Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
We have a pretty good system of fraud prevention. It's either working 100% or is totally flawed as I've never detected a single incident of piracy. Our zero piracy rate may also be due to the nature of the app: Freemium in the weather category. Pretty boring. -John Coryat -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Just for the fun of it, I've read all the answers here. And Rob H. is the one deserving my +1 ;) Still, the idea of your solution is good, but it is even easier to pirate your app. This is because the in-app purchase system is flawed an has already been broken. It is enough for any user to have a well-known app installed (not going to tell you it's name here though), which emulates the Google Play Store. When a user touches to purchase more levels, he will pay $0.00 in the emulated store, and the store will report back success in your app, which will start downloading from your server. Now to counter this, your server will have to check with Google Play if there really has been a purchase from that user before you provide the downloadable content. This is one extra step, but really an essential one. If your app gets really successful, somebody will write an emulator of your server, and again it was all for nothing. So, basic point taken here for anybody who reads this: Don't waste your time on copy-protection. Have a free, ad-supported version in the store so user's won't have to start looking for pirated versions. And be happy if people start pirating and distributing your app, as this will get your app even more popular. And don't sue the pirates. Microsoft did that with Windows XP. Made many poor people pay a lot of money and resulted in bad PR for MS, so they stopped that. MS is successful because so many people want to use their stuff, not because they are so successful in conquering pirates. Am Donnerstag, 7. Februar 2013 18:55:42 UTC+1 schrieb Rob H: I think if you're interested in protecting your app from piracy the best way to do it is via the in-app purchase system. If you're making a game, put it up there with level 1 for free. Thousands of people will check it out. If they want to continue on to the other levels, well here's an in-app store where you can decide how much you want to pay for the app (the more you pay the more content you get). Then you make your content DOWNLOADED from your server, not from unlocking something in your existing APK file. This combined with a system that communicates with your server similar to the iOS receipt auditing system means that a user is only going to get the downloaded content if they go through the purchase process. Yes, pirates could buy everything on one device, then bundle all that content up and modify your APK to say that all the content is unlocked, however the work involved makes this highly impractical. They're only going to do it if your game is so popular that everyone wants it badly, and in that case you'll be making enough money where piracy almost becomes a positive thing for you because it helps get the game in people's hands and at this point your game is so good more people seeing it means more people buying it. -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
don't have a paid version of your app in the market is a non solution: ad supported apps don't make real money for the mid range developers (with the top 1-2% of app developers perhaps being able make a modest profit). I know of at least one study to show users actually end up paying a good amount for apps if you factor in other costs: battery life, data connectivity, the possible cost of your private information being sold, etc... This is not to say ads are bad, but it's unrealistic to think that you're actually going to make a real profit from a solely ad supported app. Generally you will make a free version with ads, and an upgraded pro version with more features. What happens when someone cracks this version and puts it on the market? For the real developer (someone who cares about their profits, and isn't just making an app for run, collecting a little bit of ad revenue for giggles) app cracking is a concern. Educating yourself on the different ways it can be done would be good knowledge to have. (FYI, there are automated tools today that crack apps doing all sorts of crazy things like disassembling and rewriting your bytecode to remove licensing checks, etc...) kris On Sat, Feb 9, 2013 at 11:38 AM, Anton Kaiser i...@anton-kaiser.de wrote: Just for the fun of it, I've read all the answers here. And Rob H. is the one deserving my +1 ;) Still, the idea of your solution is good, but it is even easier to pirate your app. This is because the in-app purchase system is flawed an has already been broken. It is enough for any user to have a well-known app installed (not going to tell you it's name here though), which emulates the Google Play Store. When a user touches to purchase more levels, he will pay $0.00 in the emulated store, and the store will report back success in your app, which will start downloading from your server. Now to counter this, your server will have to check with Google Play if there really has been a purchase from that user before you provide the downloadable content. This is one extra step, but really an essential one. If your app gets really successful, somebody will write an emulator of your server, and again it was all for nothing. So, basic point taken here for anybody who reads this: Don't waste your time on copy-protection. Have a free, ad-supported version in the store so user's won't have to start looking for pirated versions. And be happy if people start pirating and distributing your app, as this will get your app even more popular. And don't sue the pirates. Microsoft did that with Windows XP. Made many poor people pay a lot of money and resulted in bad PR for MS, so they stopped that. MS is successful because so many people want to use their stuff, not because they are so successful in conquering pirates. Am Donnerstag, 7. Februar 2013 18:55:42 UTC+1 schrieb Rob H: I think if you're interested in protecting your app from piracy the best way to do it is via the in-app purchase system. If you're making a game, put it up there with level 1 for free. Thousands of people will check it out. If they want to continue on to the other levels, well here's an in-app store where you can decide how much you want to pay for the app (the more you pay the more content you get). Then you make your content DOWNLOADED from your server, not from unlocking something in your existing APK file. This combined with a system that communicates with your server similar to the iOS receipt auditing system means that a user is only going to get the downloaded content if they go through the purchase process. Yes, pirates could buy everything on one device, then bundle all that content up and modify your APK to say that all the content is unlocked, however the work involved makes this highly impractical. They're only going to do it if your game is so popular that everyone wants it badly, and in that case you'll be making enough money where piracy almost becomes a positive thing for you because it helps get the game in people's hands and at this point your game is so good more people seeing it means more people buying it. -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Yeah your right, my post might have sounded like just do ad-based free apps, but I never meant to say you shall not have a paid version (that was why I used the word version). My key point is that you reduce the users motivation to look for pirated versions if you have a free add supported version (maybe even with less features) available for a one-click download in the store. In addition to any app that offers ads and is in turn free, there must be a paid app for users who hate ads (and who want to support the development, but those are rare). Although I still wonder why someone in this thread said he could make a living off his ad-based app... Am Samstag, 9. Februar 2013 19:44:42 UTC+1 schrieb Kristopher Micinski: don't have a paid version of your app in the market is a non solution: ad supported apps don't make real money for the mid range developers (with the top 1-2% of app developers perhaps being able make a modest profit). I know of at least one study to show users actually end up paying a good amount for apps if you factor in other costs: battery life, data connectivity, the possible cost of your private information being sold, etc... This is not to say ads are bad, but it's unrealistic to think that you're actually going to make a real profit from a solely ad supported app. Generally you will make a free version with ads, and an upgraded pro version with more features. What happens when someone cracks this version and puts it on the market? For the real developer (someone who cares about their profits, and isn't just making an app for run, collecting a little bit of ad revenue for giggles) app cracking is a concern. Educating yourself on the different ways it can be done would be good knowledge to have. (FYI, there are automated tools today that crack apps doing all sorts of crazy things like disassembling and rewriting your bytecode to remove licensing checks, etc...) kris On Sat, Feb 9, 2013 at 11:38 AM, Anton Kaiser in...@anton-kaiser.dejavascript: wrote: Just for the fun of it, I've read all the answers here. And Rob H. is the one deserving my +1 ;) Still, the idea of your solution is good, but it is even easier to pirate your app. This is because the in-app purchase system is flawed an has already been broken. It is enough for any user to have a well-known app installed (not going to tell you it's name here though), which emulates the Google Play Store. When a user touches to purchase more levels, he will pay $0.00 in the emulated store, and the store will report back success in your app, which will start downloading from your server. Now to counter this, your server will have to check with Google Play if there really has been a purchase from that user before you provide the downloadable content. This is one extra step, but really an essential one. If your app gets really successful, somebody will write an emulator of your server, and again it was all for nothing. So, basic point taken here for anybody who reads this: Don't waste your time on copy-protection. Have a free, ad-supported version in the store so user's won't have to start looking for pirated versions. And be happy if people start pirating and distributing your app, as this will get your app even more popular. And don't sue the pirates. Microsoft did that with Windows XP. Made many poor people pay a lot of money and resulted in bad PR for MS, so they stopped that. MS is successful because so many people want to use their stuff, not because they are so successful in conquering pirates. Am Donnerstag, 7. Februar 2013 18:55:42 UTC+1 schrieb Rob H: I think if you're interested in protecting your app from piracy the best way to do it is via the in-app purchase system. If you're making a game, put it up there with level 1 for free. Thousands of people will check it out. If they want to continue on to the other levels, well here's an in-app store where you can decide how much you want to pay for the app (the more you pay the more content you get). Then you make your content DOWNLOADED from your server, not from unlocking something in your existing APK file. This combined with a system that communicates with your server similar to the iOS receipt auditing system means that a user is only going to get the downloaded content if they go through the purchase process. Yes, pirates could buy everything on one device, then bundle all that content up and modify your APK to say that all the content is unlocked, however the work involved makes this highly impractical. They're only going to do it if your game is so popular that everyone wants it badly, and in that case you'll be making enough money where piracy almost becomes a positive thing for you because it helps get the game in people's hands and
