Android: 33 Days to Piracy

Having developed a number of apps for iOS, I had a number of requests for some of these applications to be ported to the Android platform. Having some spare time between projects, I decided to port the most popular and most requested app CNS Tap Test. This is a reasonably simple app used to track and trend the recovery of your Central Nervous System as part of a training program.

I had followed development on the Android platform, and piracy was always at the forefront of concerns regarding the platform. The common cases appeared to be, after removing any licensing or copy protection, and resigning with a third-party certificate:

  • Hosting on third-party websites for free distribution.
  • Injecting malware and re-posting the app.

With this in mind, I looked into the options to mitigate the risk of piracy. The typical options appear to be:

  • Do nothing
  • Obfuscate with ProGuard
  • Use the Google License Verification Library to license the app
  • Use custom code to detect changes to the .APK CRC and signature

My first concern is not to inconvenience legitimate users under any circumstance.

The most promising was the License Verification Library (LVL), but it does have some limitations such as requiring a network connection. Unfortunately there is a tool available (AntiLVL) to automatically strip LVL protection. It may not work in all cases depending on how LVL has been implemented. LVL appeared to be excessive for a $1 app, and would be circumvented with less effort than it took to implement it.

Detecting changes to the CRC and signature appeared to be a good option. The issue being that the valid CRC  must be held outside the .APK as it is unknown until the .APK is built, and then changed whenever the code is changed. What I decided to do, was to log these so I would know when the app had been compromised, but not to take any action in the off chance that a false positive would inconvenience legitimate users. Any action could easily be bypassed by disassembling the code, and putting a return into the appropriate call. I also used ProGuard to obfuscate the code.

The app went live on Google Play on the 7th of January. 33 days later the current version of the app logged a different CRC and signature. It has only been logged once to date, so whether the logging has been removed, or the app has been cracked but not yet distributed, is yet to be determined.

How does this compare to iOS? I have no comparison as I implemented no such scheme in my iOS apps,  but from a revenue viewpoint the iOS version of the application has 6x the revenue of the Android version over the last 30 days.

The piracy and minimal revenue does not encourage me to further invest time and money into the Android platform.

Leave a Reply

Your email address will not be published. Required fields are marked *