views: 136, answers: 4

I'm working on my first Android app, and am almost to the point where I can start thinking about putting it up on the market as a paid app.

In the process of researching this step, I found out that it's basically trivial to break Google's copy protection scheme. I don't know how big of a problem this really is, or if we need to look into some other form of protection.

Obviously an obfuscator like ProGuard is a good first step, but how would you go about protecting your application from being released into the wild?

Second, other than encrypting contents (which is difficult because the decryption key has to be stored in the program too) how would you prevent someone from just dumping the contents of a sqlite3 database?

+2  A: 

It sounds like you have two security concerns:

  1. Users copying and distributing your application without paying
  2. Developers decompiling your source code and stealing it for their own applications

Concern #1: It's definitely possible for users to do this. One solution would be to give the app away for free, but disable it until they register on an independent website (where they pay). However, this kind of defeats the purpose of using the market as a convenient way to distribute your app.

Concern #2: This is a problem developing Java applications in general and isn't really specific to Android. As you stated, using an obfuscator is a good start. However, you are always going to be able to decompile Java code, and there really isn't any easy way around this that I know of.

My opinion is that piracy is very difficult to stop if the culprit has enough motivation. However, in general I don't think it's a huge concern for Android developers. I know lots of people who wouldn't blink about downloading pirated movies or video games, but pay for all of their mobile applications.

dbyrne
So is relying on the fact that most of our target demographic is computer illiterate our only option? I'm well aware that there is no such thing as real computer security other than to not use computers, I'm just hoping to find a way that makes it difficult enough to put off some of the people that might want to steal it.
AndyD273
I prefer to think of it as relying on the fact that most of our target demographic is honest ;)
dbyrne
This new licensing service sounds promising, although I would have concerns using it in an application that would otherwise not require a network connection.
dbyrne
Most people already don't want to steal it. If it's not credit card details, don't sweat it; if it is, don't store it.
Patrick
@Patrick: Agreed. The more you worry about piracy, the more you risk hurting the experience for your honest customers (see: Ubisoft).
dbyrne
As I read the new Android Market license agreement, you can't legally distribute a free app that you pay for unlocking on another site. Google requires using their payment providers.
CodeFusionMobile
I agree that most of our customers are probably honest, it's more that the data in this app is one of the big revenue sources for us, and so I have to be able to assure my boss that it won't get away without reasonable difficulty. Considering that up to this point our customers could have just run the print version through a copy machine, I suppose I don't really have much to worry about.
AndyD273
@dbyrne: Agreed. That's the scenario that I'm trying to avoid. That's part of the reason I don't really want to have the data all online, it slows it down too much...
AndyD273
A: 
  1. Don't use sqlite. Use your own custom format. That's not unbreakable, but it will definitely make it harder to extract data.
  2. Just don't keep your sensitive data on the customer's device. Keep it on the Internet on your own server, and make your app just a "thin" client to your server-side data/app.

For now 90% of devices have Internet connectivity for 90% of their running time. You should consider the importance of your data and either choose to keep it always server-side, requiring Internet connection, or keep it at client-side, making it vulnerable.

zed_0xff
Hmm, not sure how to go about making my own custom format... the DB has a dozen tables, and several thousand records... Keeping it responsive while searching through flat files would be rough. I've considered number 2, and while not a bad idea, it seems like speed could be an issue again, esp if drilling down several levels, and having to wait a second for a response each time.
AndyD273
To solve connection delays you could either use your own custom binary protocol and always keep the socket connected, or find a way to do that with the Android internal HTTP client. Anyway, persistent connections are key.
zed_0xff
+4  A: 

Just today Google released details of the new licensing service which is intended to replace copy protection. See here for details: http://developer.android.com/guide/publishing/licensing.html

oli
This is good news.
AndyD273
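The licensing service this answer links to has the market server answer each check with a response signed by the publisher's RSA key, which the app verifies with the embedded public key, so the only key that ships in the APK is a public one, which addresses the question's worry about a decryption key having to live in the program. The Go sketch below is an added example, not code from this thread or from the Android SDK: it models that exchange with a constructed key pair, an assumed field layout (responseCode|nonce|packageName|versionCode) and stand-in nonce and package checks.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// newPublisherKey stands in for the publisher key pair the store holds;
// the private half never leaves the server.
func newPublisherKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signResponse is the server side. The field layout
// responseCode|nonce|packageName|versionCode (0 = licensed) is assumed here.
func signResponse(priv *rsa.PrivateKey, code int, nonce int64, pkg string, ver int) (string, string, error) {
	data := fmt.Sprintf("%d|%d|%s|%d", code, nonce, pkg, ver)
	h := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return data, base64.StdEncoding.EncodeToString(sig), err
}

// verifyResponse is the app side: only the public key ships in the APK, so
// nothing secret is embedded. An edited reply fails the signature check, a
// replayed one fails the nonce check, a reply for another app fails the package check.
func verifyResponse(pub *rsa.PublicKey, data, sigB64 string, wantNonce int64, wantPkg string) (bool, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256([]byte(data))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return false, fmt.Errorf("bad signature: %w", err)
	}
	f := strings.Split(data, "|")
	if len(f) != 4 {
		return false, fmt.Errorf("malformed response")
	}
	nonce, err := strconv.ParseInt(f[1], 10, 64)
	if err != nil || nonce != wantNonce || f[2] != wantPkg {
		return false, fmt.Errorf("nonce or package mismatch")
	}
	return f[0] == "0", nil // licensed only when the signed code says so
}
```

The nonce must be freshly generated by the app for each check and compared against the reply, otherwise a captured "licensed" reply could simply be replayed.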