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I think the point is that there's no way to stop pirates (0% piracy of apps will never happen in this universe)- it's all about finding a balance between user frustration and developer protection. 100% developer protection = forcing users to submit to total background checks showing up at their house before having them buy an app 0% developer protection = $0 Obviously we need to find a balance, but it's unclear where that equilibrium point is right now. Someone should do a study on that. On Saturday, February 9, 2013 10:44:42 AM UTC-8, Kristopher Micinski wrote: don't have a paid version of your app in the market is a non solution: ad supported apps don't make real money for the mid range developers (with the top 1-2% of app developers perhaps being able make a modest profit). I know of at least one study to show users actually end up paying a good amount for apps if you factor in other costs: battery life, data connectivity, the possible cost of your private information being sold, etc... This is not to say ads are bad, but it's unrealistic to think that you're actually going to make a real profit from a solely ad supported app. Generally you will make a free version with ads, and an upgraded pro version with more features. What happens when someone cracks this version and puts it on the market? For the real developer (someone who cares about their profits, and isn't just making an app for run, collecting a little bit of ad revenue for giggles) app cracking is a concern. Educating yourself on the different ways it can be done would be good knowledge to have. (FYI, there are automated tools today that crack apps doing all sorts of crazy things like disassembling and rewriting your bytecode to remove licensing checks, etc...) kris On Sat, Feb 9, 2013 at 11:38 AM, Anton Kaiser in...@anton-kaiser.dejavascript: wrote: Just for the fun of it, I've read all the answers here. And Rob H. is the one deserving my +1 ;) Still, the idea of your solution is good, but it is even easier to pirate your app. This is because the in-app purchase system is flawed an has already been broken. It is enough for any user to have a well-known app installed (not going to tell you it's name here though), which emulates the Google Play Store. When a user touches to purchase more levels, he will pay $0.00 in the emulated store, and the store will report back success in your app, which will start downloading from your server. Now to counter this, your server will have to check with Google Play if there really has been a purchase from that user before you provide the downloadable content. This is one extra step, but really an essential one. If your app gets really successful, somebody will write an emulator of your server, and again it was all for nothing. So, basic point taken here for anybody who reads this: Don't waste your time on copy-protection. Have a free, ad-supported version in the store so user's won't have to start looking for pirated versions. And be happy if people start pirating and distributing your app, as this will get your app even more popular. And don't sue the pirates. Microsoft did that with Windows XP. Made many poor people pay a lot of money and resulted in bad PR for MS, so they stopped that. MS is successful because so many people want to use their stuff, not because they are so successful in conquering pirates. Am Donnerstag, 7. Februar 2013 18:55:42 UTC+1 schrieb Rob H: I think if you're interested in protecting your app from piracy the best way to do it is via the in-app purchase system. If you're making a game, put it up there with level 1 for free. Thousands of people will check it out. If they want to continue on to the other levels, well here's an in-app store where you can decide how much you want to pay for the app (the more you pay the more content you get). Then you make your content DOWNLOADED from your server, not from unlocking something in your existing APK file. This combined with a system that communicates with your server similar to the iOS receipt auditing system means that a user is only going to get the downloaded content if they go through the purchase process. Yes, pirates could buy everything on one device, then bundle all that content up and modify your APK to say that all the content is unlocked, however the work involved makes this highly impractical. They're only going to do it if your game is so popular that everyone wants it badly, and in that case you'll be making enough money where piracy almost becomes a positive thing for you because it helps get the game in people's hands and at this point your game is so good more people seeing it means more people buying it. -- -- You received this message because you are subscribed
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
My take on things is that the less you piss off your users, the better. Unfortunately, Google's default licensing mechanism is not only cracked in 5 seconds, but it also pisses off users if they try to use your app outside of a network connection. You can still stay with Google's method, but you'll need to do some customization and ensure that any roadblocks you put in place for piracy do not have the side effect of pissing off the people actually paying for your app. P.S. was it really worth digging up an old thread just to complain about someone's spelling? On Friday, January 25, 2013 1:27:20 PM UTC-5, JackN wrote: We can tell you're new to development, and spelling too. On Wednesday, July 22, 2009 10:28:50 AM UTC-7, astrocogz wrote: I'm new to this whole thing about being a developer but, if you think making your app hack safe and, your app's are not going to lose you your user base. Then say a hello to the new world order of android. Stop bitching and think of it as contributing to your community. I don't steel but I don't look a gift horse in the mouth either so shut up and programme like your told and stop helping to force the world in to a new world police globe or pay the hundred and move to iphone. -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I think if you're interested in protecting your app from piracy the best way to do it is via the in-app purchase system. If you're making a game, put it up there with level 1 for free. Thousands of people will check it out. If they want to continue on to the other levels, well here's an in-app store where you can decide how much you want to pay for the app (the more you pay the more content you get). Then you make your content DOWNLOADED from your server, not from unlocking something in your existing APK file. This combined with a system that communicates with your server similar to the iOS receipt auditing system means that a user is only going to get the downloaded content if they go through the purchase process. Yes, pirates could buy everything on one device, then bundle all that content up and modify your APK to say that all the content is unlocked, however the work involved makes this highly impractical. They're only going to do it if your game is so popular that everyone wants it badly, and in that case you'll be making enough money where piracy almost becomes a positive thing for you because it helps get the game in people's hands and at this point your game is so good more people seeing it means more people buying it. -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I have had a read of this thread and have come to the conclusion that the best method could be to offer a freely distributable demo version for download on the Android market so people can try out your game. Then if they like it enough to buy the full version they DO NOT purchase through the flawed Android Play Store with its 30% cut to Google. Instead they are directed to pay via PayPal to the developer directly and they receive an emailed copy of the APK file along with a unique keyfile or something like that. Then on startup of the App it checks for invalid keyfiles online against the one installed and refuses to run if its known to be pirated. Maybe also add in a username and password to login to the game. You would just have to keep check of all the users email address etc to email them an updated APK. Just a small thought. Steve -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
You could do that but you'd be in violation of the Google Play developer's agreement: 3. Pricing and Payments. However, if you want to collect fees after the free trial expires, you must collect all fees for the full version of the Product through the Payment Processor on the Market. https://play.google.com/intl/ALL_us/about/developer-distribution-agreement.html -John Coryat On Wednesday, February 6, 2013 7:06:10 AM UTC-6, reaktor24 wrote: I have had a read of this thread and have come to the conclusion that the best method could be to offer a freely distributable demo version for download on the Android market so people can try out your game. Then if they like it enough to buy the full version they DO NOT purchase through the flawed Android Play Store with its 30% cut to Google. Instead they are directed to pay via PayPal to the developer directly and they receive an emailed copy of the APK file along with a unique keyfile or something like that. Then on startup of the App it checks for invalid keyfiles online against the one installed and refuses to run if its known to be pirated. Maybe also add in a username and password to login to the game. You would just have to keep check of all the users email address etc to email them an updated APK. Just a small thought. Steve -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
And on top of that: 1. You're going to have a small nightmare if you want to roll out updates to your customers. You certainly wouldn't want to do that by email. A customer's email box quota could have been reached, the attached APK could be too big for the email provider... and it's just a PITA to do. 2. You would alienate customers who are not tech-savvy (aka majority of customers) by requiring them to install / copy over a key file. Heck, there are even some phones from some cell phone networks that are so crippled that you cannot easily access its external storage via USB (you can only browse pictures and videos). 3. You would require that users switch on unknown non-market sources in the device settings. If that setting is available at all because some cell phone networks remove that feature from their phones. On Wednesday, February 6, 2013 7:13:17 AM UTC-6, John Coryat wrote: You could do that but you'd be in violation of the Google Play developer's agreement: 3. Pricing and Payments. However, if you want to collect fees after the free trial expires, you must collect all fees for the full version of the Product through the Payment Processor on the Market. https://play.google.com/intl/ALL_us/about/developer-distribution-agreement.html -John Coryat On Wednesday, February 6, 2013 7:06:10 AM UTC-6, reaktor24 wrote: I have had a read of this thread and have come to the conclusion that the best method could be to offer a freely distributable demo version for download on the Android market so people can try out your game. Then if they like it enough to buy the full version they DO NOT purchase through the flawed Android Play Store with its 30% cut to Google. Instead they are directed to pay via PayPal to the developer directly and they receive an emailed copy of the APK file along with a unique keyfile or something like that. Then on startup of the App it checks for invalid keyfiles online against the one installed and refuses to run if its known to be pirated. Maybe also add in a username and password to login to the game. You would just have to keep check of all the users email address etc to email them an updated APK. Just a small thought. Steve -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en --- You received this message because you are subscribed to the Google Groups Android Developers group. To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
We can tell you're new to development, and spelling too. On Wednesday, July 22, 2009 10:28:50 AM UTC-7, astrocogz wrote: I'm new to this whole thing about being a developer but, if you think making your app hack safe and, your app's are not going to lose you your user base. Then say a hello to the new world order of android. Stop bitching and think of it as contributing to your community. I don't steel but I don't look a gift horse in the mouth either so shut up and programme like your told and stop helping to force the world in to a new world police globe or pay the hundred and move to iphone. -- -- You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
