Android Market Licensing Server Hacked, Google Says “100% Piracy Protection Is Never Possible”

by Gaurav Kheterpal on August 25, 2010

Android may be the most popular mobile operating system of recent times but it certainly doesn’t have the most secure app store licensing scheme. 

Google introduced a new licensing server for Android Market in July to ensure that all apps have been legally purchased (paid) and downloaded (free). However, it seems that the technology giant didn’t really pay enough attention to the security aspects of its licensing protection.

Justin Case of Android Police demonstrates that it’s a piece of cake to bypass the Android Market Licensing Server with a little bit of programming knowledge. As expected, Google begs to differ.

Google says “100% piracy protection is never possible in any system that runs third-party code”. Is that excuse justified for such a crucial loophole? I, for one, don’t think so.

In the past, several security experts and developers have raised concerns regarding Google’s copy protection scheme being vulnerable. Jeff LaMarche, a popular name in the Mac OS world, claims that he can think of “a dozen” ways to defeat Google’s protections.

In this particular incident, Justin Case used the assembler/disassembler suite called “smali/baksmali” to demonstrate how an Android License Verification Library file can be tampered with so that it appears as a perfectly valid license. He believes that the problem is severe and “only set to get worse as the platform grows”.

For obvious reasons, Google continues to be in denial mode. In his latest post on the Android Developers blog, Tim Bray goes all out to defend the Android Market licensing server with the following arguments:

* The licensing service is very young

* The first release wasn’t security focused

* Developers are using this sample as-is

* Developers need to obfuscate their code

* 100% piracy protection is never possible in any system that runs third-party code

* Piracy is a bad business to be in (I love this one!)

While all that is good advice, it would have been good to see Google admitting that it screwed up on the Licensing Server. On the contrary, Google is making all possible efforts to wash its hands of the whole issue. Google’s developer documentation states that Android’s licensing system is not a copy protection system and that it is the developers’ responsibility to ensure the safe licensing passage for their apps.

The war of words between Google & Android Police just doesn’t end there. Justin Case posted his take on the response from Tim Bray and even offered suggestions to developers on how they can add another layer of protection to their applications. I dearly wish Mr. Bray & Google had thought of the same.

My advice to Google for Android licensing – “Use protection”; after all, it’s “better safe than sorry” 🙂
