In response to growing concerns among third-party developers about Android application piracy, Google recently released a new framework called the License Verification Library (LVL). It is intended to make it easier for Android applications to verify that the user is authorized to run the software. The framework is still at an early stage of development, however, and has already been shown to be susceptible to a trivially simple attack.
The LVL is technically not part of the actual Android operating system; developers who want to use the framework compile the library into their own applications. The standard verification implementation offered with the framework relies on a validation service operated by Google that integrates with the Android Market, but developers can modify the library to make it use alternate verification methods.
In a report published by the Android Police blog, third-party Android application developer Justin Case explained how pirates can circumvent the LVL protection mechanism by using a simple decompilation tool. He says that applications using LVL can be disassembled and patched to make them consistently appear to have passed the validation check. Once patched, users can simply sideload the application package onto an Android device and use it without paying. Users don't even need to root their devices in order to run the pirated software.
He believes that it would be possible to build a tool that can automatically patch applications that use LVL, rendering the system ineffective. Despite the weaknesses of LVL, he acknowledges that it is an improvement over previous antipiracy systems for Android software and is currently the best solution available for the platform.
Google Android evangelist Tim Bray responded to Case's concerns in a post on Google's official Android blog. He says that the sample verification code supplied with the LVL framework wasn't really intended to be used unmodified. Because it was created to demonstrate how to use the framework, it was deliberately written with an emphasis on simplicity rather than robustness. Bray also contends that the sample applications compromised by Case didn't use robust code obfuscation, which would have made it considerably more difficult to compromise the software.