Remember the recently discovered and detailed exploit that found a way around Google’s new and supposedly improved security measures against pirated apps? While the initial announcement of a licensing server that would authenticate an app upon launch seemed like a step in the right direction, the recent news of how easily it was broken made some uneasy. Now the Android Developer team is firing back, giving reason to believe the licensing service isn’t as bad as it seems.
At the heart of the defense is the fact that an Android developer can make the licensing process unique to each application, starting from a template provided by Google. While the default template will work, it is by no means the most secure version. Google admits that the released sample was designed to be transparent, giving developers something to build new ideas on, at the cost of lower security. Developers using the sample as-is are not getting the most out of secure authentication.
You can read more of the points made over at the original blog post (source link below), which promises that Google is doing its best to keep up with security needs and will continue to develop new methods and improve old ones to provide the most secure environment possible for developers releasing software.
[via Android Developers Blog]
I’m the developer of SystemPanel and WebSharing.
Let me just say that I think spending resources fighting piracy is lunacy, and that those resources should instead be directed toward improving the Android market experience, creating alternative payment options, and expanding the availability of the Android market into additional countries.
I have no interest in strong-arming idiots who are unwilling to pay $3 for an app to go with their $100/month cell phone contract. And I can’t exactly hold a grudge against residents of countries who have been informed that they just aren’t important enough to even be allowed to purchase our apps.
I do not understand why anyone is surprised that APK modification is being performed to work around LVL. Such has been the nature of application copy-protection attacks since their origin.
Though I would prefer to be wrong, I believe there will be an inevitable wave of malware that may mitigate this problem. I base this belief on the fact that pirated apps will be an effective transport for such malware, and there is obvious revenue potential for authoring it.
The biggest threat from piracy is in attempting to lock down the platform to prevent it. Piracy will still occur, but the legitimate users and the platform itself will lose capabilities as a result. The previous “forward locking” copy protection mechanism is an example of this, given that it relies on users not having control over devices they own in order for it to operate correctly.
@tliebeck – These are all great points… as a developer, I think Google’s number one priority needs to be to open up the paid market to all countries – that is what is fueling piracy more than anything right now.
I also strongly agree with you that it will not be too long before some shady developers will start injecting malware into pirated .apks and deploying them on the pirate sites. It will deter the smarter users from pirating once this happens, but just like the internet there are more idiots every day getting smart phones. Unfortunately, there will be huge stories about how insecure Android is and there will be a big “virus” scare. What’s the over/under on this happening in the next 6 months?
@tliebeck – also, I am a big fan of both your apps. That is some excellent work!
@tliebeck: I absolutely love SystemPanel (was one of the first apps I bought and installed on my phone). VERY well said. You were already a highly respected developer and your response just gained you even more respect!
I agree completely with what you said.