Long story:
My clients want to let a third-party company test my App.
Because I have never heard about this company before, I want to make my App not copyable/data-accessible, in case they try to copy my program or do strange stuff.
In a few words, I give them a smartphone with the App already installed and usable, but that's it, they can't do anything more than test it normally like a casual user. Or a way to ask them for a password if they try to access sensitive data.
Is there a way to do it?
Short story: I need to make my App not copyable and its data inaccessible from others.
I hope my explanation was exhaustive :)
Thank you all!
A determined hacker will defeat any sort of copy protection you put in place. But what you can do is put enough barriers in place to make their return on investment not worth the time and effort.
Without investing too heavily in security components or investing in a trusted security platform, here are some dirt-simple things you can do in a special one-off build of your app.
Tie this particular build of your app to something specific to the phone you are sharing with them. If the phone's serial number doesn't match, it doesn't work. See this on getting a serial number of an Android device.
If there are data files beyond the program's compiled code that you are trying to protect that are plaintext or not in a custom binary format, simply encrypt them. Decrypt at runtime. Perhaps the password/key is based on the serial number of the device or other nonce unique to the phone. That way, they can't copy data and program to another phone and have it work.
Put a timebomb in place. That is, after a specific date, the app just doesn't work.
On startup, your app accesses a website and downloads a URL. Based on the contents of the URL, the app shuts off.
All of these mechanisms can be defeated by someone that really wants to copy your app or get at your files. But it's sufficient to ward off the casual hacker and to buy time while your app is relevant.
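The device-bound encryption and the expiry date from this answer, as an added example that is not code from the original post. It is plain Java SE; the class name, salt, expiry date and device identifiers are constructed for illustration, and the app is assumed to read its own serial number and pass it in as a string.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.LocalDate;
import java.util.Arrays;

public final class DeviceBoundStore {
    // Constructed values baked into the one-off build (assumptions, not from the page).
    private static final byte[] BUILD_SALT = "tester-build-01".getBytes(StandardCharsets.UTF_8);
    private static final LocalDate EXPIRES = LocalDate.of(2030, 1, 31);
    private static final int IV_LEN = 12, TAG_BITS = 128;

    /** Derive an AES-256 key from the device identifier (serial number or similar). */
    static SecretKeySpec keyFor(String deviceId) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(deviceId.toCharArray(), BUILD_SALT, 100_000, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Done once at build time for the target phone. Output layout: IV || ciphertext+tag. */
    static byte[] encrypt(String deviceId, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFor(deviceId), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    /** Done at runtime. Fails after the expiry date, or when the device id differs. */
    static byte[] decrypt(String deviceId, byte[] blob, LocalDate today)
            throws GeneralSecurityException {
        if (today.isAfter(EXPIRES)) {
            throw new GeneralSecurityException("build expired");
        }
        if (blob.length < IV_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("truncated data file");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keyFor(deviceId),
                new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        // A wrong key (another phone) or an edited file fails the GCM tag check here.
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data and device ids.
        byte[] blob = encrypt("SERIAL-A1B2C3", "level data".getBytes(StandardCharsets.UTF_8));
        LocalDate today = LocalDate.of(2029, 6, 1); // the app would use LocalDate.now()
        System.out.println(new String(decrypt("SERIAL-A1B2C3", blob, today),
                StandardCharsets.UTF_8));
        try {
            decrypt("SERIAL-OTHER", blob, today);
        } catch (GeneralSecurityException e) {
            System.out.println("other device rejected: " + e.getClass().getSimpleName());
        }
        try {
            decrypt("SERIAL-A1B2C3", blob, EXPIRES.plusDays(1));
        } catch (GeneralSecurityException e) {
            System.out.println("after expiry: " + e.getMessage());
        }
    }
}
```

The key is derived from values that anyone with the phone and the APK can also obtain, and the date comes from the device clock, so this stops a straight copy to another phone rather than someone who reads the code.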
Use licensing options provided by Play Store and Tools like Proguard can make it difficult
You can try StarForce Android Protection that prevents hacking and copying. They offer a month for free. It can be enough for testing. Or just ask for prolongation of trial period if you need.
Related
I need to increase the security of my android app. Actually my android app. will not be for Google play Store (which provides some licensing options to protect your app.) it will be used for some local companies that used the same app (Desktop app). However, I want to support two versions for my app. which are:
Demo version: for testing aims (after the given period ends, the app will stop!)
Actual version: this is if the user wants to pay for the app.
What I need:
To increase the security of my app. from installing it another time or on another device for the same user!
For my code I used ProGuard, which is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging, because there are many reverse-engineering applications that are used for unpacking the compiled code and viewing the source code (actually I tried some of them and it's really amazing to restore the source code from an .apk!).
I think to use the MAC address of each device the app is installed on and then store it in an internal database and generate a number from it (somehow), then ask the user to enter it (I am the one who knows this number and provides it); if it is true, the app runs, else not. But it's just an idea; I do not know how this can happen or even where I can start or even if that will help!
I tried also SharedPreferences But this does not help!
Actually I do not need for external database on server to read the username or the password for eligible users for app. I need to do that by my app. itself!
In sum please,
How can I protect my app from installing many times for same user or continuing using after testing period ends, etc. (I mean make it more secure)!
any ideas, any suggestions, any useful examples or sites are also desirable.
Sorry for this long question,
I'm experimenting with Android and I want to know if the following is possible: can I modify/patch an installed APP using another APP?
I know it's possible with root access, but I was wondering about non-rooted phones.
The only solution that comes to mind is the following:
-Create copy of original APK from data/app/ folder
-Patch/rebuild it
-Launch installation of the patched APK
The user would need to confirm the installation, but in theory it would work, right? Any other techniques that I haven't thought of?
In case you're wondering, I'm interested in injecting different strings and other resources into existing apps to provide translations or other modifications (ex: cheats in games), without changing the source of original apps.
You are right, you can do this on a device. Smali/Baksmali can be used on Android, also the apktool should be callable (I have only tried smali).
A year ago or so I have tried to use smali on a device and autopatch the source output. There was some information on the net (which I'm currently unable to find, sorry) but it was very limited, at least someone showed how to use smali/baksmali correctly. I have abandoned this approach because I'm not that good at java and the resources on a phone are rather limited.
Another approach I thought of was to offload the actual work to a server somewhere in the net. But this has its very own problem as you need to transfer the files, you may need the framework.apks, and so on.
This is interesting but hard stuff, you need to decode/parse/patch/rebuild apks and this has to be reliable. When you fail, the worst thing is that the user's phone is broken (I wanted to modify critical system apks, bad idea ;)).
Better if the reinstall is seamless and for that you need: INSTALL_PACKAGES permission.
Now, INSTALL_PACKAGES android:protectionLevel is "signatureOrSystem" which means the app needs to be signed with the same certificate that was used to sign the system image.
Now to sign one's app with the same certificate as the one used to sign the system image might seem like a difficult if not impossible task, since vendors may not be too willing to let others use their certificate. Then again, some might want your app included in their system image. In any case it doesn't matter per se, since it's Android and Android has a ROM market.
Android ROMS are more and more synonymous with the general 'workings' or 'features' of Android. It is something that Android users come to expect. There are ROM manager apps available on the Android market that will list and install ROMs etc..
So in essence, for an app to gain the INSTALL_PACKAGES permission one can make their own ROM, OR work with the people who make ROMs and either have the app included with the ROM or use the certificate used to sign the ROM's system image to sign the app.
Again it is entirely possible that a vendor include the app in their "firmware" (system image). You would have to approach them.
:)
If both are your apps, use a content provider to share data between apps. And if the other app is from another developer then you simply can't modify the app.
I've just released an app, a paid app, 4 days later a user told me there's another web site in China hosts my app. I downloaded it from there, and it does run fine on my device!
There are posts here saying people can change the package name and republish an apk. But this is not my case, the cracked version still uses the same package name. I used Android Vending Licensing in the program, but the cracked version does not do licensing check at all. I used ProGuard to obfuscate it, but that doesn't discourage the hackers.
Question #1: I signed the apk file according to Google's instructions. But still, they modified the code and took out the licensing check part. Am I wrong that signing an apk file is designed to keep people from tampering with the file content?
Question #2: For Win32 .exe programs, I used to use a checksum to determine if the file has been altered. This is how it works: When a .exe is created, I used a tool to calculate the sum of byte contents of the file, then stuff it into somewhere in the file, for example, 4 bytes after a text pattern "MY SIGNATURE". Then at run time, the program opens the .exe file and calculates the byte sum, compares it with the integer after the signature.
Has anybody tried this approach on apk files? Care to share your experiences?
Ultimately the built in protection of apps in Android is very poor. Here are your best practices.
1) Yes, Google's recommendation to use code obfuscation, signed code, and their license verification server is designed to prevent software theft. Their implementation however is highly flawed. The only requirement that an APK has to run is that it be signed. It doesn't matter who signed it though. There are no checks that your signature is the one it's signed with. So to crack it you just remove the license check and re-sign with whatever cert you want. Then a user can load it on their phone with "allow non market apps" checked.
Don't use Google licensing as is. Modify the code heavily. Add some new parameters to use when generating the keys. Move the code around / re-architect it. Don't include the Google licensing library as a library project. Put it directly in your code. Make the code as spindly and kludgy as possible. Add functions that do nothing, but modify the values on the fly. Make other functions later that convert them back. Spread license verification throughout your entire code base.
If you don't do those steps then the code can be cracked automatically. By doing those steps at least the cracker needs to take the time to hand crack it. That would probably only take a few hours at most. But a few hours is much much more time than instantly cracking the standard Google licensing layer. There are cracker tools that will actually just auto-download newly released android packages and, if they use the standard android licensing, crack them and upload the cracked APKs to these types of web sites. By making your implementation not the vanilla implementation you make things much harder, with only a few hours effort on your end.
2) This is a common anti-crack technique. You can do this on Android if you want. But it can be cracked in about 5 minutes. If you Google there are tutorials on how to crack this specific technique. Basically you just look for the CRC call in the code and remove the check after the CRC comes back.
Android has no inherent security. You can root any phone and download the APK. You can easily hack an APK to enable debugging and simply step the code to see any keys you have stored in the code. So in the end I wouldn't spend too much time on this. It's impossible to secure an Android App. I would just do the common sense stuff in the list above and move on.
3) If you're really paranoid you can implement your own licensing on your own licensing server. This is the approach I took, but not as much for protecting the app for theft, as it was to give me a mechanism to sell apps directly from my website so users that don't have Google Play could still purchase my apps.
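The check that point 1) says is missing, that the APK is signed with the developer's own certificate rather than with any certificate, can be made by the app itself. This is an added example, not code from the original answer: the class and method names are hypothetical, and the expected certificate digest is supplied by the caller.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example (hypothetical class): compare the installed APK's signer with the expected one. */
public final class SignerCheck {

    /**
     * @param expectedSha256 SHA-256 of the developer's release certificate (DER bytes),
     *                       supplied by the caller.
     * @return true only if the app is signed by exactly one certificate and it matches.
     */
    public static boolean signedByExpectedCert(Context context, byte[] expectedSha256) {
        try {
            Signature[] signers = currentSigners(context);
            // Fail closed: missing signer info or more than one signer counts as tampering.
            if (signers == null || signers.length != 1) {
                return false;
            }
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(signers[0].toByteArray());
            return MessageDigest.isEqual(actual, expectedSha256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Returns the certificates that signed the APK currently installed under our package name. */
    @SuppressWarnings("deprecation")
    private static Signature[] currentSigners(Context context)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = context.getPackageManager();
        String pkg = context.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // API 28+: signingInfo replaces the deprecated signatures field.
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return info.signingInfo == null ? null : info.signingInfo.getApkContentsSigners();
        }
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }
}
```

A repackaged and re-signed copy fails this check, but as with the checksum in 2), someone editing the bytecode can remove the call, so it only adds to the work of cracking by hand.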
Passive/Aggressive Scuttling
I agree with #metalideath that obfuscating and kludging the licensing code is not foolproof.
Here is an easily hidden technique I call 'scuttling' that works for apps deployed to Google AND Amazon. Scuttling is front-end piracy detection by the app. What to do once detected is in the purview of the app creator.
Aggressive Scuttling: Eg. Termination and/or alarms on pirated app. Network communication not necessarily required.
Passive Scuttling: No app modification. Eg. enable tracking.
Passive/Aggressive Scuttling: subtle app modification. Eg. silently disable key features. Lead pirate into thinking they bungled, and into unpublishing the pirated app.
If your app was renamed and/or installed from any source other than Google or Amazon, scuttle() returns true.
// Don't just copy/paste this code - that is what automated crackers look for - kludge it!
// No network communication is required at runtime.
// myPackageName should decode at runtime to "com.yourpackagename"
// google should decode at runtime to "com.android.vending";
// amazon should decode at runtime to "com.amazon.venezia";
// Needs: import android.content.Context;
public boolean scuttle(Context context, String myPackageName, String google, String amazon)
{
    // Scallywags renamed your app?
    if (context.getPackageName().compareTo(myPackageName) != 0)
        return true; // BOOM!

    // Rogues relocated your app? (null means no installer recorded, e.g. sideloaded)
    String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
    if (installer == null)
        return true; // BOOM!

    // Installed by something other than the two expected stores?
    if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
        return true; // BOOM!

    return false;
}
RESULTS
The following screenshot was taken from google analytics showing a pirated tracked free app from playstore (com.android.vending) that was redeployed with aggressive scuttling (non-playstore installs detected and terminated). Non-playstore (not-set) tracking drops. Tracking was not required, but enabled for these measurements.
DISCUSSION
Note service signing plays a role in scuttling: The package manager enforces unique package names with unique signatures.
This presents the question of what to do when the app is scuttled (pirate detected by the app). Piracy is a form of viralization (uncontrolled distribution) of your app. It is already detectable by enabling the analytics tracking back-end. Scuttling allows the app creator to customize a front-end response with or without tracking.
Aggressive scuttling is obviously detectable by pirates (BOOM!). This encourages further cracking. Passive scuttling is far less obvious, but may involve tracking.
Piracy may not be preventable but it is predictable, detectable, and trackable.
Tracking can present insurmountable problems to pirates, but also presents its own ethical issues.
Passive/aggressive scuttling requiring no network communication as outlined above is perhaps the best solution. It is easily hidden (unlike licensing) and can be tailored to be as unobvious as possible.
The best thing to do is not worry about it. The people pirating it in China are not your customers, and never will be. If there was no pirate version available they still wouldn't pay you for a copy, in all probability. Besides which if your app becomes popular it will be cloned anyway, just like iOS apps are. The security systems you have already implemented are all that you need as they prevent most users from pirating the app.
Trying to make your app piracy proof will just harm the code base and make it harder to maintain, as well as potentially introducing problems for your genuine paying customers. Instead focus on promoting your app and making it easy for customers to pay for and use. By being responsive to feature requests and bug reports you add value that people are willing to pay for, rather than seeking out some dodgy cracked copy from a Chinese web site that is probably a trojan anyway.
Finally, report the pirate copies to anti-virus vendors. Supply copies of the APK. They will add signatures to their databases so that it gets flagged up as potentially dangerous.
My understanding from reviewing the Google market terms is that you cannot sell your app directly from your own site as it violates the Google app market terms. I think that implementing custom protections in your code is the best way to go. Standard methods just are not effective since code can be easily disassembled.
Is there any reason to forward lock a free app? If the user copies the app from the phone, is it protected in any way from decompilation, etc?
By "forward lock" I'm assuming you mean "prevent a user from forwarding the app to another person", and by "free" I'm assuming you mean "available for zero money". If that is the case, then yes, there are reasons to do so. First and foremost, this will ensure that the app is only available from a single source and that users don't have to worry about whether the app is genuine or a tampered version. It is not unheard of for someone to take a freely available app, add their own ads or malicious code, and re-distribute the app as if it was the original version. Unsuspecting users end up running adware/malware without knowing it. This also (unfairly) gives the original app a bad reputation. Therefore, many free apps prevent forwarding/copying for the sole reason of ensuring authenticity.
Also, just because an app does not cost anything doesn't mean that there aren't trademarked/copyrighted materials (or other types of protected intellectual property) inside it that aren't legally copy-able. Being able to easily copy or dis-assemble the app could open the creator to legal issues (especially if they licensed some of their content from a third party), so a free app isn't necessarily able to be taken apart. That being said, binary code is always viewable in a hex editor, and anything can be dis-assembled if you have the time and patience...
No, because the implementation that the Android Market offers is multiply broken:
It does not stop piracy, as people with rooted phones can still go in and grab the APKs, as they do all the time (and, AFAIK, it does nothing to stop decompilation)
Using Android Market copy protection has a tendency to keep your app out of the Market on occasion, such as when new devices are being rolled out
If you want copy protection, that's your call, but use something other than the one supplied by the Android Market.
While consumers bypassing the marketplace and copying a free app will obviously not directly affect profits, keeping track of the number of people using your app can be very important in terms of building the reputation both of the app itself and of your company / you as an indie developer.
If your app communicates with a server or central database as part of its natural functionality, then usage tracking can be implemented through that channel. But if not, then download information on the marketplace is the next best way to get a rough estimate of its popularity.
As for security, I'm not aware of any way forward locking directly makes your app more secure, preventing illicit copying could certainly serve to discourage untoward manipulation of the package files.
No, but it isn't particularly protected either way - it's possible to copy all the data off most android phones regardless of what the application developer would prefer, and once you have the bytes you can disassemble to your heart's content. (Whether any of that is likely to happen to your particular application is an entirely different question).
There are other reasons to lock it - more accurate counting of userbase, etc. - but they're generally not worth the impact to the overall user experience. If your app phones home occasionally to count installed handsets, that's a much better plan than trying to enforce some way to trust the Marketplace count.
There's no way to protect anything from decompilation. Except if there's no platform that can run it.
But you can make it harder, with obfuscation and stuff.
But for a free app it is probably not worth the effort.
I was wondering what the most effective way of preventing people from stealing my application (downloading a copy of the .apk online rather than buying it).
I've spent a lot of time on one in particular (Droidbox) and won't be releasing Sync until I can guarantee that the people who are providing illegal copies of the pro version aren't able to.
Anyone implemented this? I've tried checking my package signature versus the signature of an unsigned copy but it appears to be the same - perhaps I'm doing something incorrectly here. I'm unsure whether people actually distribute the signed .apk in which case I don't think signature validation would work to begin with...
Please note, this question is specific to Android Marketplace Applications - the difference being, application delivery is out of my hands and I have no way of linking between a legitimate purchase and an illegal download.
Now there is the new Google App Licensing available. For deeper information read about it in the android developer blog.
A short summary: Google provides a library that makes an inter-process call to the market client on the phone. The market client will then ask the google servers if the signed-in user has purchased the app and forward this answer to you. There should be a public key in your developer profile that you need to encrypt the connection to the google server to prevent spoofing of answers. You also provide an application- and device-unique id with the query to make it impossible to forward approved queries to another device and build something like a licensing proxy with one bought copy forwarding the IS LICENSED answers to other devices.
At the moment this service looks secure enough to protect even the more valuable apps in the market. I will give it a try and maybe come back and leave some more information after I have used it a little bit.
If your app is really popular like an EA game or something this won't stop users from hacking it. To hack the app somebody has to buy it, then unzip the apk, and edit the bytecode of your app to think that the market sent a correct answer. The new byte code can be packed into another apk and can be installed on every phone that allows side loading.
To make this harder you can always try to obfuscate your apk and make your bytecode hard to understand.
There is a single, useful connection between an application buyer and the developer through the marketplace, the forwarding email address provided by google to contact the buyer.
Utilizing the integration callback setting to send buy information to your own server, you can use PHP to send a unique identifier (registration code) to the buyer via email (real time, as the callback is shipped from google during a purchase). The user then uses this email to register their software using the unique identifier that is then linked to their android ID (or google account username) and the software is "activated" and guaranteed to be legitimate.
Obvious Questions
Why is this a suitable solution when it requires the user to read email? Our market are those people who are capable of buying an application using an android device. By using an android device, it is implied that the user has a google account which implies they know how to use email.
How do I use the email with the unique identifier with my application? Create a content handler in your application that handles something like "myactivator://uniqueid-or-something" which causes your application to communicate to your internal server that keeps tabs on activations. Embed this as a link in the email that the user can click on.
How should I generate the unique identifier? I'm going to use the email somehow - I'm fairly confident google has already made it unique enough to disallow any feasible method of contact information selling.
What about people who have already purchased the software? A lot of options here - none ideal or terrible.
Send emails to all previous buyers
Allow users to activate by typing in their order number (can be obtained by logging into checkout.google.com).
Why bother?
Because some of us put a lot of time into applications and saying "you should just accept pirating" is a slap in the face.
The people that are lax enough to use pirated copies of your application to access their DropBox are probably using their DropBox for piracy anyway. Forget those people. Let them go. Yes, it's a huge number of people I bet, but let's face it, those people were never going to pay you anything anyway. Focus on the parts that you can control, and forget the rest.
Focus on the Android users that use DropBox for their work, for their businesses, for their own code, for their finance, for their thesis, and/or for their private family pictures. 95% of those people, that have something of value in their DropBox, and that want it kept private, are going to want to buy your application (assuming it's good enough for them).
Let me use this analogy:
When it comes to hiring a locksmith to put a lock on your home, do you hire the guy that looks the part and takes $150 an hour, or do you hire the shady guy that is willing to sell you a stolen lock to put on your front door?
Release your own illegal copy in the best known forums and have it disable itself after a week and showing a message like
Thanks for stealing... I make my living with programming this app. The x Dollar won't hurt you and I could buy my next meal and go on making great updates for you.
I think this is the only thing that you can do about it. People will always find a way to copy your app and all countermeasures will only disturb the users that paid for the app.
The people copying your app aren't your customers and they never will be. Just see their use of the program as a kind of viral marketing. At least they are talking about your app and maybe some of their friends will then buy the app.
General shareware advice here - license the software to the individual. i.e. provide a license key that is personalized to their username. They'll be much less likely to distribute a key if it's got their name on it. You can probably automate the backend fulfillment of the order, to provide custom keys. Have your "Pro" version operate in trial mode until the name/key are entered.
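A personalized key of the kind this answer describes can be checked offline if the vendor signs it and the app carries only the public key. The following is an added example, not code from the original post; it goes beyond the answer by also binding the key to a device identifier and an expiry date, and the class name, field layout and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.LocalDate;
import java.util.Base64;

public final class SignedLicense {

    /** Vendor side: sign "expiry|deviceId|name" with the private key, which never ships. */
    static String issue(PrivateKey vendorKey, String name, String deviceId, LocalDate expiry)
            throws GeneralSecurityException {
        if (deviceId.contains("|")) {
            throw new IllegalArgumentException("device id must not contain '|'");
        }
        byte[] payload = (expiry + "|" + deviceId + "|" + name).getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(payload);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(payload) + "." + b64.encodeToString(s.sign());
    }

    /**
     * App side: returns the licensee name if the key is authentic, issued for this
     * device and not expired; returns null for anything else, including malformed input.
     */
    static String verify(PublicKey vendorPub, String license, String thisDeviceId, LocalDate today) {
        try {
            String[] parts = license.split("\\.");
            if (parts.length != 2) return null;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);

            // Check the signature before trusting any field of the payload.
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(payload);
            if (!s.verify(sig)) return null;

            // Limit 3 keeps any '|' inside the licensee name intact.
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", 3);
            if (f.length != 3) return null;
            if (!f[1].equals(thisDeviceId)) return null;            // key copied to another device
            if (today.isAfter(LocalDate.parse(f[0]))) return null;  // trial or term ended
            return f[2];
        } catch (GeneralSecurityException | RuntimeException e) {
            return null; // bad Base64, bad date, bad signature encoding
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair; in practice only the public key is embedded in the app.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair();

        LocalDate today = LocalDate.of(2029, 6, 1);
        String key = issue(vendor.getPrivate(), "Alice Example", "DEVICE-1234",
                LocalDate.of(2029, 12, 31));

        System.out.println("same device:  " + verify(vendor.getPublic(), key, "DEVICE-1234", today));
        System.out.println("other device: " + verify(vendor.getPublic(), key, "DEVICE-9999", today));
        System.out.println("after expiry: " + verify(vendor.getPublic(), key, "DEVICE-1234",
                LocalDate.of(2030, 1, 1)));
        System.out.println("edited key:   " + verify(vendor.getPublic(), "x" + key, "DEVICE-1234", today));
    }
}
```

Because the key carries the buyer's name and cannot be forged without the vendor's private key, a shared key is traceable and works only on its own device; the verify call itself can still be removed from a patched copy of the app.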
Don't leave your computers so that someone can steal your applications from there.
Or wait.. Did you mean you don't want others to copy your software? Then.. not publishing it in the first place is likely your best option.
A bit related link: http://news.cnet.com/8301-27076_3-20003120-248.html
You don't have any mechanism to estimate the amount of illegally copied software either. Enjoy your attempts at stopping the rain even though entities bigger than you have attempted and failed.
There is a new tool in the wild that seems too good to be true:
Automatic Application Licensing from Keyes Lab.
I haven't tried it yet but if this works it sounds like something you want to use in your high priced android apps.
If anybody tested it leave a comment or edit my answer with personal feedback.
I have the same issue. I recently found a number of my paid apps available for free download on this site: https://dlandroid.com/
I asked them to remove my app APKs, but I'm sure there are many other similar sites. Presumably they have a rooted phone which gets one valid copy of the app from Google Play, then uploads it onto their web site to distribute to all and sundry for free.
You could spend endless amounts of time ensuring that there are no pirated copies of your apps on the web, or implementing complex piracy protection measures, which would most likely make things less convenient for your genuine paid users. But I guess in the end, you have to be prepared to make a trade-off and accept that a certain level of loss is inevitable, and hope that most people are honest and get your app through the proper channels rather than risk malware infection by going to dodgy sites like this.