use on the phone that way it would work whether or not you have network access…

    In other words – this isn’t a grate idea.

  42. Reduced piracy might help devs to make a buck from their apps motivating them to invest more time in app development and maintenance and we could see a proliferation of quality, maintained, apps, so I welcome the service.
    However much more than from this service I would see a positive impact on increasing app sales coming from making payed apps available in more countries.

    What I’d like to be sure is that with this service we are not introducing another point of failure for apps, ***I do not like the assumption that my phone will be almost always connected***, I’m very often abroad and data roaming is not a viable option in Europe. The license cache needs to be very tolerant on offline period and I hope that devs will realize this when setting their caching time limits.

    For example if I pay for a navigation app I want to be sure that it won’t happen that some license cache expires at the end of my holiday when I’m supposed to drive back 1200 KM across 6 countries.

  43. Any DRM is bad in my opinion. I feel like I own an iphone now. Leaves so many questions.

    How does this effect SD card apps?

    What about people who can’t purchase in some countries? As I have friends in countries who can’t get Root Explorer the legal way. So now if the rom they can’t change anything?

    What keeps someone from just flat out stealing the code for your app and making their own without the DRM feature and making their own app not found in the market?

    What happens when I have no service?

    What about my data charges?

    Can I still modify apps? Like change the icon and repack it?

    The list goes on, etc…

    I feel for developers but the net has shown that piracy it not something that can be stopped and I feel it never will.

    I tell you now. The first time I get a hiccup, with any app due to this, I delete it and never use it again. will also go to every site that has it listed and give it a bad review.

    I WILL not sacrifice freedom for security!

  44. You guys seem to be forgetting you simply can’t start selling apps in every country in the world. There tons of national/international, import laws, etc. It’s simply not that simple as flipping a switch and saying “here you go world, download away”. Apple has the same issue with apps being nationally exclusive.

    @Frank:
    While I get your point, a navigation app is a poor example as they all use remote servers to download maps and even do the route calculations. They are completely useless without a data connection. If that’s a concern you need a more traditional GPS device (garmin/tomtom) that uses local storage for maps.

  45. @G11:
    Nope, “they all use remote servers” is not correct, for example:

    Copilot offers full offline navigation (you just won’t get the “Live services”), the maps are downloaded once (is done manually from the Copilot interface) and then stay on the SD, when you are connected you can choose to update them.

    Same goes for NDrive and for NavDroyd although I still did not test those two.

    I do not see a technical reason why full offline nav should not be available on a smartphone, Tomtom was offering a full fledged nav app for the early Symbian phones S60 ~5 years ago, so the HW requirements are fully met. Of course online integrated services add a convenient layer of niceness but I want navigation to work even when I have no connection at all.

    Outside the Android world offline navigation exists, among others is offered by Nokia with the Ovi Maps app and it works nicely.

    Regarding the paid apps support I suppose indeed the different legal systems make it a nightmare, yet I believe that the Apple appstore and the Ovi one support more country than currently Android does.

  46. @43. concerned:

    “I tell you now. The first time I get a hiccup, with any app due to this, I delete it and never use it again. will also go to every site that has it listed and give it a bad review.”

    Childish.

  47. Not great for a paid up user. One of my paid apps (which I’ve been using 4 months) invoked Google License Check today and failed repeatedly (with Internet access). App wouldn’t start, I couldn’t get at my data. Un-installed app, will never buy from this dev again and will be much more cautious about entrusting any important data to any other Google Android apps in case they retrospectively decide not to work. YMMV.

Leave a reply

Your email address will not be published. Required fields are marked *

More in Apps