I'm making my first Android app, and it will be a paid (1$) app targeting API8 (Android 2.2).
Right now I see 2 options for protecting my app from sharing:
Using Android license checking : The problem is that the device must have an internet connection, and that as I've read on the net, the license caching is buggy. And, the biggest draw back is that it can be cracked anyway by an average cracker... Also, I don't want to penalise honest users by slowing down the app startup or by exiging an internet connection.
Using ProGuard, and activating the legacy anti-copy option when publishing the app : Is this unsecure to the point that even a newbie would be able to copy / share my app ?
Also, I don't wont to spend a lot of time on the security of my app, so please don't suggest solutions that are hard to implement / time consuming.
For now I'm more for the second option. Please help me decide, and tell me if I'm wrong in what I've said.
[UPDATE]
One more question : Does the Android LVL add more encryption to the APK and make it more difficult to share ? Or is it only used to check the license online ? Is it safe to not use it at all and only use Proguard and the legacy anti-copy option when uploaded ?
Thanks.
The answer is simple! Do not waste your time in adding protection...it will be cracked the minute it gets uploaded and WILL be pirated very easily!
Use proguard as your best defence for the app to obfuscate the names of classes into single-lettering scheme.
Related
Is there any service that can be used to monitor how a beta-user engages in an android application I made?
I've looked into different analytic solutions, but they all come with the disclaimer that I should not send "unique identification information about the users" - fair enough, and I can appreciate the privacy concerns. But I need to dig that information during my beta testing.
Currently, I'm emailing the apk files to a few people to install the app and test on their phones. They give me feedback, but not all of them are good at describing exactly what they are doing. I need more detailed information - like how they opened the app (was it a fresh open, or did they relaunch it from the running app list?), what exactly they did in the app and if possible, to get some debugging information too, since some issues are unique to the specific model of phone they use.
In a nutshell, it means that I need to dig into my beta-testers devices - and they all agree to it too, so its not like I'm spying on them or some such. (At the very least, I want to record their behavior in my app with permission)
Is anything like this available? If not, are there any other approaches I can use to solve/debug issues that generate from end-user behavior? (NOTE: I'm not talking about app crashing/hanging. The app is stable - its just not working correctly)
Stuff that doesn't seem to work:
http://acra.ch/
This looks more like a crash reporting tool than a usage/monitoring tool. :(
http://try.crashlytics.com/
Similar issues to above
Paid levels of BugSense come with a feature called Bread Crumbs, which I've never used but which sound like what you need.
We are developing an Android application. We know that using tools like APKTool, dex2jar can get the source code of an APK.
1) Can they get complete source code so that they can rebuild the same APK, with very minimal effort?
2) After getting the source code, is there a possibility that others can upload the rebuilt APK under their own name?
3) If possible, how to prevent this?
Our clients are keen about this.
It is not possible to prevent your application from being reverse engineered. However, you can make it harder using tools loke proguard.
Yes, it is possible that others can upload the reverse engineered APK. Nevertheless, they need to change the package name.
It cannot be prevented.
Have a good look here for a more detailed explaination: How to secure my app against piracy
1) They can, but NOT WITH A MINIMAL effort.
2) Sure, they can.
3) You can't. You can just make their work a bit harder, trying to obfuscate your code as much as possible and crypting your dbs (which is the most important thing you and your users should worry about).
Not sure what you mean by APK? You can certainly extract and decompile an apk, repackage and resign. It would be the same but would have a different signature and so couldn't be installed over the an existing installation. I'd argue this can be done with minimal effort using Apktool there 100's of articles on how to do it. But even easier with APK2Java which turns converting apk to java into a point and click experience.
Yes, to other appstores with no code changes. If the attacker changes the package name which is simple there are automated scripts that can so this it could be uploaded to Playstore.
100% preventable?, no. But you can make it allot harder and raise the difficulty and effort level required. As others have mentioned Proguard is a good start, I recommend Dexguard it's not free but really adds to your apk hardening. You could also add tamper checks to break functionality or alert user.
I've talked about Android app hardening at Droidcon UK here's the slides they may help. The idea is to add several levels of security to raise the time/effort it takes so most attackers will just move on to another app.
I need to increase the security of my android app. Actually my android app. will not be for Google play Store (which provides some licensing options to protect your app.) it will be used for some local companies that used the same app (Desktop app). However, I want to support two versions for my app. which are:
Demo version: for testing aims (after the given period end, the app will stopped!)
Actual version: this if the user want to pay for the app.
What I need:
To increase the security of my app. from installing it another time or on another device for the same user!
For my code I used ProGuard which is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. cause there are many reverse-engineering application that used for unpacking the compiled code and viewing the source code (actually I tried some of them and its really amazing to restore the sourse code from .apk!) ..
I think to use the MAC address of each device the app. installed on and then store it into internal database and generate a number form it (in somehow), then ask user enters it (which I the one who knows this number and provider for it) if it is true, the app run else not. But, it's just idea I do not know how this can happen or even from where I can start or even also if that will help!
I tried also SharedPreferences But this does not help!
Actually I do not need for external database on server to read the username or the password for eligible users for app. I need to do that by my app. itself!
In sum please,
How can I protect my app from installing many times for same user or continuing using after testing period ends, etc. (I mean make it more secure)!
any ideas, any suggestions, any useful examples or sites are also desirable.
Sorry for this long question,
I wrote a piece of code that works with internet services of a company that does not allow the usage of other clients than their ones.. But I did it, it faster, better, you have favorites... I mean its a IMPROVEMENT. I contacted them and offered them y solution but they did not agree.. (Its a chatting service, nothing special)
BUT still I would like to publish it.. So my questions are:
I can forget about Google Play / Android Market, because you are registered with a credit card linked (real name) right? (Will probably publish only on my blog (anonymous blog) and some unofficial markets)
Creating the APK - are there any steps that I have to watch? I have to sign the application, shall I use a fake name?
I mean I am not doing anything bad, I just want to share my solution but still not get into problems or so...
Found something really interesting:
http://www.howtogeek.com/106175/the-top-5-alternatives-to-the-android-market/
Recently I published my new application in Android Market. This application contained Android Licence. This Licence was working perfectly fine, when I put my own apk on my phone, there is a dialog that will pop out saying I need to buy this application on the market. However, today I saw my application on some forum and when I tested it, the license was not working, I can get in to the application without buying it. Is there something I am doing wrong?
And also can you give me some tips that can help me to stop this hackers. I am thinking to have a Push Notification on my main activity which will pop out only when I have a new updates therefore people who are not registered can't get this new updates. But the real problem is I don't know how to accomplish this. If you have a better solution can you please tell me, I am planning to publish my new app soon but I am thinking to delay it for a while because of this kind of piracy that is going on. Please help me, I have been working on this new application for several months and I don't want this kind of piracy to happen again.
I don't think you can get your licensed application through the market without buying it. I'm not sure why you would want to, since you can just compile it and install it yourself with ADB.
However, I wouldn't worry too much about people pirating your software. Any good or even marginally skilled cracker is going to be able to remove any security you have anyway. In my experience (from both ends of the playing field), the game always comes down to cat and mouse, and you will end up wasting time instead of adding features, fixing bugs, etc.
Look into ProGuard.
It comes free with the Eclipse/Android stuff.
ProGuard presumably makes it more difficult for people to decompile and modify your application package to defeat the licensing check.
I do not know how well ProGuard actually is at discouraging piracy.