I am always amazed at how people always blame everyone else for their problems... this is something I never see from any Google Developer... I don't see excuses. What has the world come to when everyone always has this expectation of entitlement. Noone is forcing you to develop for Android or any other platform for that matter. If you spend a little time using your brain you can easily figure out how to deal with pirates and Trevor outlined a solution that merits investigation and consideration. I have been selling software for over 10 years... let me just mention Zend Encoder that costs $1000 and 99% of the applications that were encoded with it can be decoded to the original source code in minutes now... THAT is something to be upset about... Google provides LVL for FREE! How much do you think it cost them to develop? Don't you think we are all in the same boat really? Stop blaming Google and take some responsibility for your own product... overcoming the shortcomings of licensing apps that run on the VM is a challenge... not an excuse. I see way too much whining when that same energy can be spent on a solution. The platform is not the issue... the thieves are the issue. That is where the responsibility lies. Piracy is never going to go away. You can either accept that fact or continue to live in a fantasy world where everyone else is to blame. Try using your brain and not your emotions and you can probably limit it's impact...
Android Workz On Aug 24, 3:52 am, Trevor Johns <[email protected]> wrote: > On Tue, Aug 24, 2010 at 12:31 AM, Kostya Vasilyev <[email protected]>wrote: > > > The article states: > > > "Even when mangles in ProGuard the licensing library code is easily found > > automatically. Since you compile the licensing library into your own code > > you can make some changes to it to make it harder to find when obfuscated > > though." > > > Perhaps it is possible for Google to re-implement LVL with more attention > > to security, before it's widely rolled out? > > No. Again, this is client-side code. We could spend an eternity trying to > strengthen it, and it would still be vulnerable to these kinds of attacks. > Remember: We publish the source code. Anything that Google does is also > visible to crackers. (Application developers have an advantage here: You can > modify the LVL in unique ways and *not* publish your source code.) > > On top of that, once one person figured out how to crack the library, they > could write an auto-crack that would work on all applications. > > The only way this works effectively is if you have heterogeneity in the > license check code between applications. > > (Also: This isn't to say that there won't be future releases of the LVL > where we improve the security of the code. I'm just saying that there's no > point in completely re-implementing the LVL to magically solve all of these > issues. That's impossible. It also implies that we didn't pay attention to > security when the LVL was released -- this isn't true.) > > Doing it as part of Market application, with only simple allow/deny passed > > > over RPC is probably more secure. Market app is signed with the platform > > key, and the firmware checks the signature, right? > > Unless you have an Android Dev Phone which allows loading custom firmware > images. > Or a Nexus One which can have it's firmware unlocked by running 'fastboot > oem unlock'. > Or you have a phone that's normally firmware-locked but somebody figured out > how to root it anyway. > > And once that's done, you could modify Android Market to return an ALLOW > response for all applications -- which would be very bad. > > And on top of that, you're vulnerable to somebody decompiling the APK and > removing the code that performs the RPC check. > > And you've removed the ability to perform a server-side license check if you > want. > > No, this is worse idea in every way. > > -- > Trevor Johns > Google Developer Programs, Androidhttp://developer.android.com -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
