Altering the key length isn't a problem. The export restrictions would apply
to Android (which provides the crypto routines as part of the framework),
and the key strength currently used is supported by G1s in the US and UK.

If it is possible to decompile the dex, find and remove any and all license
checks, and then recompile, then an attacker would need to do it for each
release of each app they wanted to crack. Although this isn't impossible,
the level of effort required is pretty significant.

Al.

---

* Written an Android App? - List it at http://andappstore.com/ *

======
Funky Android Limited is registered in England & Wales with the 
company number  6741909. The registered head office is Kemp House, 
152-160 City Road, London,  EC1V 2NX, UK. 

The views expressed in this email are those of the author and not 
necessarily those of Funky Android Limited, its associates, or its 
subsidiaries. 


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Stoyan Damov
Sent: 31 March 2009 14:04
To: [email protected]
Subject: [android-discuss] Re: Piracy and app "protection"


Indeed, Al's protection scheme works. I have just 2 issues with it:

1. Key length should be configurable, depending on the country in which the
app would be used, right? AFAIK strong key encryption is not allowed outside
the US (or at least in some countries), but I might be wrong.

2. I've seen some links on the web where people reverse engineer the dex
format (probably not fully). I know it's closed source (or is it?) but if
someone reverse engineers it fully then there's no protection whatsoever --
I'll just get the java code, and even if it's obfuscated I can remove the
single "if" statement in the protection code, recompile, sign with my key
and redistribute the new .apk for free. I hope this won't happen, but who
knows.

Cheers

On Tue, Mar 31, 2009 at 4:00 PM, Jean-Baptiste Queru <[email protected]>
wrote:
>
> It looks like you have quite some bases covered.
>
> I think there'd be definite value for Android as a whole if the 
> different app stores that move in that direction could adopt a common 
> API for such a mechanism. Added bonus for SDK integration.
>
> Beyond that I have no visibility into Google's plan for such a scheme on
> Market.
>
> JBQ
>
> On Tue, Mar 31, 2009 at 5:06 AM, Al Sutton <[email protected]> wrote:
>>
>> Out of interest what do people think of the AndAppStore scheme at 
>> http://andappstore.com/AndroidPhoneApplications/licensing.jsp ?
>>
>> I'd happily work with the Google guys to get either this, or a 
>> similar scheme integrated with Market to offer a higher level of 
>> protection against the apps being run by unauthorised accounts.
>>
>> I also think that protecting the APK file isn't the answer. Hence why 
>> the AndAppStore scheme focuses on runtime protection as opposed to 
>> file protection.
>>
>> Al.
>>
>>
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Stoyan Damov
>> Sent: 31 March 2009 13:02
>> To: [email protected]
>> Subject: [android-discuss] Piracy and app "protection"
>>
>>
>> Is Google working on a better protection scheme? I googled for my 
>> game today (to see whether it's being pirated) and immediately found it
>> on rapidshare.
>> I did report the abusing referral link but can't report for other guys'
>> apps.
>>
>> BTW, guys, I've found *many* games on many websites...
>>
>> P.S. I didn't bother to protect my game because anyone with a rooted 
>> phone can pull the game out of his device and there are quite a lot of
>> them.
>>
>> Cheers
>>
>
> --
> Jean-Baptiste M. "JBQ" Queru
> Android Engineer, Google.
>
> Questions sent directly to me that have no reason for being private 
> will likely get ignored or forwarded to a public forum with no further 
> warning.
>