On Friday 24 July 2009 20:16:41 Juan Hernandez wrote: How can you guys even use the term software piracy and propose the dead on arrival DRM and use Linux as a platform? it's because of people like you that the industry is driven by crappy corporations. Shame on you. Go and develop something on Windows CE or the iPhone. I agree! Go already. Here you are on a list serve cherry picking free information from the community and all you can talk about is how to lock people out from your harvest. Shame indeed. On Sat, Jul 25, 2009 at 10:07 PM, coolbho3k mike.g.hu...@gmail.com wrote: Any DRM should be programmed in the NDK - Dalvik bytecode is too easy to modify when disassembled. On Jul 22, 9:30 am, Moto medicalsou...@gmail.com wrote: Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... So I want the help from all developers, we need to come up with something to make this at least harder to distribute. 1. Can we use phone numbers to register the application? And if illegally installed we got a phone number to use so pursue the pirate...? 2. Do we have access to the phones unique ID? This could be used to track who is using the application... How many illegal copies are runnning... There are ideas I have but will just go against the user friendliness ways of Android Please provide your ideas... thanks! -Moto! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Cédric Berger wrote: On Sat, Jul 25, 2009 at 00:41, Brian Conradbrianjto...@gmail.com wrote: I've had unlockable trial versions of software and versions which were crippled demos. The crackers eventually broke or created keygens for the unlockable versions. But they never broke the crippled demo version because they would have had to pay for a full version and that is definitely something they won't do. IOW, don't do unlockable trial versions. Won't protect since it's free to get the full version and refund before 24h They could have done that with my full versions too but they didn't . E-sellers will tell you that they have to refund with signature on file sales. However the pirates might suspect that doing so leaves a paper trail they don't want even with the Android Market. The best you can do is slow them down and the honest folks will always pay for your apps. The others? Let their karma catch up with them. It will eventually. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
What didn't you understand in my last reply? It is trivial unless I have misunderstood something. I guess you got unit tests? Now take the code below. Replace the download/decrypt code in your unit tests with something like what I posted previously: Properties license = new Properties(); license.put(p, TelephonyMgr.getLine1Number()); license.put(d, Settings.System.getString(getContentResolver(), Settings.System.ANDROID_ID); license.put(e, aDateInTheFuture); Then run your unit tests again. Downloading won't fail since we have _replaced_ the download code, and no decryption would fail, since we aren't decrypting anything. We replaced that code as well. You don't even need to find all license check snippets that the developer has springled his code with, since they all will check against our valid license that we created above. I really can't believe that you don't see this. Please tell me in what way it fails given my description above. On 23 Juli, 23:07, Al Sutton a...@funkyandroid.com wrote: We're going to update the page, but we'd kind of assumed it was an obvious thing to check. As for your latest idea, the download code downloads an encrypted file so an error would be thrown during decryption which would show up problmes with a spoof server or modified download code. I think you get my point. You may think it's trivial to circumvent, but when you get down to it there are various things we've done to make it a lot trickier than an initial inspection would make you believe, which is why you've still not come up with a reproducable system for cracking it. Even if you did crack a version of an application, the steps you took wouldn't be easily reproduced for other applications and even other versions of the application if the developer moved the decryption/test code around. Al. On Jul 23, 5:54 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Shouldn't the code on the page say that in that case, and it's still very easy to spoof. Replace the code that downloads the certificate and encrypts it with code that does this: Properties license = new Properties(); license.put(p, TelephonyMgr.getLine1Number()); license.put(d, Settings.System.getString(getContentResolver(), Settings.System.ANDROID_ID); license.put(e, aDateInTheFuture); .. .. and so on. I think you get the point. We have enabled all settings. Remember I'm not a hacker/cracker and I have already shown you that it's very easy to crack your system. You aren't protecting the code. Applications will still be pirated very easy, and it's even possible to write an application that does it automatically. Users of the applications will also be very frustrated if they for some reason can't contact your license servers, so the value that you are adding is about zero. On Jul 23, 5:38 pm, Al Sutton a...@funkyandroid.com wrote: And doing what you say should cause the application to operate as if no license is present (i.e. demo mode). The demo code is to cover all bases for all types of license where the properties in the license are unknown. If you know that you'll be using a specific license property your app should enter demo mode if that property isn't present. Al. On Jul 23, 1:45 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Sorry to say, but there's a huge flaw in your examples. The snippet below is taken from your link: X509EncodedKeySpec keySpec = new X509EncodedKeySpec (ANDAPPSTORE_APP_KEY); KeyFactory factory = KeyFactory.getInstance(RSA); PublicKey key = factory.generatePublic(keySpec); Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding); cipher.init(Cipher.DECRYPT_MODE, key); byte[] original = cipher.doFinal(LICENSE); Properties props = new Properties(); props.clear(); ByteArrayInputStream bis = new ByteArrayInputStream(original); try { props.load(bis); } finally { bis.close(); } Very few classes are using using e.g X509EncodedKeySpec, so it's very easy to find all classes that are using it, and it's thus very easy to find that section of code. Now replace all operands in the class file with no operation instead, except this part: Properties props = new Properties(); I.e. we are creating an empty license. Now read all your other code snippets with this in mind. E.g. 4(c)(i). Testing the phone number String licensePhoneNumber = license.getProperty(p); if( licensePhoneNumber != null ) { //Uh, uh. An empty license returns null, we won't do any checks. TelephonyManager TelephonyMgr = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE); String devicePhoneNumber = TelephonyMgr.getLine1Number(); if(licensePhoneNumber.equals(devicePhoneNumber) == false) { throw new RuntimeException(** Phone Number Check Failed **); } } Remember that license now is an empty instance
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
The confusion arose because your previous post said Replace the code that downloads the certificate and encrypts it, in this post you're talking about the download/decrypt code, the first is a combination of client code (download) and server code (encryption), the latter is client-only code. Referring to the download/decrypt replacement, the problem here is the amount of time it would take to find where the download/decrypt code resides in a compiled app, replace it, and recompile it. If you had the original source code then yes, you could do a drop in replacement, but if you had the source code you could easily strip out any protection mechanism. Seriously, try it on a compiled application, you'll find it takes you a lot longer than you think, and longer than many crackers would be willing to spend on a low-cost app. Al. On Jul 24, 8:02 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: What didn't you understand in my last reply? It is trivial unless I have misunderstood something. I guess you got unit tests? Now take the code below. Replace the download/decrypt code in your unit tests with something like what I posted previously: Properties license = new Properties(); license.put(p, TelephonyMgr.getLine1Number()); license.put(d, Settings.System.getString(getContentResolver(), Settings.System.ANDROID_ID); license.put(e, aDateInTheFuture); Then run your unit tests again. Downloading won't fail since we have _replaced_ the download code, and no decryption would fail, since we aren't decrypting anything. We replaced that code as well. You don't even need to find all license check snippets that the developer has springled his code with, since they all will check against our valid license that we created above. I really can't believe that you don't see this. Please tell me in what way it fails given my description above. On 23 Juli, 23:07, Al Sutton a...@funkyandroid.com wrote: We're going to update the page, but we'd kind of assumed it was an obvious thing to check. As for your latest idea, the download code downloads an encrypted file so an error would be thrown during decryption which would show up problmes with a spoof server or modified download code. I think you get my point. You may think it's trivial to circumvent, but when you get down to it there are various things we've done to make it a lot trickier than an initial inspection would make you believe, which is why you've still not come up with a reproducable system for cracking it. Even if you did crack a version of an application, the steps you took wouldn't be easily reproduced for other applications and even other versions of the application if the developer moved the decryption/test code around. Al. On Jul 23, 5:54 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Shouldn't the code on the page say that in that case, and it's still very easy to spoof. Replace the code that downloads the certificate and encrypts it with code that does this: Properties license = new Properties(); license.put(p, TelephonyMgr.getLine1Number()); license.put(d, Settings.System.getString(getContentResolver(), Settings.System.ANDROID_ID); license.put(e, aDateInTheFuture); .. .. and so on. I think you get the point. We have enabled all settings. Remember I'm not a hacker/cracker and I have already shown you that it's very easy to crack your system. You aren't protecting the code. Applications will still be pirated very easy, and it's even possible to write an application that does it automatically. Users of the applications will also be very frustrated if they for some reason can't contact your license servers, so the value that you are adding is about zero. On Jul 23, 5:38 pm, Al Sutton a...@funkyandroid.com wrote: And doing what you say should cause the application to operate as if no license is present (i.e. demo mode). The demo code is to cover all bases for all types of license where the properties in the license are unknown. If you know that you'll be using a specific license property your app should enter demo mode if that property isn't present. Al. On Jul 23, 1:45 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Sorry to say, but there's a huge flaw in your examples. The snippet below is taken from your link: X509EncodedKeySpec keySpec = new X509EncodedKeySpec (ANDAPPSTORE_APP_KEY); KeyFactory factory = KeyFactory.getInstance(RSA); PublicKey key = factory.generatePublic(keySpec); Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding); cipher.init(Cipher.DECRYPT_MODE, key); byte[] original = cipher.doFinal(LICENSE); Properties props = new Properties(); props.clear(); ByteArrayInputStream bis = new ByteArrayInputStream(original); try { props.load(bis); } finally { bis.close(); } Very few classes are using using e.g
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
