Stolen Beta Apps: How Google And Developers Should Prevent Them

One thing that separates good developers from great developers is communication with their community. One great way to reward loyal users and simultaneously improve your product is by offering beta APKs for download and feedback. Unfortunately, some well-meaning developers are being ripped off as a result.

Earlier this month we saw the developer of Iron Soldiers have his beta game stolen and uploaded to the market. That’s right: someone just took the beta APK, signed it with their own info, and uploaded it directly to Android Market.

That’s despicable. Months of hard work compromised in a matter of minutes. Isn’t there a way to stop this? Not at the moment, but I’ve got two suggestions for Google and one for developers:

Unpublishable Package Names

Every single Android application or game has something called a “package name”. It’s a unique string of characters that identifies an app. Because Android Market identifies apps and games by package name rather than by title, you could even easily change the title of your app in an update.

For example, the package name for Google Maps can be found at its AndroidApplications.com page: scroll to the bottom left and you’ll see it (com.google.android.apps.maps).

Unsigned APKs can be easily jacked by rogue developers: they just have to sign the APK themselves and upload it to their own market account. But what if the real developer has ALREADY signed it? You’ve still got the same problem, with a few key details:

After a developer has already launched their app or game on the market, the risk goes down dramatically: as long as they’ve signed the app and give it the same package name, nobody can steal it and publish to market themselves because Google will identify that this package name is already owned.

But now you’ve got a new problem. If you’ve got loyal users they’ll likely want BOTH apps installed: the real one and the beta. The beta will overwrite the official release UNLESS you’ve got different package names. So… someone could continually take the differently named beta and launch it on Android Market as their own, unless developers are launching betas on Android Market and password protecting them. Which, come to think of it, isn’t a bad idea.

So after this incredibly long explanation, this is one incredibly easy way Google could prevent rogue developers from stealing signed beta apps and publishing to market as their own: unpublishable package names. Choose a special “safe word” such as “unpubbed” or “beta” or “private” and if the package name begins with that chosen word, Google will disallow upload of the app or game to Android Market. Easy peasy.

Reserved Package Names

Perhaps an even easier option would be to allow developers to log into their accounts and set package names that they’d like to use in the future. So for example, I could notify Google I’ve got this new app I’m working on and the package name is “meaningoflife.phandroid.sweetness.com”. They would then tie this package name to my developer account so nobody else could upload an app with that package name… so my unpublished beta with package name “meaningoflife.phandroid.sweetness.com” would be useless to any hopeful thief.
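To make the two proposals above concrete, here is an added example (not Google’s code and not from this post) that models a market upload gate in Python: it enforces the “unpublishable prefix” rule, the “reserved package name” rule, the existing “package name already owned” rule, and Android’s own requirement that updates carry the same signing certificate as the first release. The registry class, account names and certificate bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# "Safe words" from the first proposal: a package name starting with one of
# these can never be published to the market (constructed list).
UNPUBLISHABLE_PREFIXES = ("unpubbed.", "beta.", "private.")


@dataclass
class MarketRegistry:
    """Constructed model of a market's package-name ledger."""
    # package name -> (owning account, SHA-256 fingerprint of signing cert)
    published: dict = field(default_factory=dict)
    # package name -> account that reserved it before publishing
    reserved: dict = field(default_factory=dict)

    def owner_of(self, package):
        """Account that currently controls a package name, or None."""
        if package in self.published:
            return self.published[package][0]
        return self.reserved.get(package)

    def reserve(self, package, account):
        """Second proposal: tie a future package name to a developer account."""
        owner = self.owner_of(package)
        if owner is not None and owner != account:
            return False
        self.reserved[package] = account
        return True

    def upload(self, package, account, signing_cert):
        """Decide whether an APK upload is accepted; returns a reason string."""
        fingerprint = hashlib.sha256(signing_cert).hexdigest()
        if package.startswith(UNPUBLISHABLE_PREFIXES):
            return "rejected: unpublishable package prefix"
        owner = self.owner_of(package)
        if owner is not None and owner != account:
            return "rejected: package name belongs to another account"
        if package in self.published and self.published[package][1] != fingerprint:
            # Android's existing rule: updates must use the original signing key.
            return "rejected: update not signed with original key"
        self.published[package] = (account, fingerprint)
        return "accepted"
```

Without a reservation or a reserved prefix, a thief uploading a re-signed beta under a fresh package name is still accepted, which is exactly the gap the post describes.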

Hey Developers, Protect Yourself!

If you’ve already paid for a developer account, it costs you nothing to publish an app or game. Why not title your app “Private Beta: App Name”, choose a private beta package name, password protect your app so only those who you give the password to can test it out, publish to Android Market, and make sure every APK you share has that same package name?

Problem solved. Developers CAN protect themselves… but it wouldn’t hurt if Google put some measures into place to prevent the bad guys from doing idiotic things. After all, some people don’t want their apps or games to appear on market at ALL prior to launch.

So, developers… have long nights and cheetoh-stained fingers led you to any other revelations on how you, and fellow developers, can protect your hard work?
