I don't think that you will ever have a solution that will prevent the pirates from stealing. The question is, does LVL prevent the average person from being able to steal the app?

For example, on some stores someone can simply forward the email with the download link to the app they just purchased to one or more friends. That is really easy for people to do. I added a simple license check to stop this kind of stealing. I'm sure hardcore pirates could steal my apps but at least I have prevented the common case that just about everyone can figure out.

Unfortunately I'm not a big Android expert so I don't know how easy it is to even copy an app on Android. Does the average person have the means to share/steal an app they purchased off the market if it doesn't use LVL?

On 10/22/2010 8:49 AM, Kostya Vasilyev wrote:
The server-side LVL could verify the application signature instead, since anyone (pirates) changing the code would have to re-sign the package. The signature is (I think) available to Market application on the phone, and to the LVL back-end on the server.

Android Market's communication with the server and the application are encrypted, and Market is signed with the platform key, which means it can't be tampered with.

Don't know if there are any vulnerabilities with this (other than rooted phones), but then, I don't work for Google and shouldn't discuss something I know nothing about :)

-- Kostya

22.10.2010 12:30, Jose wrote:
But you can check for the checksum in dozens of different places in
your (obfuscated, of course) code. It's very easy and very fast.
This will raise the bar for piracy one step more.

On Oct 22, 9:18 am, noriato<fabri...@gmail.com>  wrote:
So then the check for the checksum could be removed... same problem.
Peter

On 22 Oct., 07:50, Jose<toco...@gmail.com>  wrote:

I think that an easy way to tamper-proof an apk would be:
1) Android Market computes a checksum for the apk when the apk is
uploaded
2) In the License Response (e.g. in one extra), Android Market sends
this value
3) The application computes the same checksum of itself. If the values
don't match, just finish()
This could be very easy to do for Android Market developers...
Regards,
Jose
On Aug 24, 8:16 pm, Trevor Johns<trevorjo...@google.com>  wrote:
FYI: We have a blog post up on this topic. It covers many of the points I
made earlier, but I figured it's worth pointing out.
http://android-developers.blogspot.com/2010/08/licensing-server-news....
--
Trevor Johns
Google Developer Programs, Android
http://developer.android.com
On Tue, Aug 24, 2010 at 8:26 AM, a1<arco...@gmail.com>  wrote:
But I'm not sure that native code is any harder to patch, and there
are still identifiable syscalls or calls back up to java for i/o to
show where it tries to accomplish verification.
First of all, it's much harder to bypass, especially if you are dealing with optimized code, and you will have to do it at least twice (for arm
abi and armv7 abi). Even toolchain setup is more complicated.
--
Bart Janusz (Beepstreet)
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=e



--
Leigh McRae
www.lonedwarfgames.com
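
Added example, not part of the thread and not LVL code: one way step 3 of Jose's proposal (the app computing a checksum of itself and comparing it with the value from the license response) could look on Android, in Java. The class and method names are hypothetical, the checksum field in the license response is the thread's proposal rather than an existing LVL feature, and the store is assumed to deliver the APK byte-for-byte as uploaded.

```java
import android.content.Context;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Hypothetical helper class; not part of LVL or the Android SDK.
public final class ApkSelfCheck {
    private ApkSelfCheck() {}

    // SHA-256 of this app's installed APK file, as lowercase hex.
    static String sha256OfOwnApk(Context context)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        // getPackageCodePath() is the path of the app's primary APK.
        InputStream in = new FileInputStream(context.getPackageCodePath());
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                digest.update(buf, 0, n);
            }
        } finally {
            in.close();
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : digest.digest()) {
            hex.append(String.format(Locale.US, "%02x", b & 0xff));
        }
        return hex.toString();
    }

    // expectedHex: assumed to come from an extra in the signed license
    // response (step 2 of the proposal); a hypothetical field, not an LVL one.
    public static boolean apkMatches(Context context, String expectedHex) {
        if (expectedHex == null) return false;
        try {
            byte[] actual = sha256OfOwnApk(context).getBytes("US-ASCII");
            byte[] expected = expectedHex.trim().toLowerCase(Locale.US).getBytes("US-ASCII");
            return MessageDigest.isEqual(actual, expected);
        } catch (Exception e) {
            return false; // fail closed: an unreadable APK counts as a mismatch
        }
    }
}
```

The caller is expected to verify the license response signature before trusting `expectedHex`. As noriato points out in the thread, a repackaged app can have the call to this check removed, so it raises the bar rather than closing the hole.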
