It has come to my attention Titanium Backup can back up a paid app on one device, then you can copy the backup to another device (with a different Google account), and the licensing will report the app as licensed.
I have done some experiments, and it is actually receiving a licensed (and fully signed) response, which must be from Google as the RSA decrypting and sig are correct.

How can a device possibly be getting a valid license response from Google when the user has not purchased the app? Surely this has to be a secure connection?

I have made my apps very hard to hack, but it seems to me this is impossible to defend against and something is fundamentally broken.

Can anyone shed any light on this?

Thanks.

Extra info: It stores this data in the backup. I believe it is using something in here to achieve this, probably the market.* stuff:

market.persistent_flags=0
market.auto_update=1
app_version_code=21
sys_ro.product.model=NP81QC
market.first_download_ms=1408825186048
market.app_certificate_hash=JagmoIKFFiaeMXFmG1PTVsOnk3E
market.delivery_data_timestamp_ms=1408825182372
market.last_notified_version=21
has_prefsdata=0
market.last_update_timestamp_ms=1408825226856
market.doc_type=1
app_gui_label=XXXXX
sys_ro.build.version.release=4.2.2
market.external_referrer_timestamp_ms=0
app_apk_md5=29ef4bb072f118e2ee7f5a6cea3c3619
market.auto_acquire_tags=
market.installer_state=0
market.document_hash=-4760422619376469620
market.continue_url=
market.download_uri=
app_is_forward_locked=0
market.desired_version=-1
app_label=XXXXXX
market.referrer=
market.account=XXXXXX
market.flags=0
market.title=XXXX
generation=1
sys_ro.build.date.utc=1381291679
market.package_name=XXXXX
market.offer_type=1
has_prefsdata_jpu=0
sys_ro.serialno=JWKS2EBU8V
sys_ro.build.description=rk30sdk-eng 4.2.2 JDQ39 eng.wengbj.20131009.120706 test-keys
market.permissions_version=1
market=1
app_apk_codec=GZIP
app_is_system=0
app_version_name=3.1
market.account_for_update=

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
