I've tried to keep the AndAppStore product out of this discussion, but as you've raised it there are big differences between the theoretical holes mentioned in that thread and what I've actually done with your licmax secured demo; my method of working around your system does not require me to modify the application, whereas the methods detailed in that thread required decompilation of the application, searching through the decompiled code for how certain classes are used, following the flow of the decompiled version of the application to ensure the usage is not vital to the application's operation, removing the specific usage related to the license checking, then recompiling the code.

All solutions wholly embedded in the app can be circumvented by decompiling, searching for usage, modifying the app, and recompiling (licmax included), and it's the way most commercial systems are cracked, but the method I've used to circumvent licmax did not require me to modify the application in any way, which makes things a lot easier for a software pirate and thus means it can be pirated by more people because the skill set required to circumvent licmax is a lot less than required to circumvent the AndAppStore solution.

I'm not based in the US, so it would be difficult to speak at a High School or College, but one thing I will say is that using high school and college students to verify the security of a solution isn't the best way to do it (otherwise Apple would probably let high school & college students verify apps for the app store). Those kinds of competitions are great for getting innovative and cool applications, but not so good for verifying implementations, as students rarely have the kind of experience that is useful when looking for holes in an application / library.

Al.

--
* Looking for Android Apps? - Try http://andappstore.com/ *

======
Funky Android Limited is registered in England & Wales with the company number 6741909.

The views expressed in this email are those of the author and not necessarily those of Funky Android Limited, its associates, or its subsidiaries.

On 18 Apr 2010, at 07:28, licmax wrote:

> So you are trying to promote your own product that got discredited by
> engineers before it started! Read this thread:
> http://groups.google.com/group/android-developers/browse_thread/thread/f032b5aa7a733a3d/dd3f85f5413f19f7
> Repeating word for word what other engineers mentioned about your
> (solution) does not necessarily apply to others.
> Perhaps you should learn more about and from licmax.com. It looks like
> your (solution) can benefit some.
>
> licmax.com frequently sponsors application cracking tournaments among
> high school and college students. If you are interested in
> participating (perhaps as a guest speaker), licmax would extend an
> invitation to you. Tournaments are usually held from Friday till
> Sunday on premise. Let us know!
>
> licmax.com helps application developers protect their products in the
> world marketplace for all platforms using industry standard
> algorithms. It basically relieves them from implementing their own
> licensing service - that's all. This way developers can concentrate on
> the functionality of their product, increase customer satisfaction,
> and maximize revenue.
>
> On Apr 14, 10:12 pm, Al Sutton <[email protected]> wrote:
>> I'm guessing that as it took you over a week to reply you're still none the
>> wiser as to how I'm doing it, so let me re-iterate some important points you
>> seem to have missed;
>>
>> 1) I've not told you how I did it, so what makes you think your little rant
>> on crypto algorithms is relevant to what I've done?
>>
>> 2) A reference implementation serves as a "gold standard" by which other
>> implementations can be judged (see
>> http://en.wikipedia.org/wiki/Reference_implementation_(computing) ), so as
>> your "Gold Standard" implementation is vulnerable it's logical to assume
>> that all implementations will be vulnerable as they'll be based on the RI.
>>
>> I'm still waiting for someone to send me an implementation so I can create a
>> video showing it pre and post-crack, but as I've not received one I'm
>> guessing that developers are choosing not to use your product.
>>
>> Al.
>>
>> --
>> * Looking for Android Apps? - Try http://andappstore.com/ *
>>
>> ======
>> Funky Android Limited is registered in England & Wales with the company
>> number 6741909.
>>
>> The views expressed in this email are those of the author and not
>> necessarily those of Funky Android Limited, its associates, or its
>> subsidiaries.
>>
>> On 15 Apr 2010, at 02:13, licmax wrote:
>>
>> Well, apparently you don't have a full grasp of what licmax.com is or
>> does. All I can tell you is do your homework and rtfm before making
>> claims.
>>
>> licmax.com generates license keys using widely used industry
>> standard one-way hash algorithms such as SHA-256, SHA-384, MD5, etc.
>> If you claim you can crack these algorithms, I'd suggest you post your
>> findings to the standards committees that take care of such algorithms
>> (http://www.nist.gov/itl/ , http://www.itl.nist.gov/fipspubs/index.htm).
>>
>> Again, the provided reference implementation is nothing but that.
>> Developers won't necessarily use the exact provided code where it
>> would be obvious to hackers. Each developer would implement their own
>> way and strategy to achieve verification goal. You don't seem to know
>> the difference between RI and client library.
>>
>> licmax.com helps application developers protect their products in the
>> world marketplace using industry standard algorithms. It basically
>> relieves them from implementing their own licensing service - that's
>> all. This way developers can concentrate on the functionality of their
>> product, increase customer satisfaction, and maximize revenue.
>>
>> On Apr 5, 11:00 pm, Al Sutton <[email protected]> wrote:
>>
>> I made an offer that anyone using licmax could send me their app and I
>> would make a video showing it working without a valid license, as yet I
>> haven't received a single request, which is why there has been no video
>> posted, but I'd be happy to do the same for whatever you consider to be
>> a "secure" example.
>>
>> Demos and reference implementation are only useful when they cover
>> most real world scenarios, so to put out a demo which, by your own
>> admission is trivial to crack, is like trying to sell umbrellas by
>> providing people with samples that have no canvas.
>>
>> I suspected the method I used would be completely undetectable, thanks
>> for your confirmation. To me this means that developers using your
>> solution would not only be left unsecured they would also be left
>> unaware that piracy was happening. This is the same situation they would
>> be in if they didn't implement licmax, and hence it would appear your
>> product offers little if any benefit to developers.
>>
>> Al.
>>
>> --
>> * Looking for Android Apps? - Try http://andappstore.com/ *
>>
>> ======
>> Funky Android Limited is registered in England & Wales with the company
>> number 6741909.
>>
>> The views expressed in this email are those of the author and not
>> necessarily those of Funky Android Limited, its associates, or its
>> subsidiaries.
>>
>> On 5 Apr 2010, at 21:33, licmax wrote:
>>
>> Hi,
>>
>> licmax is a web-based license generation and verification service, not
>> a client library. Developers may implement use of the service to
>> varying degrees of defense against piracy according to their strategy.
>>
>> licmax' mechanism is neither proprietary nor undocumented. Our
>> literature clearly describes full details of the mechanism, which
>> happens also to be employed by other providers.
>> It is our technical conviction that such a mechanism can be part of a
>> robust anti-piracy solution.
>>
>> The demos and reference implementations are merely intended to
>> exemplify fetching and verifying license keys. Cracking the reference
>> implementation binary is trivial. We clearly state its use is at the
>> discretion of the developer.
>>
>> As for this specific piracy attempt cited in the first post of this
>> discussion, we can confirm there has been no compromise of license
>> keys on our servers. The attempt clearly didn't exercise the
>> principles of licmax since there is no trace of the perpetrator on our
>> system. Our installed customer base regularly endures piracy attempts
>> none of which has ever been successful.
>>
>> If you need further guidance on the licmax strategy, please visit us
>> at licmax.com and feel free to contact us at [email protected]
>>
>> Regards,
>> The licmax Team
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Discuss" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-discuss?hl=en.
