
Stolen Beta Apps: How Google And Developers Should Prevent Them


One thing that separates good developers from great developers is communication with their community. One great way to reward loyal users and simultaneously improve your product is to offer beta APKs for download and feedback. Unfortunately, some well-meaning developers are being ripped off as a result.

Earlier this month we saw the developer of Iron Soldiers have his beta game stolen and uploaded to the market. That’s right: someone simply took the beta APK, signed it with their own key, and uploaded it directly to Android Market.

That’s despicable. Months of hard work compromised in a matter of minutes. Isn’t there a way to stop this? Not at the moment, but I’ve got two suggestions for Google and one for developers:

Unpublishable Package Names

Every single Android application or game has something called a “package name”: a unique dotted identifier (conventionally a reversed domain name plus the app’s name) that identifies the app. Because Android Market identifies apps and games by package name rather than by title, you could even change the title of your app in an update.

For example, the package name for Google Maps can be found at its AndroidApplications.com page: scroll to the bottom left and you’ll see it (com.google.android.apps.maps).

An APK that is only debug-signed (or shared without its release signature) is easily jacked by rogue developers: they just sign it with their own key and upload it to their Market account. But what if the real developer ALREADY signed it with their release key? You’ve still got the same problem, because the signature is just a set of files inside the archive that anyone can strip and replace, with a few key details:

  • If the beta app has never been launched on Android Market, Google has no record of it, so the first person to upload it with that package name gets “credit” for launching under that package name.
  • Once the app is stolen and published to Market, the thief can’t produce anything signed with the real developer’s key, so their listing and the genuine app can never be reconciled; plus the REAL developer will be using a new package name. But at that point the damage has been done.

After a developer has already launched their app or game on Market, the risk drops dramatically: as long as they’ve signed the app and kept the same package name, nobody else can publish it under that name, because Google will see that the package name is already owned by another account.
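Here is an added example (mine, not part of the original article, and built with nothing but Python’s standard library) that models what the paragraphs above describe. The APK payload and the signer blocks are constructed placeholders: a real APK’s META-INF/CERT.RSA holds a PKCS#7 signature over CERT.SF, and a real MANIFEST.MF wraps long lines, neither of which is reproduced here. What the model does reproduce is the layout that matters: the v1 (JAR) signature is three files under META-INF/, stripping them leaves the app intact, and a re-signed copy still passes every per-file digest check. The only thing that identifies the publisher is the signer’s certificate, so that is what a tester (or a store) has to pin.

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for an APK's payload. A real APK carries a binary
# AndroidManifest.xml, classes.dex and resources; the bytes here are placeholders.
BETA_CONTENTS = {
    "AndroidManifest.xml": b"<manifest package='com.example.beta' />",
    "classes.dex": b"dex\n035\x00 constructed placeholder bytecode",
    "res/raw/level1.bin": bytes(range(16)),
}

# Constructed stand-ins for the PKCS#7 block a real signer writes to CERT.RSA.
DEV_SIGNER = b"constructed signer block: developer release key"
THIEF_SIGNER = b"constructed signer block: somebody else's key"


def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(contents: dict) -> bytes:
    """MANIFEST.MF as a v1 signer writes it: one SHA1-Digest per payload entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in contents.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {b64_sha1(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def parse_manifest(manifest: bytes) -> dict:
    """Map entry name -> base64 SHA-1 from MANIFEST.MF (sections split by blank lines)."""
    digests = {}
    for section in manifest.decode().split("\r\n\r\n"):
        fields = dict(line.split(": ", 1) for line in section.split("\r\n") if ": " in line)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests


def sign_apk(contents: dict, signer_block: bytes) -> bytes:
    """Zip the payload plus the three v1 signature entries under META-INF/."""
    manifest = build_manifest(contents)
    cert_sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64_sha1(manifest)}\r\n\r\n".encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in contents.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", cert_sf)
        z.writestr("META-INF/CERT.RSA", signer_block)  # real signer: signature over CERT.SF
    return buf.getvalue()


def read_entries(apk: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {name: z.read(name) for name in z.namelist()}


def strip_signature(apk: bytes) -> dict:
    """Step one of a re-sign: drop META-INF/* and keep the payload untouched."""
    return {n: d for n, d in read_entries(apk).items() if not n.startswith("META-INF/")}


def resign(apk: bytes, signer_block: bytes) -> bytes:
    """What the thief did: strip the developer's signature and sign with another key."""
    return sign_apk(strip_signature(apk), signer_block)


def tamper(apk: bytes, name: str, data: bytes) -> bytes:
    """Rewrite one payload entry and leave META-INF/ as it was (no re-sign)."""
    entries = read_entries(apk)
    entries[name] = data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()


def content_digests_ok(apk: bytes) -> bool:
    """Every payload entry must match MANIFEST.MF, and nothing may be unlisted.
    Any consistently signed copy passes this, so on its own it says nothing about WHO signed."""
    entries = read_entries(apk)
    expected = parse_manifest(entries["META-INF/MANIFEST.MF"])
    payload = {n: d for n, d in entries.items() if not n.startswith("META-INF/")}
    return set(expected) == set(payload) and all(expected[n] == b64_sha1(d) for n, d in payload.items())


def signer_fingerprint(apk: bytes) -> str:
    """SHA-256 of the signer block. For a real APK hash the signer's DER certificate
    instead (keytool -printcert -jarfile app.apk prints it); the idea is the same."""
    return hashlib.sha256(read_entries(apk)["META-INF/CERT.RSA"]).hexdigest()


def is_genuine(apk: bytes, pinned_fingerprint: str) -> bool:
    """The check a tester or a store should make: intact AND from the pinned signer."""
    return content_digests_ok(apk) and signer_fingerprint(apk) == pinned_fingerprint


if __name__ == "__main__":
    dev_apk = sign_apk(BETA_CONTENTS, DEV_SIGNER)
    pinned = signer_fingerprint(dev_apk)
    stolen = resign(dev_apk, THIEF_SIGNER)
    print("payload identical after re-sign:", strip_signature(stolen) == BETA_CONTENTS)
    print("digests verify on stolen copy:  ", content_digests_ok(stolen))
    print("stolen copy passes pinned check:", is_genuine(stolen, pinned))
```

The point of the pinned check is the second and third print lines: the stolen copy is byte-for-byte the developer’s game and every digest in it verifies, so “is the APK valid?” is the wrong question; “is it signed by the key I expect?” is the one that catches the re-sign.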

But now you’ve got a new problem. If you’ve got loyal users, they’ll likely want BOTH apps installed: the real one and the beta. The beta will overwrite the official release (or, if it’s signed with a different key, refuse to install over it) UNLESS you’ve got different package names. So… someone could continually take the differently named beta and launch it on Android Market as their own, unless developers launch their betas on Android Market and password-protect them. Which, come to think of it, isn’t a bad idea.

So after this incredibly long explanation, here is one incredibly easy way Google could prevent rogue developers from stealing signed beta apps and publishing them to Market as their own: unpublishable package names. Choose a special “safe word” such as “unpubbed”, “beta” or “private”; if a package name begins with that word, Google disallows uploading the app or game to Android Market. Easy peasy.

Reserved Package Names

Perhaps an even easier option would be to allow developers to log into their accounts and set package names they’d like to use in the future. So, for example, I could notify Google that I’ve got a new app in the works with the package name “meaningoflife.phandroid.sweetness.com”. They would then tie that package name to my developer account so nobody else could upload an app with it… so my unpublished beta with package name “meaningoflife.phandroid.sweetness.com” would be useless to any hopeful thief.
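As an added illustration (mine, not the article’s or Google’s), here is how the two proposals above could be expressed as a Market-side upload check in Python: the safe-word rule from the previous section plus namespace reservations tied to a developer account (a commenter below suggests the same namespace idea). Everything here is hypothetical: MarketPolicy, the reservation cap and the messages are mine. The one detail worth copying is that ownership is compared segment by segment rather than with a string prefix, so reserving com.phandroid does not also claim com.phandroidx.

```python
import re

# The article's proposed "safe words": a package name that starts with one is unpublishable.
SAFE_WORDS = ("unpubbed", "beta", "private")
# One dot-separated segment of an Android package name (Java identifier rules, ASCII).
SEGMENT = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def split_package(name: str) -> list:
    """Validate an Android package name (at least two segments) and return its segments."""
    parts = name.split(".")
    if len(parts) < 2 or not all(SEGMENT.fullmatch(p) for p in parts):
        raise ValueError(f"not a valid package name: {name!r}")
    return parts


def in_namespace(package: str, namespace: str) -> bool:
    """True if package equals namespace or sits below it. Whole segments are compared,
    so com.phandroidx.app is NOT inside com.phandroid (a plain startswith() would say it is)."""
    pkg, ns = split_package(package), split_package(namespace)
    return pkg[: len(ns)] == ns


class MarketPolicy:
    """Hypothetical Market-side rules: safe-word block plus per-account namespace reservation."""

    def __init__(self, max_reservations: int = 5):
        self.owner = {}  # reserved namespace -> developer account
        self.max_reservations = max_reservations  # blunt answer to the squatting objection

    def reserve(self, account: str, namespace: str) -> None:
        split_package(namespace)  # same syntax rules as a package name
        if sum(1 for holder in self.owner.values() if holder == account) >= self.max_reservations:
            raise PermissionError(f"{account} has reached the reservation cap")
        for existing, holder in self.owner.items():
            if holder != account and (in_namespace(namespace, existing) or in_namespace(existing, namespace)):
                raise PermissionError(f"{namespace} overlaps {existing}, held by {holder}")
        self.owner[namespace] = account

    def check_upload(self, account: str, package: str) -> tuple:
        """Return (allowed, reason) for an upload of `package` by `account`."""
        first = split_package(package)[0]
        if first.lower() in SAFE_WORDS:
            return False, f"{package} starts with safe word {first!r}: never publishable"
        for namespace, holder in self.owner.items():
            if holder != account and in_namespace(package, namespace):
                return False, f"{package} is inside {namespace}, reserved by {holder}; notify {holder}"
        return True, "ok"


if __name__ == "__main__":
    policy = MarketPolicy()
    policy.reserve("phandroid", "meaningoflife.phandroid")
    for who, pkg in [
        ("phandroid", "meaningoflife.phandroid.sweetness.com"),
        ("thief", "meaningoflife.phandroid.sweetness.com"),
        ("thief", "meaningoflife.phandroidx.sweetness"),
        ("anyone", "private.meaningoflife.phandroid.app"),
    ]:
        print(who, pkg, policy.check_upload(who, pkg))
```

Squatting, the objection raised in the comments, is only partly addressed by the cap; a real implementation would also want proof of control (the domain-name TXT-record idea another commenter floats) before honouring a reservation.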

Hey Developers, Protect Yourself!

If you’ve already paid for a developer account, it costs you nothing to publish an app or game. Why not title your app “Private Beta: App Name”, choose a private beta package name, password-protect the app so only the testers you give the password to can get in, publish it to Android Market, and make sure every APK you share has that same package name (and is signed with the same key, so testers can update in place)?

Problem solved. Developers CAN protect themselves… but it wouldn’t hurt if Google put some measures in place to prevent the bad guys from doing idiotic things. After all, some people don’t want their apps or games to appear on Market at ALL prior to launch.

So, developers… have long nights and Cheeto-stained fingers led you to any other revelations on how you and your fellow developers can protect your hard work?

Rob Jackson
I'm an Android and Tech lover, but first and foremost I consider myself a creative thinker and entrepreneurial spirit with a passion for ideas of all sizes. I'm a sports lover who cheers for the Orange (College), Ravens (NFL), (Orioles), and Yankees (long story). I live in Baltimore and wear it on my sleeve, with an Under Armour logo. I also love traveling... where do you want to go?


19 Comments

  1. Reserved Package Names: is already possible, generate a new project and put the package name, upload the apk but not publish.

  2. I hope google does not do your second suggestion. That could very well cause issues. Imagine I’m someone that paid $25 for a dev account. I can now reserve package names. Say, if the rumors are true, and rovio is developing angry pigs. As a “dev” I can reserve all those package names, and then rovio has to pick a new package name, or buy my rights to the package from me (say, I give up my claim for a moderate fee of $100, nothing compared to what angry pigs would make, but 4x the cost of my licence). There are ways around that, but then you get to a rather convoluted process.

  3. You know how version numbers work? I believe you could publish dummy apps (that don’t do anything) with the correct package names and low version numbers, this would effectively block others, and also not auto update since the version number is older.

  4. The games were not “stolen”, theft requires loss of something. These were just unauthorized copies. I don’t make unauthorized copies of apps, but I am not going call it stealing either.

  5. Another choice would be to piggy back on the domain name registration system and require a special code entered as a TXT entry or something like that in order to publish under the package name equivalent.

  6. @Eric – nobody would pay money for a package name. Who cares if someone steals/squats a package name? For the most part its meaningless beyond just having it be a unique string of words/characters. They could cap the number of reserved package names but I don’t think anyone would be dumb enough to squat on package names because it would be worthless.

    @ALok – what if your app/game isn’t yet on Android Market and you don’t want it to appear there at all? Even as a dummy app? What if it’s release is a secret, etc…?

  7. @Rob Jackson; If you don’t want it released, a really good idea is to not release it. If you post it on the internet, then find out it ended up being copied to other locations and are surprised about it you are a moron. If you actually want your app to just be a beta, have it connect to a website you own and see if some magic file is there. If the file is removed the game just closes with a nice message “Beta is over”. Easy peasy. Sure people can get around it, but they can get around anything, deal with it and stop worrying about it.

  8. @Steve – I disagree with you on many levels. Just because you post something on the internet doesn’t mean you should expect anyone accessing the internet to have boundless ownership of it, and just because something is not physical and tangible does not mean it cannot be stolen. If I’m mistaken, perhaps you can convince the universe to stop calling it “Personal Identity Theft” and start calling it “Unauthorized Personal Identity Copying”.

  9. @Rob Jackson; No that is just fraud. See the banks call it that to make it your problem. In reality the bank just got defrauded, no different than if the conman used a totally fake name. If this unauthorized copying was stealing, then criminal theft charges could be pursued. Since they cannot it is not stealing. This is actually called copyright infringement, if you want to use big boy words. Also I never stated they would have boundless ownership, only that it is extremely naive to think anything placed on the internet will not end up being copied. Trying to stop the copying of bits is like trying to make water not wet.

  10. Steve: in this case it can be called stealing(publishing someone else’s app) because you’d take someone’s ability to publish his own app away.

  11. @thedicemaster; No, they can still publish it. There is no rule against two people selling the same app as far as I can tell. Also it still would not fall under any theft statute I am aware of.

  12. There’s actually a far better way to do this. Allow devs to register their namespace and only that account could upload a package in that namespace. For instance, phandroid would register com.phandroid.* and any package with that naming convention would be assumed to belong to phandroid. Then, if Microsoft was registered with the name com.microsoft.*, and tried to upload com.phandroid.foo as a package, Google would disallow it and notify the developer com.phandroid about the infraction. I know it sounds complex, but it would be very easy to do.

  13. @Steve – come on, man, enough with the semantics. Search for “intellectual property” and just admit that you’re making an argument for the sake of making an argument. It has no bearing on the importance of the article.

    And, yes, you should be able to publish something on the web without having it stolen. The whole “Napster” thing – and the Internet in general – is very young in the grand scheme of technology. The unregulated nature doesn’t make it right to try and profit off someone else’s intellectual property. I’m simply stating a few ways Google can protect developers and one way developers should protect themselves. Honestly… I don’t even understand what there is to argue?

  14. Darwinism – cold, hard fear of me tracking you down & applying what comes next if you’re stupid enough to believe that you’re going to get away with it.

    Violence shouldn’t be banned, it has its appropriate place in this world.

  15. I also suggest having an about box in your app with your developer name, a link to your site/blog/twitter/forum thread, your email address and, if you’re already on the market, a link to your publisher name on the market. It’s very simple and all your apps will be “signed”. Although it doesn’t prevent thieves from pirating your app, it is definitely a way to hard-code that you are the owner. It also gives users a way to verify the authenticity of an app. All this will at least frustrate thieves.

    You can also consider letting the app check an Internet link when it is launched for the first time (for example a little text file on a server somewhere, or in your public folder in Dropbox). If your app is pirated you can delete the file and let your users know that they have to update. In the update you can then refer to another link that has to be checked…. (the procedure to do this is very, very easy to write in Android) If there are requests I can publish this procedure somewhere.

  16. Forget the package names, it’s meaningless. As soon as you use that to key off of, there will be an easy tool for changing the package names of compiled code. Just forget about it!

    You have to use good ol’ fashioned copy protection methods for your beta. That includes contacting trusted sites, expiration, obfuscation, and encryption.

    I have an app on the market that uses some low level hooks to do something for a very specific piece of hardware. I don’t want others downloading my app just to figure out how I did it, and then posting the same app. So I use a ton of reflection, encrypt those method, package, and field names, then I obfuscate the shit out of it. Sure, given enough time someone could figure it out. But at least I took some measures.

    Think Heinz posts their recipe on the Internet?

  17. @Rob Jackson; I will not. Intellectual Property is practically theft by its very existence. The ownership of ideas is the anathema of civilization.

  18. For my beta, I’m signing the app with a key that is only valid for a short period of time. Two benefits – if it gets passed around, it won’t work for very long, and the APK cannot be loaded to the Market because Google requires a key that is valid for something like 20 years.

  19. @Steve – Good to know your thoughts. I’ll try to make sure our company, which produces software, among other non-physical things like scientific research, never hires anyone named Steve. We would hate to have you spread our ideas for the good of civilization while we’re trying to recoup R&D costs.
