Market License - Easy Implementation to Protect Your Apps

[alostpacket]

Also it should be noted this is not a very secure way of using LVL. Google recommends you edit the classes themselves to obfuscate where the calls are made and how the responses are handled. basically changing some of the default values/constants and moving the functions around so it's harder to find where you make the license check.

The system (as it's posted in tutorials) is circumvented by changing one easy-to-find switch statement in the decompiled bytecode.


You then will additionally want to use something like proguard to further obfuscate.

Finally the most secure method would be to then send the response you get from the market app to a server you control in an encrypted and signed format to process the validity of the response.

This makes more sense if your app has assets it uses from the web.

Thwarting pirates is no small task. The question becomes, how much do you want to put into it, and how much do you think you can convert those pirates into customers.

from my experimenting with using LVL it is actually better not to use it at all for my sales. About 60% of my users are using unauthorized versions of my app, all having a much more secure version of the licensing that you see above and obfuscated with pro guard. When I used LVL my return rate was about 40% and without it dropped down to around 20% because the app performed faster and never gave the user a failed license check when it actually was valid (which happens too frequently and confuses users that just purchased the app). My piracy rate did not decline no matter what prevention I used so I figured it was better for my paying customers just to not worry with it.

Thanks for this, I had been wondering myself as to whether to use it. I just got hit with my first pirate attack after having my first paid app out only a 3 weeks (my other app is free with a donate version so no pirates there). So I've been reading a lot about it lately.

I think I'm leaning against using it for the same reasons you state and it's nice to hear opinions of those who have tried it. So thanks for your post

It's hard though -- I have less that 35 purchases and these guys are stealing already. It's pretty hard to stomach as my hope is to pay the rent with app development.

[alostpacket]

I'm not saying I would do this, I'm just wondering if one could over come this by decompiling the dex file with smali and baksmali?
I hope not..

Sent from my Droid using Tapatalk

Yes it's not infallible from what I understand. The idea is to make it so much of a pain as to not be worth the time.

However, using those techniques combined with having your app contact a private server you control with encrypted and signed responses from the license api is supposed to be very difficult to overcome.

This is especially the case if your app requires content from your server. This is because the server can refuse to serve content to the app if it detects problems. This is in contrast to having the content protection in the app itself where the user or a maclious hacker/pirate can modify it.

The old adage in terms of this kind of security is "never trust the client" (ie the App) since it's not under your control.

This is a seriously involved thing to program though. And a lot of effort for people who might not buy your software regardless. For me personally too, my PHP is so rusty I would need a tetanus shot just to get started coding anything server side.

[jeffv2]

I'm not saying I would do this, I'm just wondering if one could over come this by decompiling the dex file with smali and baksmali?
I hope not..

Sent from my Droid using Tapatalk

Yes it's not infallible from what I understand. The idea is to make it so much of a pain as to not be worth the time.

However, using those techniques combined with having your app contact a private server you control with encrypted and signed responses from the license api is supposed to be very difficult to overcome.

This is especially the case if your app requires content from your server. This is because the server can refuse to serve content to the app if it detects problems. This is in contrast to having the content protection in the app itself where the user or a maclious hacker/pirate can modify it.

The old adage in terms of this kind of security is "never trust the client" (ie the App) since it's not under your control.

This is a seriously involved thing to program though. And a lot of effort for people who might not buy your software regardless. For me personally too, my PHP is so rusty I would need a tetanus shot just to get started coding anything server side.

good hopefully at some point we can put an end to pirating apps.... but i doubt it

[gflam]

It was mentioned earlier that you could just work around this by starting another activity in terminal or even some launchers that can just launch different activities however i'm thinking that in my case at least my app uses a list view which is read from my server that if i were to implement this method in that activity then opening any other activity would be pointless since it wouldn't have my server files. Just a thought for anyone whos app that uses stuff from a server