On Wed, Jan 16, 2013 at 4:00 AM, btschumy <b...@otherwise.com> wrote:
> On Monday, January 14, 2013 7:05:37 PM UTC-7, Nikolay Elenkov wrote:
>
>>
>> This is not particularly reliable: if I repackage your app, I can
>> change whatever
>> 'internal' values you have.
>
>
> Perhaps I'm wrong, but a cracker shouldn't be able to modify the code and
> re-sign it with our signature.  If that is possible it defeats the whole
> purpose of digital signatures, right?
>

You are mostly right. However, they don't have to sign with your key, just
any valid key. The signature/certificate only matters if you are updating
an app. If it is a new install (e.g., download paid app from an all-you-can-eat
site) anything goes. The usual way to crack these things is unpackage,
decompile, disable licensing checks, etc., repackage, sign. Your own
signature/certificate is usually quite irrelevant.

>>
>> Additionally, some tools will patch stuff
>> in dalvik-cache
>
>
> I'm not sure I understand what you mean.  Are you saying at runtime they can
> patch it with a special loader?  If so, sure.  However, I doubt this would
> lead to widespread piracy.
>

Google 'android lucky patcher'.

>>
>> without ever touching your apk. And, of course, it can be pirated without
>> being
>> repackaged.
>
>
> We are also using Google's LVL so I don't see how the app is going to be
> pirated without modification and repackaging.
>

That would help somewhat yet. But that again is quite easy to strip out.
Google 'android antilvl'. If it fails with your apk, you should be mostly OK.
See other replies as well. antilvl (and similar) tools automate the static
analysis part to a certain extent: they look for system API commonly
used to implement licensing and anti-tampering code and swap them
right out with their own version which always returns true, etc.

To sum up: if most popular tools fail to patch your app automatically and
you're using some sort of online license verification (such as LVL), you
should be mostly OK.
