On Tue, Aug 24, 2010 at 12:31 AM, Kostya Vasilyev <[email protected]>wrote:
> The article states:
>
> "Even when mangled in ProGuard the licensing library code is easily found
> automatically. Since you compile the licensing library into your own code
> you can make some changes to it to make it harder to find when obfuscated
> though."
>
> Perhaps it is possible for Google to re-implement LVL with more attention
> to security, before it's widely rolled out?

No. Again, this is client-side code. We could spend an eternity trying to strengthen it, and it would still be vulnerable to these kinds of attacks.

Remember: We publish the source code. Anything that Google does is also visible to crackers. (Application developers have an advantage here: You can modify the LVL in unique ways and *not* publish your source code.)

On top of that, once one person figured out how to crack the library, they could write an auto-crack that would work on all applications. The only way this works effectively is if you have heterogeneity in the license check code between applications.

(Also: This isn't to say that there won't be future releases of the LVL where we improve the security of the code. I'm just saying that there's no point in completely re-implementing the LVL to magically solve all of these issues. That's impossible. It also implies that we didn't pay attention to security when the LVL was released -- this isn't true.)

> Doing it as part of Market application, with only simple allow/deny passed
> over RPC is probably more secure. Market app is signed with the platform
> key, and the firmware checks the signature, right?

Unless you have an Android Dev Phone which allows loading custom firmware images. Or a Nexus One which can have its firmware unlocked by running 'fastboot oem unlock'. Or you have a phone that's normally firmware-locked but somebody figured out how to root it anyway. And once that's done, you could modify Android Market to return an ALLOW response for all applications -- which would be very bad.
And on top of that, you're vulnerable to somebody decompiling the APK and removing the code that performs the RPC check. And you've removed the ability to perform a server-side license check if you want.

No, this is a worse idea in every way.

--
Trevor Johns
Google Developer Programs, Android
http://developer.android.com

