I'm curious about something regarding signing. If someone does as this hack shows and patches the apk, they need to resign the new build. If they then put this version out and its widely distributed, can't Google see the certificate used to resign it, compare with the original and just revoke the new one? Following that, what actually happens if a user then tries to install an app signed with a revoked cert via non-Market means?
On Aug 24, 9:20 pm, keyeslabs <keyes...@gmail.com> wrote: > Seems like I was unfortunately very right on this prediction. Just > off by a few days :). > > LVL is flawed in the same ways that AAL (and other similar approaches) > is flawed. Google could do better, and I hope that they will. > Obfuscation isn't really going to do much to improve the situation. > What is really needed is O/S-level and app store support for signing > apps (in real time) based on user credentials, application authors, > and phone characteristics. The dependence on the android market app > is a single point of failure that is too easy to search for and find > regardless of how obfuscated your code is. > > From a technical standpoint, LVL will help to some degree, but I've > got to think that in terms of P.R., Google did themselves more harm > than good here. > > Dave > > On Jul 31, 5:21 pm, keyeslabs <keyes...@gmail.com> wrote: > > > > > Speaking as someone who has traveled this road before with my own > > implementation of basically the same approach, obfuscation will be > > critical. With AAL, it took about three days for someone to crack the > > app. The process looks something like this: decompile the apk using > > a freely available open source tool, find the code that invokes the > > licensing check, skip it, recompile and repackage the apk. > > Obsfucation will make this more difficult, but not all that tough > > given the usage of intents for communication betweenLVLand the > > market tool. > > > Don't get me wrong, I think thatLVLwill offer a much needed road > > bump for pirates -- stealing apps will actually require a crack of > > each app. This is a viable approach to license verification and > > that's why I took the same route with AAL months ago. It certainly > > seems like google could have gone further though. > > > The coverage of this has been very extensive in the press, and I would > > guess the coverage of the first released crack within a week or two > > will also make a fairly big splash, which won't look great for the > > platform. > > > All told though, I thinkLVLis a positive step for the platform. > > Speaking as someone that was seeing 90%+ piracy rates before > > implementing something very similar toLVLin my own apps, I'm happy > > to see google addressing the problem. > > > DaveKeyes > > > On Jul 27, 5:44 pm, sblantipodi <perini.dav...@dpsoftware.org> wrote: > > > > I haven't understood if using this library external obfuscation > > > (proguard for example) is needed > > > for security reason or if we can avoid using external obfuscator, it's > > > quite a pain using proguard in netbeans plus android sdk. > > > > On Jul 27, 10:24 pm, Sebastian Rodriguez <srodrig...@gmail.com> wrote: > > > > > I agree with Anton Persson. When will Google realize that opening the > > > > paid > > > > market to all the other countries is crucial for the market environment > > > > :( > > > > We don't have access to them here in Singapore either. > > > > > But this is a major step already, let's hope for even better! > > > > > Seb > > > > > On 28 July 2010 04:19, Kaj Bjurman <kaj.bjur...@gmail.com> wrote: > > > > > > I saw that entry, and have a question. > > > > > > What will happen if the user doesn't have network connectivity? Many > > > > > users turn of data traffic when they travel to other countries, but > > > > > the probably still want to use the licensed applications. > > > > > > On 27 Juli, 19:55, Trevor Johns <trevorjo...@google.com> wrote: > > > > > > Android fans, > > > > > > For those of you who haven't already heard through our blog, we've > > > > > > just launched the Android Market licensing service: > > > > > > >http://android-developers.blogspot.com/2010/07/licensing-service-for-... > > > > > > > From the above blog post: > > > > > > > "This simple and free service provides a secure mechanism to manage > > > > > > access to all Android Market paid applications targeting Android 1.5 > > > > > > or higher. At run time, with the inclusion of a set of libraries > > > > > > provided by us, your application can query the Android Market > > > > > > licensing server to determine the license status of your users. It > > > > > > returns information on whether your users are authorized to use the > > > > > > app based on stored sales records." > > > > > > > Developer documentation is available here: > > > > > > >http://developer.android.com/guide/publishing/licensing.html > > > > > > > Happy coding! > > > > > > > -- > > > > > > Trevor Johns > > > > > > Google Developer Programs, Androidhttp://developer.android.com > > > > > > -- > > > > > You received this message because you are subscribed to the Google > > > > > Groups "Android Developers" group. > > > > > To post to this group, send email to > > > > > android-developers@googlegroups.com > > > > > To unsubscribe from this group, send email to > > > > > android-developers+unsubscr...@googlegroups.com<android-developers%2Bunsubs > > > > > cr...@googlegroups.com> > > > > > For more options, visit this group at > > > > >http://groups.google.com/group/android-developers?hl=en > > > > > -- > > > > Sebastien Rodriguez -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
