37

I am developing an Android app and I am planning to publish it (paid app). I have heard that it is very easy to pirate Android apps (much easier than iPhone). I was wondering, from your experience or what you know, how can I increase the security of my app? I know that I can never get it 100% secured, but I want to make it harder for people to pirate it or distribute it illegally. Any ideas, experiences, comments you can share?

Snake
  • 12,886
  • 20
  • 99
  • 231
  • You will have to go with a bunch of techniques and you will still not be able to prevent it totally. Use `google play licensing` and `code obfuscation` for the start. I would suggest checking popular piracy web sites and asking the one-click hosters to take the files down, but I'm not sure about how they handle this. And it will be back soon anywhere else; it's pretty much hopeless. – stefan Mar 26 '12 at 00:42
  • I would advise building the core part of your app using C++ and the Android NDK; you will be using the network to authenticate valid buyers. – duckduckgo Jun 18 '13 at 10:23

3 Answers

69

I released a free anti-malware app for Android, and making sure nobody hacked it was essential to its success. The biggest threats against an app on the Android Market include leaked source code, copied/distributed paid apps, and re-keying. I explain each below and ways to solve them.

Firstly, this paper describes how to reverse-engineer an Android application by unpacking the compiled code and viewing the source code. You will not be able to block this from happening to your app. Period. Someone with a will can always view your source code if they get a copy of your apk (easily available on a rooted phone). The good news is that you can obfuscate the important pieces of your code, making it harder to reverse engineer. Proguard is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. In order to prevent your important code from being read, however, you will need to move all vulnerable methods or variables to a file that is not an Activity, Service, or BroadcastReceiver. For full facts, read the documentation.

To protect against illegal copying and distribution of your application, Google Play provides some licensing options. Unfortunately, LVL is also not entirely secure. A detailed HOW-TO for how to crack it (pre-Google Play) is available here.

Lastly, the paper linked above, as well as numerous scholarly articles and online blogs, describe how, once the source code (or even obfuscated source code) is leaked, one can merely add some of their own malicious code, resign the app, and publish it on the Android Market. The good news here is that, unless your Android license key password is easily guessable, or you give it out to someone else, the attacker will not be able to publish an application with the same license key. This not only protects you from blame, but it will also make it so that the malicious application cannot access data available through your original application (such as SharedPreferences).

All in all, the best way to really secure your application from piracy is to correctly configure and use Proguard, Google Play Licensure, and to sign your final apk with a very secure license key.

Phil
  • Wow.. Great info and very detailed answer. I like the fact that it is proven by a paper. I will follow what you suggested. I still encourage people to share their experience. – Snake Mar 26 '12 at 15:49
  • I'd like to point out that you don't need a rooted device to get a copy of an APK. `ADB pull com.example.coolappdude`. In addition, Proguard is a Java bytecode obfuscator. The makers of ProGuard have a non-free program, DexGuard, that is a Dalvik bytecode obfuscator. Might consider one or the other depending on your paranoia level. – CatShoes Feb 07 '13 at 19:48
  • Dan Galpin did a great talk at I/O 2011 that goes over ways to make LVL more secure: http://www.youtube.com/watch?v=TnSNCXR9fbY – keyboardr Mar 01 '13 at 02:57
  • Note that the answer runs contrary to the wisdom of the commercial software developers. I've seen many big companies state that securing an Android app will cause serious problems for legitimate users, which is a compromise few of them consider worthwhile, which is why most commercial software on Android is not 'protected' as described above. It is actually a little foolish to think that a few paragraphs on SO can solve all the problems a massive industry has failed to solve. – Carl Smith Mar 27 '14 at 21:42
  • @CarlSmith what *serious problems* are you talking about? Also, can you cite your sources for these big companies that you say you have seen make these statements? Your comment is extremely vague. – Phil Mar 28 '14 at 03:51
  • @Phil - Sorry for the lack of detail, but there's no end of stories of DRM crippling legitimate users, especially on Android. If I'm honest, I was just pissed off when I posted because my sister-in-law couldn't use Sky Player the other day because of DRM, and she pays them a contract that includes the service. DRM sucks man. – Carl Smith Mar 29 '14 at 01:06
  • @CarlSmith this answer does not discuss DRM, although for some apps that may be useful to explore (Android provides Widevine DRM for API 3.0+). Why the down vote? – Phil Mar 29 '14 at 01:49
  • The down vote was overkill, I'm sorry. I tried to reverse it even before you mentioned it, but it says I can't unless the question's edited. Again, sorry. It wasn't called for. If you do edit the question, I'll reverse it. – Carl Smith Mar 29 '14 at 02:18
9

You could add tamper checks combined with obfuscation to alert the user, disable functionality, or report to a server if the app has been pirated. I use DexGuard for hardened obfuscation.

Tamper checks

  • Installer app - Use the package manager to ensure the installing app is the Play/Amazon app store
  • Emulator check - Check system properties for telltale signs the app is being run on an emulator, which outside of development could indicate attack/tampering
  • Debuggable check - Use the package manager to check the debuggable flag; this should be off in production, so it could indicate attack/tampering
  • Signing certificate check - Use the package manager to verify the app is signed with your developer certificate (this would be broken if someone unpacked and repacked/resigned the app)

Update: Since answering this question, I've written a more detailed article on tamper detection.

scottyab
  • Thank you, do you have code examples? I use proguard for obfuscation – Snake Mar 20 '14 at 00:46
  • This book has some examples http://www.packtpub.com/android-security-cookbook/book *disclaimer I wrote the hardening chapters* You can download the code samples free on the support section of the book website. – scottyab Mar 20 '14 at 08:46
  • @scottyab Doesn't this very significantly increase the likelihood of a legitimate user being unable to use the software after they've paid? – Carl Smith Mar 27 '14 at 21:47
  • No, the only one that may be an issue is the installer app check, which might run into issues if the user is using some kind of app backup software (like Titanium Backup). – scottyab Mar 30 '14 at 06:26
  • Funny, I was looking at your article and a bit later I found this answer. You might want to link to it for more detailed information. Great article btw: https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app – miva2 May 06 '15 at 15:33
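As an added illustration of the four checks listed in this answer (my own code, not scottyab's and not from his book or article), here they are in Java. EXPECTED_CERT_SHA256 is a placeholder you fill in from your own release keystore; the Play and Amazon installer package names are the only other assumed constants.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;

/** Added example, not scottyab's code: the four tamper checks listed in the answer above. */
public final class TamperChecks {
    // Placeholder: SHA-256 of your release signing certificate, hex without colons, as printed
    // by "keytool -list -v -keystore release.keystore". Compute it once offline and hard-code it.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256";
    // Installer package names of Google Play and the Amazon Appstore.
    private static final List<String> TRUSTED_INSTALLERS = Arrays.asList("com.android.vending", "com.amazon.venezia");
    /** Installer check. Null means sideloaded: adb, a file manager, or a backup/restore tool. */
    public static boolean installedFromTrustedStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return installer != null && TRUSTED_INSTALLERS.contains(installer);
    }
    /** Debuggable check: a release build must not carry android:debuggable="true". */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
    /** Emulator check: build-property heuristics only, so expect some false positives. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || "goldfish".equals(Build.HARDWARE) || "ranchu".equals(Build.HARDWARE)
                || Build.PRODUCT.contains("sdk") || Build.MODEL.contains("Emulator");
    }

    /** Signing check: compare the full certificate digest (zero-padded hex), never Signature.hashCode(). */
    public static boolean signedWithReleaseCert(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String actual = String.format("%064x", new BigInteger(1, sha256.digest(sig.toByteArray())));
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(actual)) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // cannot read our own package info: treat as tampered (fail closed)
        }
    }
}
```

Call these from several obfuscated places and degrade functionality quietly rather than at one obvious branch, since a single check is easy to patch out; as the comments note, the installer check will also fail for legitimate users restoring from a backup tool, so treat it as a signal rather than a hard block.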
7

Have a look at the Google Play licensing framework.

http://developer.android.com/guide/market/licensing/index.html

This is your best choice.

Google Play Licensing is a network-based service that lets an application query a trusted Google Play licensing server to determine whether the application is licensed to the current device user. The licensing service is based on the capability of the Google Play licensing server to determine whether a given user is licensed to use a given application. Google Play considers a user to be licensed if the user is a recorded purchaser of the application.

Jeffrey Blattman
  • I heard that google licensing (through app signing) is really worthless. There are automatic tools that download the app, remove the license and sign it with a new user, all in one click (I read it in one of the forums). I will definitely use licensing but I need another layer of defence. – Snake Mar 26 '12 at 00:35
  • The app signing mechanism is deprecated. The new licensing system is network based and quite solid. – Jeffrey Blattman Mar 26 '12 at 00:39
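Added example (my own code, not Jeffrey Blattman's or Google's sample): the standard LVL wiring for the network-based check described in this answer. It assumes the LVL library is in the project, the manifest declares the com.android.vending.CHECK_LICENSE permission, and the public-key and salt placeholders are replaced with your own values. The server's response is signed by Google and verified with your public key, so what a repackager has to alter is this handling code, which is why the other answers pair LVL with obfuscation.

```java
import android.app.Activity;
import android.os.Bundle;
import android.provider.Settings;
import com.google.android.vending.licensing.AESObfuscator;
import com.google.android.vending.licensing.LicenseChecker;
import com.google.android.vending.licensing.LicenseCheckerCallback;
import com.google.android.vending.licensing.Policy;
import com.google.android.vending.licensing.ServerManagedPolicy;

/** Added example, not the answer's code: wiring the LVL check into the main Activity. */
public class MainActivity extends Activity implements LicenseCheckerCallback {
    // Placeholder: the Base64 RSA public key shown for this app in the Play developer console.
    private static final String BASE64_PUBLIC_KEY = "REPLACE_WITH_YOUR_LICENSING_PUBLIC_KEY";
    // Constructed salt: generate 20 random bytes once and keep them fixed for the app's lifetime.
    private static final byte[] SALT = {-46, 65, 30, -128, -103, -57, 74, -64, 51, 88,
            -95, -45, 77, -117, -36, -113, -11, 32, -64, 89};
    private LicenseChecker mChecker;
    private volatile boolean mLicensed;  // hypothetical gate the paid features consult before running

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // ServerManagedPolicy caches the signed server response, obfuscated with a key derived from
        // SALT, package name and device id: short offline periods do not lock the user out, and a
        // cache file copied to another device does not validate there.
        String deviceId = Settings.Secure.getString(getContentResolver(), Settings.Secure.ANDROID_ID);
        Policy policy = new ServerManagedPolicy(this, new AESObfuscator(SALT, getPackageName(), deviceId));
        mChecker = new LicenseChecker(this, policy, BASE64_PUBLIC_KEY);
        mChecker.checkAccess(this);  // asynchronous; the result arrives in the callbacks below
    }
    // Callbacks run on a background thread: update views only via runOnUiThread().
    @Override public void allow(int reason) {
        if (!isFinishing()) mLicensed = true;
    }
    @Override public void dontAllow(int reason) {
        if (isFinishing()) return;
        mLicensed = false;
        // Policy.RETRY means the server could not be reached; anything else is a genuine refusal.
        final String msg = reason == Policy.RETRY ? "Could not verify licence, please retry" : "Not licensed";
        runOnUiThread(() -> showLocked(msg));
    }
    @Override public void applicationError(int errorCode) {
        // Misconfiguration: wrong key, missing CHECK_LICENSE permission, app not yet published.
        runOnUiThread(() -> showLocked("Licence check error " + errorCode));
    }
    @Override protected void onDestroy() {
        super.onDestroy();
        mChecker.onDestroy();  // unbinds from the Play licensing service
    }
    private void showLocked(String msg) { setTitle(msg); }  // hypothetical: swap in your own locked UI
}
```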