How to secure my app against piracy

Snake picture Snake · Mar 26, 2012 · Viewed 29.7k times · Source

I am developing an android app and I am planning to publish it (paid app). I have heard that it is very easy to pirate Android apps (much easier than iphone). I was wondering from your experience or what you know, how can increase the security of my app? I know that I can never get it 100% secured but I want to make it harder for people to pirate it or distribute it illegally Any ideas, experiences, comments you can share?

Answer

Phil picture Phil · Mar 26, 2012

I released a free anti-malware app for Android, and making sure nobody hacked it was essential to its success. The biggest threats agains an app on the Android Market include leaked source code, copied/distributed paid apps, and re-keying. I explain each below and way to solve them.

Firstly, this paper describes how to reverse-engineer an Android application by unpacking the compiled code and viewing the source code. You will not be able to block this from happening to your app. Period. Someone with a will can always view your sourcecode if they get a copy of your apk (easily available on a rooted phone). The good news is that you can obfuscate the important pieces of your code making it harder to reverse engineer. Proguard is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. In order to prevent your important code from being read, however, you will need to move all vulnerable methods or variables to a file that is not an Activity, Service, or BroadcastReceiver. For full facts, read the documentation.

To protect agains illegally copy and distribution of your application, Google Play provides some licensing options. Unfortunately, LVL is also not entirely secure. A detailed HOW-TO for how to crack it (pre-Google Play) is available here.

Lastly, the paper linked above, as well as numerous scholarly articles and online blogs describe how, once the source code (or even obfuscated source code) is leaked, once can merely add some of their own, malicious code, resign the app, and publish it on the Android Market. The good news here is that, unless your android license key password is easily guessable, or if you give it out to someone else, the attacker will not be able to publish an application with the same license key. This not only protects you from blame, but it will also make it so that malicious application cannot access data available through your original application (such as SharedPreferences).

All in all, the best way to really secure your application from piracy is to correctly configure and use Proguard, Google Play Licensure, and to sign you final apk with a very secure license key.