As I said previously. I have tried to protected java applications, and I have done what I described with pure java applications, without having the source code (I have even done it in assembler/machine code on non java applications). I don't know much about the dex format and what tools that are available to modify compiled classes, but it's only a matter of time before they are here, if they don't exist right now. Crackers don't think about if a program is expensive or not. They only want to get known for their talents, and they crack all popular applications, even if they are almost for free. So all popular applications get cracked, regardless of price, and time isn't an issue for the cracker. He doesn't think in economical terms. On 24 Juli, 10:44, Al Sutton a...@funkyandroid.com wrote: The confusion arose because your previous post said Replace the code that downloads the certificate and encrypts it, in this post you're talking about the download/decrypt code, the first is a combination of client code (download) and server code (encryption), the latter is client-only code. Referring to the download/decrypt replacement, the problem here is the amount of time it would take to find where the download/decrypt code resides in a compiled app, replace it, and recompile it. If you had the original source code then yes, you could do a drop in replacement, but if you had the source code you could easily strip out any protection mechanism. Seriously, try it on a compiled application, you'll find it takes you a lot longer than you think, and longer than many crackers would be willing to spend on a low-cost app. Al. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
And as I've said before they would need to do a crack per app and potentially per version of the app if the developer so desired. Its' a technique I've used for several years on various applications and I've always offered up the source code so people see for themselves it's not a trivial thing to crack. Anyway, we're getting way off topic, so unless you're actually going to try and do what you think is possible I can't see any benefit in continuing this discussion, because from what you're saying you're putting across an opinion that a task is relatively trivial without any knowlege of the tools needed to do the job or having ever tried to do it. Al. On Jul 24, 12:01 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: As I said previously. I have tried to protected java applications, and I have done what I described with pure java applications, without having the source code (I have even done it in assembler/machine code on non java applications). I don't know much about the dex format and what tools that are available to modify compiled classes, but it's only a matter of time before they are here, if they don't exist right now. Crackers don't think about if a program is expensive or not. They only want to get known for their talents, and they crack all popular applications, even if they are almost for free. So all popular applications get cracked, regardless of price, and time isn't an issue for the cracker. He doesn't think in economical terms. On 24 Juli, 10:44, Al Sutton a...@funkyandroid.com wrote: The confusion arose because your previous post said Replace the code that downloads the certificate and encrypts it, in this post you're talking about the download/decrypt code, the first is a combination of client code (download) and server code (encryption), the latter is client-only code. Referring to the download/decrypt replacement, the problem here is the amount of time it would take to find where the download/decrypt code resides in a compiled app, replace it, and recompile it. If you had the original source code then yes, you could do a drop in replacement, but if you had the source code you could easily strip out any protection mechanism. Seriously, try it on a compiled application, you'll find it takes you a lot longer than you think, and longer than many crackers would be willing to spend on a low-cost app. Al. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
On Jul 24, 6:01 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: Crackers don't think about if a program is expensive or not. They only want to get known for their talents, and they crack all popular applications, even if they are almost for free. So all popular applications get cracked, regardless of price, and time isn't an issue for the cracker. He doesn't think in economical terms. This is exactly why it is a waste of time for developers to focus too much on preventing piracy when there is no proof that the piracy rate is higher than that of the general rate. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Just FYI, Jesusfreke has posted a dex [de]compiler set: http://jf.andblogs.net/ (Smali and baksmali). So there are already tools to do that (and Al, if you want to put up a bounty for a simple/repeatable hack, that'd go a lot farther than handwaving. Everyone else, if you want to claim that bounty, that'd go a lot..etc :) ..) On Fri, Jul 24, 2009 at 7:01 AM, Kaj Bjurman kaj.bjur...@gmail.com wrote: As I said previously. I have tried to protected java applications, and I have done what I described with pure java applications, without having the source code (I have even done it in assembler/machine code on non java applications). I don't know much about the dex format and what tools that are available to modify compiled classes, but it's only a matter of time before they are here, if they don't exist right now. Crackers don't think about if a program is expensive or not. They only want to get known for their talents, and they crack all popular applications, even if they are almost for free. So all popular applications get cracked, regardless of price, and time isn't an issue for the cracker. He doesn't think in economical terms. On 24 Juli, 10:44, Al Sutton a...@funkyandroid.com wrote: The confusion arose because your previous post said Replace the code that downloads the certificate and encrypts it, in this post you're talking about the download/decrypt code, the first is a combination of client code (download) and server code (encryption), the latter is client-only code. Referring to the download/decrypt replacement, the problem here is the amount of time it would take to find where the download/decrypt code resides in a compiled app, replace it, and recompile it. If you had the original source code then yes, you could do a drop in replacement, but if you had the source code you could easily strip out any protection mechanism. Seriously, try it on a compiled application, you'll find it takes you a lot longer than you think, and longer than many crackers would be willing to spend on a low-cost app. Al. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
As AndAppStore doesn't make a profit there's little I can offer in the way of a prize, but if you want to create a simple/repeatable hack to shut me up you're more than welcome. Al. On Jul 24, 4:10 pm, Disconnect dc.disconn...@gmail.com wrote: Just FYI, Jesusfreke has posted a dex [de]compiler set:http://jf.andblogs.net/(Smali and baksmali). So there are already tools to do that (and Al, if you want to put up a bounty for a simple/repeatable hack, that'd go a lot farther than handwaving. Everyone else, if you want to claim that bounty, that'd go a lot..etc :) ..) On Fri, Jul 24, 2009 at 7:01 AM, Kaj Bjurman kaj.bjur...@gmail.com wrote: As I said previously. I have tried to protected java applications, and I have done what I described with pure java applications, without having the source code (I have even done it in assembler/machine code on non java applications). I don't know much about the dex format and what tools that are available to modify compiled classes, but it's only a matter of time before they are here, if they don't exist right now. Crackers don't think about if a program is expensive or not. They only want to get known for their talents, and they crack all popular applications, even if they are almost for free. So all popular applications get cracked, regardless of price, and time isn't an issue for the cracker. He doesn't think in economical terms. On 24 Juli, 10:44, Al Sutton a...@funkyandroid.com wrote: The confusion arose because your previous post said Replace the code that downloads the certificate and encrypts it, in this post you're talking about the download/decrypt code, the first is a combination of client code (download) and server code (encryption), the latter is client-only code. Referring to the download/decrypt replacement, the problem here is the amount of time it would take to find where the download/decrypt code resides in a compiled app, replace it, and recompile it. If you had the original source code then yes, you could do a drop in replacement, but if you had the source code you could easily strip out any protection mechanism. Seriously, try it on a compiled application, you'll find it takes you a lot longer than you think, and longer than many crackers would be willing to spend on a low-cost app. Al. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Al Sutton wrote: As AndAppStore doesn't make a profit there's little I can offer in the way of a prize, but if you want to create a simple/repeatable hack to shut me up you're more than welcome. Clearly, therefore, we need a bounty to raise a bounty for the simple/repeatable hack... *ducks rotten tomatoes thrown in my direction* -- Mark Murphy (a Commons Guy) http://commonsware.com | http://twitter.com/commonsguy _Beginning Android_ from Apress Now Available! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I will offer a bounty of 5 UK pounds if you can raise me a bounty of 1000 UK pounds :). (don't worry, I'm leaving the stage already) Al. On Jul 24, 6:49 pm, Mark Murphy mmur...@commonsware.com wrote: Al Sutton wrote: As AndAppStore doesn't make a profit there's little I can offer in the way of a prize, but if you want to create a simple/repeatable hack to shut me up you're more than welcome. Clearly, therefore, we need a bounty to raise a bounty for the simple/repeatable hack... *ducks rotten tomatoes thrown in my direction* -- Mark Murphy (a Commons Guy)http://commonsware.com|http://twitter.com/commonsguy _Beginning Android_ from Apress Now Available! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Ed wrote: On Jul 24, 6:01 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: Crackers don't think about if a program is expensive or not. They only want to get known for their talents, and they crack all popular applications, even if they are almost for free. So all popular applications get cracked, regardless of price, and time isn't an issue for the cracker. He doesn't think in economical terms. This is exactly why it is a waste of time for developers to focus too much on preventing piracy when there is no proof that the piracy rate is higher than that of the general rate. I've had unlockable trial versions of software and versions which were crippled demos. The crackers eventually broke or created keygens for the unlockable versions. But they never broke the crippled demo version because they would have had to pay for a full version and that is definitely something they won't do. IOW, don't do unlockable trial versions. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
