Monday, August 23, 2010

Android app licensing cracked in less than a month!!

There has been some concern about smartphone apps in recent weeks after a malware app that sent premium-rate text messages to make money for criminals worked its way into the Android store. What’s more, the BBC demonstrated a proof-of-concept Java app that seemed to be a simple game of noughts and crosses but was copying contacts and emails in the background.

A spokesperson for Google told the BBC about the malware app…

“Google has a system in place that can revoke malicious applications and stop them running on handsets. Our application permissions model protects against this type of threat. When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a user’s phone number or sending an SMS. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time.” The spokesperson said the firm advises users to “only install apps they trust”.

In response to developers’ complaints of unauthorized usage of their wares, Google has set up a licensing service, by which – via a set of libraries – an application can hit Google’s server, which stores sales records. Every time an app with this protection is launched, it checks with Google to be sure the copy is legit.

The new system was to replace the old copy protection method within a few months, and was considered to be more secure and less problematic.


Now, NeoWin is reporting that the new licensing scheme for Android apps has been cracked less than a month after coming on-line!!!


The “Licensing Service for Android applications” was supposed to provide developers a “secure mechanism to manage access to all Android Market paid applications.”  In theory, the new licensing system would verify against the Android Market licensing server, which would in turn verify the application against existing sales records. If no sales records were found, the application would show an error explaining that it was not properly licensed.

The man responsible for cracking the security has published a paper on his website in which he details how to reprogram an app written in Java, the language most Android apps are written in, to change its status from unlicensed to licensed.

He says…

I am very much against piracy, and very much pro-Google. I have spent more time researching copy protection for my applications than development of the applications themselves.  Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution. By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts.

He also provides a video demonstrating his findings.  Google have not yet commented on the crack.
