Android software piracy rampant despite Google’s efforts to curb

Android’s growing success as a smartphone operating system is bringing a long-simmering problem to light: A lot of Android applications are being pirated. The openness of the platform has made it easy for people to steal applications without paying for them.

Until very recently, it was easy to strip rudimentary copy protection from applications offered on the Android Market Web site, and then use, offer or even sell the software as your own. The problem isn’t new, and Google has taken much more aggressive steps in 2010 to make it harder to pirate Android apps.

But the growing popularity of the OS with enterprise users and developers is creating greater urgency, as pirated code robs developers of revenue and the incentive to remain committed to Android. (See Android Set to Rule Over Apple and RIM Operating Systems.)

Network World’s Android Angle blogger, Mark Murphy, bluntly noted a year ago that “Right now, it is very straightforward — if you publish on Android Market, your application will be made available for free download outside of the Market.” He added, “This is part and parcel of having an open environment like Android.” The then-current Android Market copy protection mechanisms “have been demonstrated to be ineffective.”

One Android developer, with the handle Chimaera, reported his first app was pirated within a month, and the pirates’ download statistics were more impressive than his own. The crowning indignity: Trying to get file servers to remove the pirated software was frustratingly complicated. “They made you feel as [if] you are the offender,” he wrote.

What’s especially galling to professional developers is watching sales plunge as piracy rates soar. “The current issue we face with Android is rampant piracy, and we’re working to provide hacking counter measures, a difficult task,” says Jean Gareau, founder of VidaOne, an Austin, Texas, software company that specializes in health and fitness applications for a variety of operating systems.

One developer, “Dave,” of KeyesLabs, argued in an online forum that a “culture of cheating” was developing around the OS.

KeyesLabs created an Android utility called Screebl. In a recent blog post, the company reported: “Over time … we began to notice a dramatic increase in the number of pirated versions of Screebl Pro, accompanied by a decrease in sales. Lately our piracy rates have spiked as high as 90% on some days.” In some cases, it took only minutes after a new version was posted for pirated code to appear.

KeyesLabs created its own licensing protection, called Automatic Application Licensing (AAL), and began bundling it with Screebl Pro. “The purpose of AAL is to allow painless verification that the user of Screebl Pro actually purchased the app from the Android Market. We've taken this step to attempt to put a stop to the insane levels of piracy that Screebl has seen, and so far, things seem to be working out nicely.”

Some have argued that piracy is rampant in those countries where the online Android Market is not yet available. But a recent KeyesLabs research project suggests that may not be true. KeyesLabs created a rough methodology to track total downloads of its apps, determine which ones were pirated, and the location of the end users. The results were posted in August, along with a “heat map” showing pirate activity.

“Over the course of 90 days, the app was installed a total of 8,659 times. Of those installations only 2,831 were legitimate purchases, representing an overall piracy rate of over 67%. For my app, the largest contributor to piracy, by far, is the United States providing 4,054 or about 70% of all pirated installations of Screebl Pro.” The company concluded that of the nearly 6,000 pirated downloads, only 14% were from countries lacking access to the Android Market.

In July 2010, Google announced the Google Licensing Service, available via Android Market. Applications can include the new License Verification Library (LVL). “At run time, with the inclusion of a set of libraries provided by us, your application can query the Android Market licensing server to determine the license status of your users,” according to a blog post by Android engineer Eric Chu. “It returns information on whether your users are authorized to use the app based on stored sales records.”

It was a well-received start to securing applications, but there’s still a long way to go.

“Google is well aware of the issue and has released some feature (licensing validation), but they can easily be broken because basically, a hacker can obtain an application source code (i.e. reverse-engineering), something that cannot be done on the iPhone or Windows Mobile for instance,” says VidaOne’s Gareau.

Justin Case, at the Android Police Web site, dissected the LVL. “A minor patch to an application employing this official, Google-recommended protection system will render it completely worthless,” he concluded.

In response, Google has promised continued improvements and outlined a multipronged strategy around the new licensing service to make piracy much harder. “A determined attacker who’s willing to disassemble and reassemble code can eventually hack around the service,” acknowledged Android engineer Trevor Johns in a recent blog post.

But developers can make their work much harder by combining a cluster of techniques, he counsels: obfuscating code, modifying the licensing library to protect against common cracking techniques, designing the app to be tamper-resistant, and offloading license validation to a trusted server.
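An added sketch of the last technique in that list, offloading license validation to a trusted server (example code written for this page, not taken from Google's licensing library or from the developers quoted): the app forwards the signed license response, and the server verifies it before unlocking anything. The response layout, the Ed25519 signature scheme, the generated key pair and the names `NewDemoKeys`, `Sign` and `VerifyLicense` are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// NewDemoKeys returns a constructed key pair standing in for the licensing service's key.
func NewDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign plays the licensing service and signs one response.
func Sign(priv ed25519.PrivateKey, data string) []byte { return ed25519.Sign(priv, []byte(data)) }

// VerifyLicense runs on the developer's server, out of reach of a patched app.
// Assumed response layout for this sketch: "status|nonce|package|userID".
// The signature is checked before any field of the response is trusted.
func VerifyLicense(pub ed25519.PublicKey, data string, sig []byte, nonce, pkg string) error {
	if !ed25519.Verify(pub, []byte(data), sig) {
		return fmt.Errorf("license rejected: bad signature")
	}
	f := strings.Split(data, "|")
	switch {
	case len(f) != 4:
		return fmt.Errorf("license rejected: malformed response")
	case f[1] != nonce: // the server issued this nonce for this one request
		return fmt.Errorf("license rejected: nonce mismatch, possible replay")
	case f[2] != pkg:
		return fmt.Errorf("license rejected: response is for package %q", f[2])
	case f[0] != "LICENSED":
		return fmt.Errorf("license rejected: status %q", f[0])
	}
	return nil
}

func main() {
	pub, priv := NewDemoKeys()
	ok := "LICENSED|n-1234|com.example.app|user-1"         // constructed sample
	denied := "NOT_LICENSED|n-1234|com.example.app|user-1" // what the service really signed
	fmt.Println("genuine:", VerifyLicense(pub, ok, Sign(priv, ok), "n-1234", "com.example.app"))
	fmt.Println("patched:", VerifyLicense(pub, ok, Sign(priv, denied), "n-1234", "com.example.app"))
	fmt.Println("replay: ", VerifyLicense(pub, ok, Sign(priv, ok), "n-5678", "com.example.app"))
}
```

Because the decision is made on the server, patching the check out of the app only removes the request; it does not produce a response the server will accept.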

Gareau isn’t quite as convinced of the benefits of code obfuscation, though he does make use of it. He’s taken several other steps to protect his software work. One is providing a free trial version, which allows only a limited amount of data but is otherwise fully-featured. The idea: Let customers prove that the app will do everything they want, and they may be more willing to pay for it. He also provides a way to detect whether the app has been tampered with, for example, by removing the licensing checks. If yes, the app can be structured to stop working or behave erratically.

Other steps: implementing the Google Java licensing scheme for apps sold on Android Market, so that people who requested and received a refund on a purchased app cannot still use the code; and using an alternative resale channel, such as www.handango.com, in locations where Android Market is not yet available.

“This is not a silver bullet, but it goes a long way to help prevent piracy,” Gareau says.

John Cox covers wireless networking and mobile computing for Network World.

Twitter: http://twitter.com/johnwcoxnww
Email: john_cox@nww.com
Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