On Sat, Jul 25, 2009 at 00:41, Brian Conradbrianjto...@gmail.com wrote: I've had unlockable trial versions of software and versions which were crippled demos. The crackers eventually broke or created keygens for the unlockable versions. But they never broke the crippled demo version because they would have had to pay for a full version and that is definitely something they won't do. IOW, don't do unlockable trial versions. Won't protect since it's free to get the full version and refund before 24h --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I have implemented a buy on Android Market to donate system. My application is available for free on XDA Developers as an APK. Many people take the plunge and make the 99 cent purchase because they were pleased with the APK download I provided. In my opinion, this is the best way to distribute software. It curbs piracy (which is inevitable anyway) while allowing my downloaders to know they can buy the application to support the project. On Jul 22, 9:30 am, Moto medicalsou...@gmail.com wrote: Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... So I want the help from all developers, we need to come up with something to make this at least harder to distribute. 1. Can we use phone numbers to register the application? And if illegally installed we got a phone number to use so pursue the pirate...? 2. Do we have access to the phones unique ID? This could be used to track who is using the application... How many illegal copies are runnning... There are ideas I have but will just go against the user friendliness ways of Android Please provide your ideas... thanks! -Moto! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Any DRM should be programmed in the NDK - Dalvik bytecode is too easy to modify when disassembled. On Jul 22, 9:30 am, Moto medicalsou...@gmail.com wrote: Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... So I want the help from all developers, we need to come up with something to make this at least harder to distribute. 1. Can we use phone numbers to register the application? And if illegally installed we got a phone number to use so pursue the pirate...? 2. Do we have access to the phones unique ID? This could be used to track who is using the application... How many illegal copies are runnning... There are ideas I have but will just go against the user friendliness ways of Android Please provide your ideas... thanks! -Moto! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
How can you guys even use the term software piracy and propose the dead on arrival DRM and use Linux as a platform? it's because of people like you that the industry is driven by crappy corporations. Shame on you. Go and develop something on Windows CE or the iPhone. On Sat, Jul 25, 2009 at 10:07 PM, coolbho3k mike.g.hu...@gmail.com wrote: Any DRM should be programmed in the NDK - Dalvik bytecode is too easy to modify when disassembled. On Jul 22, 9:30 am, Moto medicalsou...@gmail.com wrote: Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... So I want the help from all developers, we need to come up with something to make this at least harder to distribute. 1. Can we use phone numbers to register the application? And if illegally installed we got a phone number to use so pursue the pirate...? 2. Do we have access to the phones unique ID? This could be used to track who is using the application... How many illegal copies are runnning... There are ideas I have but will just go against the user friendliness ways of Android Please provide your ideas... thanks! -Moto! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Case 2 doesn't hold. It's still a bit of security by obscurity. There are several ways to remove what you describe. One way would be to run the program in the emulator/debugger and see where it fails. Then check what that method does and correct the logic. Run it again in the emulator to see if it still fails, then patch the next place. This is usually how programs written in other languages are cracked. (E.g. written i C/C++). Cracking in those cases is usually done in a debugger for assembler. What I described in the scenario above is where they aren't using any code from you. I don't know what your code look like, or what it does. But I still guess that you have classes that others can use. It's in that case pretty easy to stub those classes out, and cracking all programs in your market would in that case mean that they just have to find out how your protection works, stub out code from you, and then apply it to all programs. Note that I'm not a hacker/cracker, but I'm curious, and I have myself tried to protect programs. On 22 Juli, 19:58, Al Sutton a...@funkyandroid.com wrote: That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a single library which can be stripped out and replaced with an always return true version. 3) Detect spoof servers because a spoof server will be unable to return a properly encrypted file and thus developers can detect decryption errors and mark them as spoofing attempts. Al. On Jul 22, 6:50 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01 pm, Micah mi...@ourmailbox.net wrote: The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I am the developer of a fairly successfull application for Android. My solution to the piracy-problem was: Give away applications for free, and instead insert ads from (-- your favorite Ad network here --). So far it has paid off okay, I think I get more from the ads than I would have selling apps for $1. I know, not a viable solution for all apps (expensive ones, apps that work offline, etc). But for a small developer like me, it was the simple solution. If people download my apps from forums it actually means more revenue. :-) --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
On Jul 22, 10:47 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Well said. Piracy will always exist. Our task, as a developer, is to create something that is so good so that people want to pay for it. I think this make the point. We should expect people really feel it's worthy. As for now, I didn't see any software can not be cracked, and almost all hardware(except PS3) lol --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
We don't provice jars specifically for this reason. The code to decode a license is less than 15 lines long and uses standard java classes (i.e. nothing specific to the system or even to Android). The code to test license properties is less than 10 lines and again uses only java classes. You can see the code at http://andappstore.com/AndroidApplications/licensing_4.jsp This means that each application would need to go through a full track, crack, and re-compile cycle (which as others have said is non- trivial and takes a fair amount of time), and developers are free to move the decrypt/test code around between versions of their app which would then require another full track, crack, and re-compile cycle before the new version could be made available, which, for a 99c app, is not going to be worth the effort for most crackers. This part is security by obscurity but it's layered in with secure cryptography in the license as an addition measure to make cracking harder than if we distributed pre-build jars which a cracker could swap out. Al. On Jul 23, 7:24 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: Case 2 doesn't hold. It's still a bit of security by obscurity. There are several ways to remove what you describe. One way would be to run the program in the emulator/debugger and see where it fails. Then check what that method does and correct the logic. Run it again in the emulator to see if it still fails, then patch the next place. This is usually how programs written in other languages are cracked. (E.g. written i C/C++). Cracking in those cases is usually done in a debugger for assembler. What I described in the scenario above is where they aren't using any code from you. I don't know what your code look like, or what it does. But I still guess that you have classes that others can use. It's in that case pretty easy to stub those classes out, and cracking all programs in your market would in that case mean that they just have to find out how your protection works, stub out code from you, and then apply it to all programs. Note that I'm not a hacker/cracker, but I'm curious, and I have myself tried to protect programs. On 22 Juli, 19:58, Al Sutton a...@funkyandroid.com wrote: That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a single library which can be stripped out and replaced with an always return true version. 3) Detect spoof servers because a spoof server will be unable to return a properly encrypted file and thus developers can detect decryption errors and mark them as spoofing attempts. Al. On Jul 22, 6:50 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01 pm, Micah mi...@ourmailbox.net wrote: The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Sorry to say, but there's a huge flaw in your examples. The snippet below is taken from your link: X509EncodedKeySpec keySpec = new X509EncodedKeySpec (ANDAPPSTORE_APP_KEY); KeyFactory factory = KeyFactory.getInstance(RSA); PublicKey key = factory.generatePublic(keySpec); Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding); cipher.init(Cipher.DECRYPT_MODE, key); byte[] original = cipher.doFinal(LICENSE); Properties props = new Properties(); props.clear(); ByteArrayInputStream bis = new ByteArrayInputStream(original); try { props.load(bis); } finally { bis.close(); } Very few classes are using using e.g X509EncodedKeySpec, so it's very easy to find all classes that are using it, and it's thus very easy to find that section of code. Now replace all operands in the class file with no operation instead, except this part: Properties props = new Properties(); I.e. we are creating an empty license. Now read all your other code snippets with this in mind. E.g. 4(c)(i). Testing the phone number String licensePhoneNumber = license.getProperty(p); if( licensePhoneNumber != null ) { //Uh, uh. An empty license returns null, we won't do any checks. TelephonyManager TelephonyMgr = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE); String devicePhoneNumber = TelephonyMgr.getLine1Number(); if(licensePhoneNumber.equals(devicePhoneNumber) == false) { throw new RuntimeException(** Phone Number Check Failed **); } } Remember that license now is an empty instance of Properties. The code above will say that it is a valid license, and so will all of your other tests as well. On 23 Juli, 12:11, Al Sutton a...@funkyandroid.com wrote: We don't provice jars specifically for this reason. The code to decode a license is less than 15 lines long and uses standard java classes (i.e. nothing specific to the system or even to Android). The code to test license properties is less than 10 lines and again uses only java classes. You can see the code athttp://andappstore.com/AndroidApplications/licensing_4.jsp This means that each application would need to go through a full track, crack, and re-compile cycle (which as others have said is non- trivial and takes a fair amount of time), and developers are free to move the decrypt/test code around between versions of their app which would then require another full track, crack, and re-compile cycle before the new version could be made available, which, for a 99c app, is not going to be worth the effort for most crackers. This part is security by obscurity but it's layered in with secure cryptography in the license as an addition measure to make cracking harder than if we distributed pre-build jars which a cracker could swap out. Al. On Jul 23, 7:24 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: Case 2 doesn't hold. It's still a bit of security by obscurity. There are several ways to remove what you describe. One way would be to run the program in the emulator/debugger and see where it fails. Then check what that method does and correct the logic. Run it again in the emulator to see if it still fails, then patch the next place. This is usually how programs written in other languages are cracked. (E.g. written i C/C++). Cracking in those cases is usually done in a debugger for assembler. What I described in the scenario above is where they aren't using any code from you. I don't know what your code look like, or what it does. But I still guess that you have classes that others can use. It's in that case pretty easy to stub those classes out, and cracking all programs in your market would in that case mean that they just have to find out how your protection works, stub out code from you, and then apply it to all programs. Note that I'm not a hacker/cracker, but I'm curious, and I have myself tried to protect programs. On 22 Juli, 19:58, Al Sutton a...@funkyandroid.com wrote: That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a single library which can be stripped out and replaced with an always return true version. 3) Detect spoof servers because a spoof server will be unable to return a properly encrypted file and thus developers can detect decryption errors and mark them as spoofing attempts. Al. On Jul 22, 6:50 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Is the rate of piracy on Android significantly different from that of any other platform? I would guess not--it might even be less. In other words, don't spend countless hours and dollars chasing a goal that has been already proven many times over to be unattainable. Doing so would impact a developer's potential profits. The solution to go free with ads is a good one, and using something like a prebuilt solution at the andapp store is great too. Think too much about it, and you WILL have lost time and money. --Ed --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
