Google has recently released a licensing service for Android applications that is supposed to make it more difficult to pirate paid apps. The service is not yet part of the operating system and it works by sending a query to Google’s servers in order to determine if the user has bought an application.
Android Police found that it’s quite easy to circumvent Google’s verification, especially if the application’s code is not obfuscated. “Because the License Verification Library is not part of the Android OS, an app developer needs to package it with the app that uses it, making it an easier patch target, without requiring root access. (…) The method is so simple, even a novice programmer could write a script to automatically patch most apps.”
Google’s Tim Bray responded by saying that “the first release shipped with the simplest, most transparent imaginable sample implementation,” which didn’t focus on security. He recommends that developers obfuscate the code and use other implementations. Tim Bray also says that “the best attack on pirates is to make their work more difficult and expensive, while simultaneously making the legal path to products straightforward, easy, and fast. Piracy is a bad business to be in when the user has a choice between easily purchasing the app and visiting an untrustworthy, black-market site.”
Tim Bray’s answer is ironic, if you think about it. Google’s Android Market lets you install paid applications only if you are in one of the 13 supported countries. The “legal path” is not “straightforward, easy, and fast” if you don’t live in one of those countries. Maybe instead of focusing on developing anti-piracy services, Google should add more locations to the paid Android Market.