I wrote yesterday about Android Police finding problems with Google's License Verification Library, a system which attempts to reduce piracy of Android apps. Yesterday, Google's Tim Bray responded to the reported issues by highlighting the service's strengths, and steps that developers can take to improve the service's protection.
Android as a platform seems to be continually getting better, and while this latest discovery of the vulnerabilities in Google's new anti-piracy system is alarming, it goes to show how aware the Android community is, and how concerned people are about improving the platform as a whole. That is especially true since all the websites I read that covered the story seemed to be alarmed by the findings, and not pleased that pirates would have an easy time.
Below is the official response from the Android-Developers team:
- The licensing service, while very young, is a significant step forward in terms of protection over the plain copy-protection facility that used to be the norm. In the how-to-pirate piece, its author wrote: “For now, Google’s Licensing Service is still, in my opinion, the best option for copy protection.”
- The licensing service provides infrastructure that developers can use to write custom authentication checks for each of their applications. The first release shipped with the simplest, most transparent imaginable sample implementation, which was written to be easy to understand and modify, rather than security-focused.
- Some developers are using this sample as-is, which makes their applications easier to attack. The attacks we’ve seen so far are also all on applications that have neglected to obfuscate their code, a practice that we strongly recommend. We’ll be publishing detailed instructions for developers on how to do this.
- The number of apps that have migrated to the licensing server at this point in time is very small. It will grow, because the server is a step forward.
- 100% piracy protection is never possible in any system that runs third-party code, but the licensing server, when correctly implemented and customized for your app, is designed to dramatically increase the cost and difficulty of pirating.
- The best attack on pirates is to make their work more difficult and expensive, while simultaneously making the legal path to products straightforward, easy, and fast. Piracy is a bad business to be in when the user has a choice between easily purchasing the app and visiting an untrustworthy, black-market site.
Phandroid does a good job of simplifying the post from Android-Developers with regard to the work that developers have to do:
At the heart of the defense is the fact that an Android developer is able to make the licensing process unique to each application based on a template provided by Google. While the default template will work, it is by no means the most secure version. Google admits that the sample released was designed to be transparent and allow for developers to bounce new ideas off of at the risk of lower security. Developers using the sample provided as-is are not getting the most out of secure authentication.
At the end of the post, Tim Bray adds that "the licensing server makes it safer, and we will continue to improve it."
Engadget seems to share my thoughts in writing that "at least you hard working developers can rest easy knowing that Google isn't standing by and letting pirates run amok."
Image from Android Central