On Thu, Jul 23, 2009 at 3:07 PM, Ededmundcl...@gmail.com wrote: Is the rate of piracy on Android significantly different from that of any other platform? I'd guess otherwise: with the paid Market only available in a few countries, others will have to resort to using the MarketEnabler (as I did) or to piracy. The latter is cheaper and easier, works even without rooting, and is permanent for sure. Zsolt --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Good point about the Market in other countries. However, I was not only referring to cell phones, but all platforms and software in general. My wild guess that Android software is less pirated is simply because of the installed base. Since there are so many more users of other platforms and devices, Android pirate sites are less appealing and less likely to pop up. (As opposed to iPhone, for example.) This makes tracking of piracy a bit easier, and perhaps enforcement as well. On Jul 23, 8:16 am, Zsolt Váradi karma...@gmail.com wrote: On Thu, Jul 23, 2009 at 3:07 PM, Ededmundcl...@gmail.com wrote: Is the rate of piracy on Android significantly different from that of any other platform? I'd guess otherwise: with the paid Market only available in a few countries, others will have to resort to using the MarketEnabler (as I did) or to piracy. The latter is cheaper and easier, works even without rooting, and is permanent for sure. Zsolt --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
In fact, using the pirating site listed previously as an example, here is what I found for each cell phone platform: Symbian OS9: 39 pages of apps, 24 pages of games Symbian OS6-8: 41 pages of apps, 34 pages of games Nokia S40: 9 pages total of apps and games PocketPC/Palm: 19 pages of apps, 7 pages of games SonyEricsson: 16 pages total of apps and games Symbian UIQ: 7 pages of apps, 2 pages of games iPhone: 7 pages total of apps and games Android: 2 pages total of apps and games --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
It seems there is a very simple answer to piracy on this platform anyway. If the market would keep a record of the device ID's that purchased the app, it would be extremely easy to tell (via a server based solution) which installations are valid and which are not. Then again, what do I know? -John Coryat On Jul 23, 9:51 am, Ed edmundcl...@gmail.com wrote: In fact, using the pirating site listed previously as an example, here is what I found for each cell phone platform: Symbian OS9: 39 pages of apps, 24 pages of games Symbian OS6-8: 41 pages of apps, 34 pages of games Nokia S40: 9 pages total of apps and games PocketPC/Palm: 19 pages of apps, 7 pages of games SonyEricsson: 16 pages total of apps and games Symbian UIQ: 7 pages of apps, 2 pages of games iPhone: 7 pages total of apps and games Android: 2 pages total of apps and games --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
And doing what you say should cause the application to operate as if no license is present (i.e. demo mode). The demo code is to cover all bases for all types of license where the properties in the license are unknown. If you know that you'll be using a specific license property your app should enter demo mode if that property isn't present. Al. On Jul 23, 1:45 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Sorry to say, but there's a huge flaw in your examples. The snippet below is taken from your link: X509EncodedKeySpec keySpec = new X509EncodedKeySpec (ANDAPPSTORE_APP_KEY); KeyFactory factory = KeyFactory.getInstance(RSA); PublicKey key = factory.generatePublic(keySpec); Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding); cipher.init(Cipher.DECRYPT_MODE, key); byte[] original = cipher.doFinal(LICENSE); Properties props = new Properties(); props.clear(); ByteArrayInputStream bis = new ByteArrayInputStream(original); try { props.load(bis); } finally { bis.close(); } Very few classes are using using e.g X509EncodedKeySpec, so it's very easy to find all classes that are using it, and it's thus very easy to find that section of code. Now replace all operands in the class file with no operation instead, except this part: Properties props = new Properties(); I.e. we are creating an empty license. Now read all your other code snippets with this in mind. E.g. 4(c)(i). Testing the phone number String licensePhoneNumber = license.getProperty(p); if( licensePhoneNumber != null ) { //Uh, uh. An empty license returns null, we won't do any checks. TelephonyManager TelephonyMgr = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE); String devicePhoneNumber = TelephonyMgr.getLine1Number(); if(licensePhoneNumber.equals(devicePhoneNumber) == false) { throw new RuntimeException(** Phone Number Check Failed **); } } Remember that license now is an empty instance of Properties. The code above will say that it is a valid license, and so will all of your other tests as well. On 23 Juli, 12:11, Al Sutton a...@funkyandroid.com wrote: We don't provice jars specifically for this reason. The code to decode a license is less than 15 lines long and uses standard java classes (i.e. nothing specific to the system or even to Android). The code to test license properties is less than 10 lines and again uses only java classes. You can see the code athttp://andappstore.com/AndroidApplications/licensing_4.jsp This means that each application would need to go through a full track, crack, and re-compile cycle (which as others have said is non- trivial and takes a fair amount of time), and developers are free to move the decrypt/test code around between versions of their app which would then require another full track, crack, and re-compile cycle before the new version could be made available, which, for a 99c app, is not going to be worth the effort for most crackers. This part is security by obscurity but it's layered in with secure cryptography in the license as an addition measure to make cracking harder than if we distributed pre-build jars which a cracker could swap out. Al. On Jul 23, 7:24 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: Case 2 doesn't hold. It's still a bit of security by obscurity. There are several ways to remove what you describe. One way would be to run the program in the emulator/debugger and see where it fails. Then check what that method does and correct the logic. Run it again in the emulator to see if it still fails, then patch the next place. This is usually how programs written in other languages are cracked. (E.g. written i C/C++). Cracking in those cases is usually done in a debugger for assembler. What I described in the scenario above is where they aren't using any code from you. I don't know what your code look like, or what it does. But I still guess that you have classes that others can use. It's in that case pretty easy to stub those classes out, and cracking all programs in your market would in that case mean that they just have to find out how your protection works, stub out code from you, and then apply it to all programs. Note that I'm not a hacker/cracker, but I'm curious, and I have myself tried to protect programs. On 22 Juli, 19:58, Al Sutton a...@funkyandroid.com wrote: That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
This is actually one of the forums which honored my request to remove my app from offered to download. However, i see that some now post links from other sites on this forum (instead of hosting the apks on ip-forum itself) to download my, and many other, apps. On Jul 23, 12:01 am, NitroDesk gsuku...@gmail.com wrote: There is a parallel world out there where it is ok to distribute applications that we all have shed sweat and blood to build see here :http://www.ipmart-forum.com/archive/index.php/t-337082.html Can't stop them, like someone pointed out earlier; not sure the creators of Android would ever care, since an underworld like this will only increase ad revenues as well as device penetration. The only ones who may be hurt would be small app developers. You can either put up and hope that your revenues come from people who play by rules, and hope that some amount of piracy would actually help make your software popular. -g On Jul 22, 10:58 am, Al Sutton a...@funkyandroid.com wrote: That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a single library which can be stripped out and replaced with an always return true version. 3) Detect spoof servers because a spoof server will be unable to return a properly encrypted file and thus developers can detect decryption errors and mark them as spoofing attempts. Al. On Jul 22, 6:50 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01 pm, Micah mi...@ourmailbox.net wrote: The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona- Hide quoted text - - Show quoted text -- Hide quoted text - - Show quoted text - --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Shouldn't the code on the page say that in that case, and it's still very easy to spoof. Replace the code that downloads the certificate and encrypts it with code that does this: Properties license = new Properties(); license.put(p, TelephonyMgr.getLine1Number()); license.put(d, Settings.System.getString(getContentResolver(), Settings.System.ANDROID_ID); license.put(e, aDateInTheFuture); .. .. and so on. I think you get the point. We have enabled all settings. Remember I'm not a hacker/cracker and I have already shown you that it's very easy to crack your system. You aren't protecting the code. Applications will still be pirated very easy, and it's even possible to write an application that does it automatically. Users of the applications will also be very frustrated if they for some reason can't contact your license servers, so the value that you are adding is about zero. On Jul 23, 5:38 pm, Al Sutton a...@funkyandroid.com wrote: And doing what you say should cause the application to operate as if no license is present (i.e. demo mode). The demo code is to cover all bases for all types of license where the properties in the license are unknown. If you know that you'll be using a specific license property your app should enter demo mode if that property isn't present. Al. On Jul 23, 1:45 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Sorry to say, but there's a huge flaw in your examples. The snippet below is taken from your link: X509EncodedKeySpec keySpec = new X509EncodedKeySpec (ANDAPPSTORE_APP_KEY); KeyFactory factory = KeyFactory.getInstance(RSA); PublicKey key = factory.generatePublic(keySpec); Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding); cipher.init(Cipher.DECRYPT_MODE, key); byte[] original = cipher.doFinal(LICENSE); Properties props = new Properties(); props.clear(); ByteArrayInputStream bis = new ByteArrayInputStream(original); try { props.load(bis); } finally { bis.close(); } Very few classes are using using e.g X509EncodedKeySpec, so it's very easy to find all classes that are using it, and it's thus very easy to find that section of code. Now replace all operands in the class file with no operation instead, except this part: Properties props = new Properties(); I.e. we are creating an empty license. Now read all your other code snippets with this in mind. E.g. 4(c)(i). Testing the phone number String licensePhoneNumber = license.getProperty(p); if( licensePhoneNumber != null ) { //Uh, uh. An empty license returns null, we won't do any checks. TelephonyManager TelephonyMgr = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE); String devicePhoneNumber = TelephonyMgr.getLine1Number(); if(licensePhoneNumber.equals(devicePhoneNumber) == false) { throw new RuntimeException(** Phone Number Check Failed **); } } Remember that license now is an empty instance of Properties. The code above will say that it is a valid license, and so will all of your other tests as well. On 23 Juli, 12:11, Al Sutton a...@funkyandroid.com wrote: We don't provice jars specifically for this reason. The code to decode a license is less than 15 lines long and uses standard java classes (i.e. nothing specific to the system or even to Android). The code to test license properties is less than 10 lines and again uses only java classes. You can see the code athttp://andappstore.com/AndroidApplications/licensing_4.jsp This means that each application would need to go through a full track, crack, and re-compile cycle (which as others have said is non- trivial and takes a fair amount of time), and developers are free to move the decrypt/test code around between versions of their app which would then require another full track, crack, and re-compile cycle before the new version could be made available, which, for a 99c app, is not going to be worth the effort for most crackers. This part is security by obscurity but it's layered in with secure cryptography in the license as an addition measure to make cracking harder than if we distributed pre-build jars which a cracker could swap out. Al. On Jul 23, 7:24 am, Kaj Bjurman kaj.bjur...@gmail.com wrote: Case 2 doesn't hold. It's still a bit of security by obscurity. There are several ways to remove what you describe. One way would be to run the program in the emulator/debugger and see where it fails. Then check what that method does and correct the logic. Run it again in the emulator to see if it still fails, then patch the next place. This is usually how programs written in other languages are cracked. (E.g. written i C/C++). Cracking in those cases is usually done in a debugger for assembler. What I described in the scenario above is where they aren't using any code from you. I don't know what your code look
