Thanks very much for the detailed response. I definitely understand that any anti-piracy technique is going to be a tradeoff, and that the only way to absolutely prevent piracy is not to publish your app.
String

On Aug 9, 5:32 pm, Dianne Hackborn <[email protected]> wrote:
> On Mon, Aug 9, 2010 at 4:22 AM, String <[email protected]> wrote:
>
> > So to return to the OP's question, it sounds as though defeating LVL
> > by spoofing the ANDROID_ID would be possible on rooted devices?
>
> It depends. Ultimately the protocol requires that the app get a response
> from the market server that it can confirm is signed by market itself, and
> having root gives you no way to spoof that. What having root does allow you
> to do is play lots of games with what the app stores for remembering whether
> it is licensed, since root lets you modify and touch everything going in the
> local device which includes everything your app has stored. So pirates
> could all run devices with the same android id, and go through the apps and
> plug in some known data that one person had gotten back from market that is
> signed to confirm licensing and says it is for that android id.
>
> I think this will end up a very problematic way to pirate though -- having a
> bunch of people with the same android id is probably not going to be that
> wonderful, and all apps need to do is have their license vary in some other
> way to make this a lot less valuable. For example, have it expire after
> weeks of time (allowing the user to run it for a while after it has expired
> until it has a chance to get a new license), mix in some other device
> information that doesn't need to be immutable (just requires that you go
> through the same process of getting a new license), etc.
>
> One of the important things is that the easiest point of failure now -- the
> data the app stores on device to remember whether it is allowed to run -- is
> controlled by the app. Apps can be as complex and strict as they want about
> this, and the more variety there is in what apps do here the less attractive
> it is as a target.
>
> And also the biggest thing is that all of these attacks *do* require having
> root, which is a small number of users. This is a huge improvement from
> forward locking where all you needed was one person to get root and thus
> access the app, after which all users could run it.
>
> This is always going to be a game of "how good is good enough." You can't
> absolutely prevent people from pirating. It is now a lot harder, though,
> and third party developers have a lot more control. I would suggest
> starting out fairly simple/conservative in what you do (since that by itself
> will be a huge improvement from forward locking); if pirating starts
> increasing, you can start taking more complicated measures in your app for
> ensuring you are running licensed and/or obscure the license checks,
> depending on how attacks are happening.
>
> --
> Dianne Hackborn
> Android framework engineer
> [email protected]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.
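The cached-license checks described in the quoted message (server signature, expiry with a grace period, extra device information mixed in), as an added example that is not part of the original thread and is not LVL code. The signed-data layout, the signature algorithm, the validity and grace periods, and all class and method names are assumptions for illustration; a locally generated key pair stands in for the market server.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class CachedLicenseCheck {
    enum Result { LICENSED, LICENSED_REFRESH_SOON, RECHECK_WITH_SERVER }

    static final long DAY_MS = 24L * 3600 * 1000;
    static final long VALID_MS = 14 * DAY_MS; // assumed validity window ("weeks of time")
    static final long GRACE_MS = 3 * DAY_MS;  // assumed grace period after expiry

    // Device tag: ANDROID_ID mixed with other, not necessarily immutable, device info.
    static String deviceTag(String androidId, String otherInfo) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest((androidId + "|" + otherInfo).getBytes(StandardCharsets.UTF_8));
        return String.format("%064x", new BigInteger(1, d));
    }

    // Assumed layout of the signed data: "<package>|<deviceTag>|<issuedAtMillis>".
    static Result check(PublicKey serverKey, String signedData, byte[] sig,
                        String currentTag, long now) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(serverKey);
        v.update(signedData.getBytes(StandardCharsets.UTF_8));
        if (!v.verify(sig)) return Result.RECHECK_WITH_SERVER;   // edited or forged cache
        String[] f = signedData.split("\\|");
        if (f.length != 3 || !f[1].equals(currentTag))
            return Result.RECHECK_WITH_SERVER;                   // issued for another device
        long age = now - Long.parseLong(f[2]);
        if (age < 0 || age > VALID_MS + GRACE_MS) return Result.RECHECK_WITH_SERVER;
        return age <= VALID_MS ? Result.LICENSED : Result.LICENSED_REFRESH_SOON;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a locally generated key pair stands in for the market server.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair server = g.generateKeyPair();
        long issued = 1_281_370_000_000L; // constructed timestamp
        String tagA = deviceTag("constructed-android-id", "build-A");
        String data = "com.example.app|" + tagA + "|" + issued;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(server.getPrivate());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        byte[] sig = s.sign();
        String tagB = deviceTag("constructed-android-id", "build-B"); // same id, other info differs
        System.out.println(check(server.getPublic(), data, sig, tagA, issued + DAY_MS));
        System.out.println(check(server.getPublic(), data, sig, tagA, issued + 15 * DAY_MS));
        System.out.println(check(server.getPublic(), data, sig, tagA, issued + 30 * DAY_MS));
        System.out.println(check(server.getPublic(), data, sig, tagB, issued + DAY_MS));
    }
}
```

The last call models a cache entry replayed on a device that shares the ANDROID_ID but differs in the other device information, so the app falls back to a fresh server check.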

