I need to protect my application against copy protection. I saw some apps in the market that cannot be extracted using any backup application on my Android device.
How can I protect my application against copying too?
What you're talking about is currently being deprecated as a way of copy-protecting your app. It's an option you can choose before publishing your app in the Developer's console. A much better and safer approach is to use The License Verification Library.
There is a check box you tick when you are publishing your app. I'm pretty sure that it's near the end of the page, after the payment details section.
Is it possible to create an Android application that is meant only for internal use? Basically a private application not meant to be installed by non-approved phones?
If so, what is the basic process of deployment? How do you get the app on the employees' phones?
Thanks!
The easiest way is to email it to them. Any email with an .apk attachment will get an "Install" button that you can tap to install the app.
Installing from non-market sources needs to be enabled -- which is a bit of a security risk -- but the user will be prompted to turn that on if they need to, and even given a button that will take them right to the appropriate settings page. The whole process is really quite slick. :)
Alternatively, you can copy it to the phone (e.g. after connecting the phone in USB storage mode) and then use a file system app to locate the file and install it.
Emailing it is the easiest way, however.
Edit: I'm assuming you meant private as in "only sent to certain individuals" and you're not actually looking for a method that will prevent the apps from being run on non-approved devices should they end up on one.
There's a proper way to do it now: Google Play Private Channel for Google Apps. You publish the app on the Private Channel and then send invitations to users. It won't be seen by other users of Google Play.
Option 1
Using Google Play Private Channel is probably the best way, but is useful only for Google Apps users.
Option 2
You can use the new Developer dashboard options that let your app be in an alpha or beta phase, available only to selected Google accounts (using groups or Google Plus circles). Your app can stay in beta indefinitely, so it does not become visible to other users. If you like this method you can also use services like TestFlight.
Option 3
Mail distribution is also OK; it's even mentioned in the documentation, which I find a little bit odd, but I would advise you to use some file storage like Dropbox and just distribute the link to selected people.
Two major ways:
You can either use the non-market application installation method, or adb from a connected PC to install an apk which you distribute as a bare file. The downside is that anyone in possession of the apk can install your application.
Alternatively, you can distribute the application through the android market, but make it require an account on a server you control in order to do anything useful. The upside is that possession of the apk doesn't get an unauthorized user much; the downside is negative ratings from confused randoms, and that you've made your apk very available for interested parties to know about and decompile. (There is or was also a way to put an app on the market but not list it so it was only accessible via a full url, however don't rely on that)
Yes. As of right now I use such a method, I have to manually load the app on the phone, however other techniques can be used. Once loaded the app checks the main server to see if it is up to date. If it is not, it downloads and installs the new version of itself.
If you go to your Eclipse workspace and go to your app's folder, in the bin folder (assuming you develop with Eclipse), you will find a .apk file somewhere in there. Copy it to the phone and then use something like EZ File Explorer (or something like that) to access your Android filesystem, click on the .apk and it will install and be ready to use.
I am developing an Android app and I am planning to publish it (paid app). I have heard that it is very easy to pirate Android apps (much easier than iPhone). I was wondering, from your experience or what you know, how can I increase the security of my app? I know that I can never get it 100% secured, but I want to make it harder for people to pirate it or distribute it illegally.
Any ideas, experiences, comments you can share?
I released a free anti-malware app for Android, and making sure nobody hacked it was essential to its success. The biggest threats against an app on the Android Market include leaked source code, copied/distributed paid apps, and re-keying. I explain each below and ways to solve them.
Firstly, this paper describes how to reverse-engineer an Android application by unpacking the compiled code and viewing the source code. You will not be able to block this from happening to your app. Period. Someone with a will can always view your source code if they get a copy of your apk (easily available on a rooted phone). The good news is that you can obfuscate the important pieces of your code, making it harder to reverse engineer. Proguard is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. In order to prevent your important code from being read, however, you will need to move all vulnerable methods or variables to a file that is not an Activity, Service, or BroadcastReceiver. For full facts, read the documentation.
To protect against illegal copying and distribution of your application, Google Play provides some licensing options. Unfortunately, LVL is also not entirely secure. A detailed HOW-TO for how to crack it (pre-Google Play) is available here.
Lastly, the paper linked above, as well as numerous scholarly articles and online blogs, describe how, once the source code (or even obfuscated source code) is leaked, one can merely add some of their own malicious code, re-sign the app, and publish it on the Android Market. The good news here is that, unless your Android license key password is easily guessable, or if you give it out to someone else, the attacker will not be able to publish an application with the same license key. This not only protects you from blame, but it will also make it so that a malicious application cannot access data available through your original application (such as SharedPreferences).
All in all, the best way to really secure your application from piracy is to correctly configure and use Proguard, Google Play Licensure, and to sign your final apk with a very secure license key.
You could add tamper checks combined with obfuscation to alert the user / disable functionality / report to a server if the app has been pirated. I use DexGuard for hardened obfuscation.
Tamper checks
- Installer app - Use the package manager to ensure the installing app is the Play/Amazon app store
- Emulator check - Check system properties for telltale signs the app is being run on an emulator, which outside of dev could indicate attack/tampering
- Debuggable check - Use the package manager to check the debuggable flag; this should be off in production, so it could indicate attack/tampering
- Signing certificate check - Use the package manager to verify the app is signed with your developer certificate (this would be broken if someone unpacked and repacked/re-signed the app)
update: Since answering this question, I've written a more detailed article on tamper detection.
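The four checks listed in the answer above, as an added example (not the answerer's code and not part of DexGuard). The class name TamperChecks and the pinned digest are placeholders, and the PackageManager calls shown are the original ones, which newer API levels deprecate in favour of getInstallSourceInfo and GET_SIGNING_CERTIFICATES.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

public final class TamperChecks {
    // Placeholder (assumption): replace with the 32-byte SHA-256 of your release certificate.
    private static final byte[] EXPECTED_CERT_SHA256 = new byte[32];

    /** Installer check: was the app installed by the Play or Amazon store client? */
    public static boolean installedFromStore(Context ctx) {
        // Deprecated from API 30; returns null for sideloaded or adb-installed packages.
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return "com.android.vending".equals(installer) || "com.amazon.venezia".equals(installer);
    }

    /** Emulator check: a heuristic over build properties, not proof either way. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator")
                || "goldfish".equals(Build.HARDWARE)
                || "ranchu".equals(Build.HARDWARE);
    }

    /** Debuggable check: a release build should not carry FLAG_DEBUGGABLE. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Signing certificate check: every signer must match the pinned digest. */
    public static boolean signedByDeveloper(Context ctx) {
        try {
            // GET_SIGNATURES is deprecated from API 28 (GET_SIGNING_CERTIFICATES replaces it).
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                byte[] digest = sha256.digest(sig.toByteArray());
                if (!MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed when the package or digest cannot be read
        }
    }
}
```

These checks run inside the APK, so a repackaged build can remove them; that is why the answer pairs them with obfuscation and reporting to a server.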
Have a look at the Google Play licensing framework.
http://developer.android.com/guide/market/licensing/index.html
This is your best choice.
Google Play Licensing is a network-based service that lets an
application query a trusted Google Play licensing server to determine
whether the application is licensed to the current device user. The
licensing service is based on the capability of the Google Play
licensing server to determine whether a given user is licensed to use
a given application. Google Play considers a user to be licensed if
the user is a recorded purchaser of the application.
If I want to deploy to the Android Market it looks like I have two options:
1. Create my own keystore and upload. When I update my app use that keystore on my APK to ensure that users are given the option to update.
2. Do step 1, but also implement Application Licensing which will put controls on how the app is used.
Am I correct to assume that step 1 means that anyone could copy my APK once it is purchased from the Android Market and install it anywhere they wish?
How common is it for people to use Application Licensing and is it the de facto approach?
My app will be paid and I want to ensure I am taking the best approach.
Am I correct to assume that step 1 means that anyone could copy my APK once it is purchased from the Android Market and install it anywhere they wish?
Yes you are correct, it would be extremely easy to copy your application.
How common is it for people to use Application Licensing and is it the de facto approach?
I would say it's very common since it's the only way to verify the licence against the Android Market, though I don't have any stats on this. Otherwise you would need to implement your own "Market" and verify purchases in your own.
My app will be paid and I want to ensure I am taking the best approach.
Use LVL, DO NOT use the default implementation. Watch the LVL session from the 2011 IO for a how to.
Oftentimes, people will not simply download an app and copy it anywhere they would like. However, it is possible through some apps and other software for users to copy off APKs from their phones (even though they aren't supposed to). In my opinion, if your app is paid, you should implement Application Licensing. It is a very useful tool to help in preventing people from stealing your APKs (in other words, downloading it and then trying to install it somewhere else) as it checks on start up to ensure that the app is on the phone that purchased it. Otherwise, for free apps, I don't really see the necessity because it's free and anyone could have downloaded it.
Here's the scenario I am trying to achieve:
1. Publish/have an app in the Android app store
2. However - I do not want it to be searchable through the Android Market search, etc.
3. The only way people can access the app is if I give them an explicit link to download
Is the above possible? If so - how? All FAQs/instructions I have seen publish & make it searchable for the whole world - but I want it only accessible through #3 above.
Thanks.
Try this site https://www.push-link.com/, you can upload an apk on your private account and it can only be accessed through an automatically generated link and QR code. This service contains user notification on new versions and bug reports.
Two things that are problematic with the link to an APK approach:
- Some of the devices out there (I'm only aware of the Motorola Atrix) don't have the "Unknown Sources" option, meaning that this won't work on them.
- You lose the ability to auto update the app if you want.
I would recommend adding a login process where only your users will have access to the actual application. This way, you still have the Market advantages and only those people can activate the application.
The main disadvantage is that the application will be open to search in the Market, but as far as I know, this won't be a problem since people will immediately uninstall it since they won't be able to activate it.
In your case, what I do is, I don't upload the application to the Market and distribute it from my server.
I mean this is simple, sweet and it also saves my $25 for the market account...
Don't do this. Just publish the APK to your own website, then give the users the URL to the APK, they can download and install it directly. The only thing they'll need to do is ensure that Menu-Settings-Applications-Unknown sources is ticked.