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I'm new to this whole thing about being a developer but, if you think making your app hack safe and, your app's are not going to lose you your user base. Then say a hello to the new world order of android. Stop bitching and think of it as contributing to your community. I don't steel but I don't look a gift horse in the mouth either so shut up and programme like your told and stop helping to force the world in to a new world police globe or pay the hundred and move to iphone. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
The only safe app is one that has a service connected to it. So if you are that much in a Tiff about it have a free or charged dummy or real service connected to your app and host that service too. ix3.com has hosting for 12 dollars a year stop the excuses and blaming. god I hate whiners people really do want a closed sourced copyrighted to hell DRM useless universe don't they --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
We're going to update the page, but we'd kind of assumed it was an obvious thing to check. As for your latest idea, the download code downloads an encrypted file so an error would be thrown during decryption which would show up problmes with a spoof server or modified download code. I think you get my point. You may think it's trivial to circumvent, but when you get down to it there are various things we've done to make it a lot trickier than an initial inspection would make you believe, which is why you've still not come up with a reproducable system for cracking it. Even if you did crack a version of an application, the steps you took wouldn't be easily reproduced for other applications and even other versions of the application if the developer moved the decryption/test code around. Al. On Jul 23, 5:54 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Shouldn't the code on the page say that in that case, and it's still very easy to spoof. Replace the code that downloads the certificate and encrypts it with code that does this: Properties license = new Properties(); license.put(p, TelephonyMgr.getLine1Number()); license.put(d, Settings.System.getString(getContentResolver(), Settings.System.ANDROID_ID); license.put(e, aDateInTheFuture); .. .. and so on. I think you get the point. We have enabled all settings. Remember I'm not a hacker/cracker and I have already shown you that it's very easy to crack your system. You aren't protecting the code. Applications will still be pirated very easy, and it's even possible to write an application that does it automatically. Users of the applications will also be very frustrated if they for some reason can't contact your license servers, so the value that you are adding is about zero. On Jul 23, 5:38 pm, Al Sutton a...@funkyandroid.com wrote: And doing what you say should cause the application to operate as if no license is present (i.e. demo mode). The demo code is to cover all bases for all types of license where the properties in the license are unknown. If you know that you'll be using a specific license property your app should enter demo mode if that property isn't present. Al. On Jul 23, 1:45 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Sorry to say, but there's a huge flaw in your examples. The snippet below is taken from your link: X509EncodedKeySpec keySpec = new X509EncodedKeySpec (ANDAPPSTORE_APP_KEY); KeyFactory factory = KeyFactory.getInstance(RSA); PublicKey key = factory.generatePublic(keySpec); Cipher cipher = Cipher.getInstance(RSA/ECB/PKCS1Padding); cipher.init(Cipher.DECRYPT_MODE, key); byte[] original = cipher.doFinal(LICENSE); Properties props = new Properties(); props.clear(); ByteArrayInputStream bis = new ByteArrayInputStream(original); try { props.load(bis); } finally { bis.close(); } Very few classes are using using e.g X509EncodedKeySpec, so it's very easy to find all classes that are using it, and it's thus very easy to find that section of code. Now replace all operands in the class file with no operation instead, except this part: Properties props = new Properties(); I.e. we are creating an empty license. Now read all your other code snippets with this in mind. E.g. 4(c)(i). Testing the phone number String licensePhoneNumber = license.getProperty(p); if( licensePhoneNumber != null ) { //Uh, uh. An empty license returns null, we won't do any checks. TelephonyManager TelephonyMgr = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE); String devicePhoneNumber = TelephonyMgr.getLine1Number(); if(licensePhoneNumber.equals(devicePhoneNumber) == false) { throw new RuntimeException(** Phone Number Check Failed **); } } Remember that license now is an empty instance of Properties. The code above will say that it is a valid license, and so will all of your other tests as well. On 23 Juli, 12:11, Al Sutton a...@funkyandroid.com wrote: We don't provice jars specifically for this reason. The code to decode a license is less than 15 lines long and uses standard java classes (i.e. nothing specific to the system or even to Android). The code to test license properties is less than 10 lines and again uses only java classes. You can see the code athttp://andappstore.com/AndroidApplications/licensing_4.jsp This means that each application would need to go through a full track, crack, and re-compile cycle (which as others have said is non- trivial and takes a fair amount of time), and developers are free to move the decrypt/test code around between versions of their app which would then require another full track, crack, and re-compile cycle before the new version could be made available, which, for a 99c app, is not going to be worth the effort for most crackers. This part is
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Same here. I have successfully removed (by asking moderators of online forums) my app from multiple forums where it could be downloaded freely, but I have not been able to keep up lately :( It's a fact of life, alas. Every piece of software is pirated. I just hope that most people think that 99 cents or a couple of bucks is not worth getting a pirated version. A killswitch could do make it more difficult: Add code to your app that disables versions older than a given version. But with any 'protection' scheme, you want to avoid p%#ssing customers off. :-) On Jul 22, 9:30 am, Moto medicalsou...@gmail.com wrote: Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... So I want the help from all developers, we need to come up with something to make this at least harder to distribute. 1. Can we use phone numbers to register the application? And if illegally installed we got a phone number to use so pursue the pirate...? 2. Do we have access to the phones unique ID? This could be used to track who is using the application... How many illegal copies are runnning... There are ideas I have but will just go against the user friendliness ways of Android Please provide your ideas... thanks! -Moto! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Welcome to software development. There is no known way to stop software piracy short of software as a service (and don't worry, many very smart people have tried). If it really bothers you that much then write your software as a service and have the installed application be a dumb terminal. Android devices are always online so unless you want your app to work where there is no cell service (something that 95% of apps don't need) this is your best bet. On a more personal note, I very much hope that Android doesn't try to do anything about the piracy issue. What Google has already done in the name of anti-piracy (ADP can't purchase copyprotected apps, can't install to the SD card, etc.) has pissed people off and instead lead to more piracy (piracy is my only option for copy-protected content on my ADP1, and if you want to make your phone better and have 8GB of app storage than root it... you can also pirate then too). In the end, anything you do short of software as a service won't change a thing about how much your app gets pirated but it almost certainly will piss off your paying customers. I know I'm pissed off that my ADP1 can't buy off the marketplace and is limited to 100MB of app storage space instead of the 1GB of storage space available on the device, not counting all the 8GB SD cards I have lying around. If I had a choice (which I think I should as a developer) any apps I develop would be installable to SD instead of only to internal storage. This will result in my paying customers keeping the application installed longer and therefor improving my brand recognition. On Jul 22, 6:30 am, Moto medicalsou...@gmail.com wrote: Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... So I want the help from all developers, we need to come up with something to make this at least harder to distribute. 1. Can we use phone numbers to register the application? And if illegally installed we got a phone number to use so pursue the pirate...? 2. Do we have access to the phones unique ID? This could be used to track who is using the application... How many illegal copies are runnning... There are ideas I have but will just go against the user friendliness ways of Android Please provide your ideas... thanks! -Moto! --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
2009/7/22 Micah mi...@ourmailbox.net application be a dumb terminal. Android devices are always online so What universe do you live in? There is no such thing as 100% network coverage on any phone network. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
2009/7/22 Moto medicalsou...@gmail.com Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... Yes, Google's brilliant solution to protecting apps on phones is stupid and only ends up crippling the phones. If you want to really protect your apps you could use something like slidelock... http://slideme.org/slidelock SlideLock uses cryptography and server based licensing checks to enforce proper protection for apps. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
On Jul 22, 6:41 am, Streets Of Boston flyingdutc...@gmail.com wrote: A killswitch could do make it more difficult: Add code to your app that disables versions older than a given version. Described here http://groups.google.com/group/android-developers/browse_thread/thread/c40769a07bb4c5c7/a04f37f84636087c?lnk=gstq=kill+switch#a04f37f84636087c This doesn't cut it any longer however if apk's are ripped on a daily basis. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I couldn't find much documentation on the site, but it doesn't look like it will stop piracy, only make it a bit harder. Once you get hold of the apk file, just modify it so that it isn't using slidelock any longer. On 22 Juli, 16:07, John Smith deltafoxtrot...@gmail.com wrote: 2009/7/22 Moto medicalsou...@gmail.com Sorry but I'm very mad about this situation! I found one of my applications on the web all over for free! Every time I do an update 1 day goes by and BAM! For free on the web... Yes, Google's brilliant solution to protecting apps on phones is stupid and only ends up crippling the phones. If you want to really protect your apps you could use something like slidelock... http://slideme.org/slidelock SlideLock uses cryptography and server based licensing checks to enforce proper protection for apps. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
It's a fact of life, alas. Every piece of software is pirated. I just hope that most people think that 99 cents or a couple of bucks is not worth getting a pirated version. Well said. Piracy will always exist. Our task, as a developer, is to create something that is so good so that people want to pay for it. Many developers think that people would pay for the application if they couldn't find a pirate version of it. That is probably not true. They are using it just because they found it for free. They would probably keep looking for a free alternative program if they hadn't found the free version of your application. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
2009/7/23 Moto medicalsou...@gmail.com I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. I disagree, this is the same silly logic google used in their app protection methods and look where that gets you really. If you rely on the fact that a user can't access their full device you are dreaming, people hack things down to the chip level and there will always be someone that find a bug in the OS to exploit it to give full access, so you need to come up with a method that doesn't assume the device will be secure or not. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
2009/7/23 Android Development indodr...@gmail.com Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. That's what slidelock does... --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
okay. I think it is the only way out of this. A secret key that you generate and provide for each instance of the application sold. On Wed, Jul 22, 2009 at 8:27 PM, John Smith deltafoxtrot...@gmail.comwrote: 2009/7/23 Android Development indodr...@gmail.com Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. That's what slidelock does... --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
2009/7/23 Kaj Bjurman kaj.bjur...@gmail.com I couldn't find much documentation on the site, but it doesn't look like it will stop piracy, only make it a bit harder. Once you get hold of the apk file, just modify it so that it isn't using slidelock any longer. The same could be said for all crypto, it's all a matter of time before it gets cracked, but that's never the point of security, prevention is impossible, but some methods are more laughable than others. I've never bothered to implement it, but it looked pretty strait forward from what I saw, you generate a key + licenses through their web interface and then add a bit of code to your app and then issue licenses to users. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
A while back Alias|Wavefront (now AutoDesk) tried the licensing server thing. If I'm not mistaken they even had a hardware token required to run their application and it still got cracked. That's an application that retails for $2000 a box, and they couldn't secure their software with a ridiculous amount of DRM. It's unlikely that a $5 phone app is going to do a much better job of things. That being said, I am not very familiar with licensing server DRM techniques (they aren't very common) so I can't speak specifically to the difficulty with cracking them. None the less, it still stands that you likely won't increase your customer base with solutions like this because people don't like it when their software has to phone- home to run. What happens if you go out of business and the licensing server goes down? What happens if I don't have network access? etc. On Jul 22, 8:04 am, John Smith deltafoxtrot...@gmail.com wrote: 2009/7/23 Micah mi...@ourmailbox.net The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). This is where things like the obfusticated code contest to help people hide things in plain sight, as for spoofing a licensing server bit hard to spoof things if they do things with a decent helping of RSA. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
2009/7/23 Micah mi...@ourmailbox.net A while back Alias|Wavefront (now AutoDesk) tried the licensing server thing. If I'm not mistaken they even had a hardware token required to run their application and it still got cracked. That's an application that retails for $2000 a box, and they couldn't secure their software with a ridiculous amount of DRM. It's unlikely that a $5 phone app is going to do a much better job of things. Exactly, people will spend time and effort cracking $2000 apps, they won't bother with most 99c apps. I bet they cracked the app, not the licensing server unless the licensing server was all plain text transfers. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Mmm slidelock sounds like I'm gonna try it... I guess that's another way to distribute an app instead of using the Android Market... --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
There is also LM-X licensing server, that is promising. On Wed, Jul 22, 2009 at 9:03 PM, Moto medicalsou...@gmail.com wrote: Mmm slidelock sounds like I'm gonna try it... I guess that's another way to distribute an app instead of using the Android Market... --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
What does the Android market send the developer when an app is purchased? Is there any sort of notification? -John Coryat --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
We've made an open offer to Google before (and it is still open) that we'd be happy to give them details of the AndAppStore licensing system which is documented at http://andappstore.com/AndroidApplications/licensing.jsp It's cryptographically secure, doesn't need network access once the license is on the users device, and the client source code is entirely open so people can inspect how it works to look for faults, so it's a big step up from the current copy protection system. Unfortunately so far there has been no interest in taking it up. Still, we can hope Al. -- * Written an Android App? - List it at http://andappstore.com/ * == Funky Android Limited is registered in England Wales with the company number 6741909. The registered head office is Kemp House, 152-160 City Road, London, EC1V 2NX, UK. The views expressed in this email are those of the author and not necessarily those of Funky Android Limited, it's associates, or it's subsidiaries. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Most games/applications that gets cracked use the same copy protection. It takes some time to crack the first software, the rest of them is just a walk in the park. On Jul 22, 5:24 pm, John Smith deltafoxtrot...@gmail.com wrote: 2009/7/23 Micah mi...@ourmailbox.net A while back Alias|Wavefront (now AutoDesk) tried the licensing server thing. If I'm not mistaken they even had a hardware token required to run their application and it still got cracked. That's an application that retails for $2000 a box, and they couldn't secure their software with a ridiculous amount of DRM. It's unlikely that a $5 phone app is going to do a much better job of things. Exactly, people will spend time and effort cracking $2000 apps, they won't bother with most 99c apps. I bet they cracked the app, not the licensing server unless the licensing server was all plain text transfers. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01 pm, Micah mi...@ourmailbox.net wrote: The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a single library which can be stripped out and replaced with an always return true version. 3) Detect spoof servers because a spoof server will be unable to return a properly encrypted file and thus developers can detect decryption errors and mark them as spoofing attempts. Al. On Jul 22, 6:50 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01 pm, Micah mi...@ourmailbox.net wrote: The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
You have to log into the Market Developer Console to see purchases. They don't send email notifications like some of the other online stores do. Maps.Huge.Info (Maps API Guru) wrote: What does the Android market send the developer when an app is purchased? Is there any sort of notification? -John Coryat --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---
[android-developers] Re: ALL DEVELOPERS PIRATED APPLICATION ALL OVER!
There is a parallel world out there where it is ok to distribute applications that we all have shed sweat and blood to build see here : http://www.ipmart-forum.com/archive/index.php/t-337082.html Can't stop them, like someone pointed out earlier; not sure the creators of Android would ever care, since an underworld like this will only increase ad revenues as well as device penetration. The only ones who may be hurt would be small app developers. You can either put up and hope that your revenues come from people who play by rules, and hope that some amount of piracy would actually help make your software popular. -g On Jul 22, 10:58 am, Al Sutton a...@funkyandroid.com wrote: That form of approach is one of the main reasons the AndAppStore system can download an encrypted license to the device which can be stored and decrypted as neccessary. This means developers can; 1) Occasionally check the license is still valid by retrying to download it, and if it doesn't download due to a network/server error the app can use the locally cached copy. 2) Because the client code is open developers can embed it wherever they want in their program logic as opposed to being a single library which can be stripped out and replaced with an always return true version. 3) Detect spoof servers because a spoof server will be unable to return a properly encrypted file and thus developers can detect decryption errors and mark them as spoofing attempts. Al. On Jul 22, 6:50 pm, Kaj Bjurman kaj.bjur...@gmail.com wrote: Correct, Removing the part that makes the requests, and just return true is what people usually are doing. On Jul 22, 5:01 pm, Micah mi...@ourmailbox.net wrote: The pirates will either strip out the licensing requests from the application or they will spoof a licensing server. Meanwhile, your legitimate users can't use your application when they don't have access to the licensing server (it's down, they don't have internet access, etc.). On Jul 22, 7:55 am, Android Development indodr...@gmail.com wrote: Maybe an activation licensing key for each binary may be the solution for this. But then again, its easier said than done. On Wed, Jul 22, 2009 at 8:20 PM, Moto medicalsou...@gmail.com wrote: I know that piracy will never end, I mean I'm a solo developer trying to fight a war that multi-million companies have spent many millions on protecting their content and still they get pirated... Well yes there could be some ugly side effect if google adds more anti- pirating features, so I guess I'm not too much for that... But I believe there could be a better Android Market system that allows anyone with a phone to purchase an app and put it on their SDcard. Why not do the following? 1. User purchases app via Android Market. 2. Phone sends unique ID IME? to server. 3. Android Market server prepares application with encryption according to given phone information. 4. Application downloads to phone. put it anywhere, SD card.. etc... 5. Application only installs on the correct phone. I know this method would soon or later be hacked but it's a better way than current methods, since we still have those faulty Android version that allow rooting.. -Jona- Hide quoted text - - Show quoted text - --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~--~~~~--~~--~--~---