On Wed, Aug 25, 2010 at 8:13 AM, keyeslabs <keyes...@gmail.com> wrote: > Again, my contention is that something stronger than obfuscation is > needed to lock the APK down. OS-level APK encryption support in > addition to license verification. I would like to see us get to the > point that users must choose to root the phone (similar to Apple) in > order to use pirated apps. Better yet, users must root the phone and > in so doing remove the legal ability to access some desirable piece of > software.
Yeah there we are. As far as I can see, the next step in preventing piracy is to not allow users to install apps outside of Market at all.
We're not going to do that.
If there are other suggestions that will actually make things harder without doing that, I would certainly like to hear them. At this point people need to modify apps; once they are doing that, there aren't too many more things to do except make it harder to remove the illegal use check code out of the app.
> I realize that it's easy for me to rant on about what I want, and very > difficult for Google to strike the right balance between open and > lucrative. My fear at this point is that we're establishing a culture > of piracy on Android that is going to be difficult to turn around.
Um there is a culture of piracy *everywhere*. :}
If you are saying that because you think most people are pirating Android apps... I think your perception of things is probably pretty off. I know lots of people who have Android devices, and none of them even think of turning on the option to install from external sources, let alone go out and find pirated apps.
Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
On Wed, Aug 25, 2010 at 5:25 AM, keyeslabs <keyes...@gmail.com> wrote: > I don't completely buy the assertion that PR wasn't part of the > equation in designing, announcing, blogging, and writing press > releases about LVL. Piracy is one of the biggest thorns in the side > of Android at the moment. If Google doesn't recognize that as both a > technical AND a PR problem, then the platform is in for a very bumpy > ride from an application developer's perspective.
I think I'll bow out of this discussion. It looks like you are trying to read the worst in what I write, so I don't think there is much more useful we can discuss here.
Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
> If there are other suggestions that will actually make things harder > without doing that, I would certainly like to hear them.
Um, make the Market App side of LVL check that the application making LVL calls is signed with the same key as the .apk uploaded to Developer Home?
Seems this would make attacks based on code modifications pretty much impossible, since a modified .apk is signed with a different key from the developer's.
Sorry if things are coming off that way Dianne. I'm passionate about
this topic (obviously), but I only admire and respect you (in
particular) and the Android team in general. You've saved my butt
more than once. :)
I'm invested here. I'm all in on Android and success of the platform
matters to me. I want you to succeed just as much as I'm assuming you
want developers to succeed.
On Aug 25, 1:05 pm, Dianne Hackborn <hack...@android.com> wrote:
> On Wed, Aug 25, 2010 at 5:25 AM, keyeslabs <keyes...@gmail.com> wrote:
> > I don't completely buy the assertion that PR wasn't part of the
> > equation in designing, announcing, blogging, and writing press
> > releases about LVL. Piracy is one of the biggest thorns in the side
> > of Android at the moment. If Google doesn't recognize that as both a
> > technical AND a PR problem, then the platform is in for a very bumpy
> > ride from an application developer's perspective.
> I think I'll bow out of this discussion. It looks like you are trying to
> read the worst in what I write, so I don't think there is much more useful
> we can discuss here.
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.
I'm not sure how this would make code modification impossible?
You patch the application, make it always return a "yes, it was ok" to
the licensing service inside the apk. Application then requests
authentication, it fails, failure comes to application which still
continues to say "yes, it was ok".
So yes, your going to have the market return a fail always, but if
you've patched the application to *not* care, how is that actually
helping?
-Tim
On Aug 25, 10:13 am, Kostya Vasilyev <kmans...@gmail.com> wrote:
> 25.08.2010 21:04, Dianne Hackborn пишет:> If there are other suggestions that will actually make things harder
> > without doing that, I would certainly like to hear them.
> Um, make the Market App side of LVL check that the application making
> LVL calls is signed with the same key as the .apk uploaded to Developer
> Home?
> Seems this would make attacks based on code modifications pretty much
> impossible, since a modified .apk is signed with a different key from
> the developer's.
> Yeah there we are. As far as I can see, the next step in preventing piracy
> is to not allow users to install apps outside of Market at all.
> We're not going to do that.
That's not what I was picturing. Isn't there some way that we could
do both? Apps downloaded from market could be encrypted and only
decrypted by the OS when used (in real time, never decrypted and left
as an open APK on the device). I guess what I'm looking for is the
market to encrypt and sign an APK in real time for a particular user/
phone when downloaded. Each download would result in different bytes
for each user/phone
This doesn't necessarily preclude the installation of unencrypted apps
does it? I totally agree that we need app distribution capabilities
outside the context of Android Market -- it's a necessity for an open
platform.
In a nutshell, what I'm hoping LVL can grow into is a system that
packages license verification in a way that is really really hard to
remove. It seems like we've got half of that equation nicely under
way with LVL in its current form.
Dave
On Aug 25, 1:04 pm, Dianne Hackborn <hack...@android.com> wrote:
> On Wed, Aug 25, 2010 at 8:13 AM, keyeslabs <keyes...@gmail.com> wrote:
> > Again, my contention is that something stronger than obfuscation is
> > needed to lock the APK down. OS-level APK encryption support in
> > addition to license verification. I would like to see us get to the
> > point that users must choose to root the phone (similar to Apple) in
> > order to use pirated apps. Better yet, users must root the phone and
> > in so doing remove the legal ability to access some desirable piece of
> > software.
> Yeah there we are. As far as I can see, the next step in preventing piracy
> is to not allow users to install apps outside of Market at all.
> We're not going to do that.
> If there are other suggestions that will actually make things harder without
> doing that, I would certainly like to hear them. At this point people need
> to modify apps; once they are doing that, there aren't too many more things
> to do except make it harder to remove the illegal use check code out of the
> app.
> > I realize that it's easy for me to rant on about what I want, and very
> > difficult for Google to strike the right balance between open and
> > lucrative. My fear at this point is that we're establishing a culture
> > of piracy on Android that is going to be difficult to turn around.
> Um there is a culture of piracy *everywhere*. :}
> If you are saying that because you think most people are pirating Android
> apps... I think your perception of things is probably pretty off. I know
> lots of people who have Android devices, and none of them even think of
> turning on the option to install from external sources, let alone go out and
> find pirated apps.
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.
> Um there is a culture of piracy *everywhere*. :}
> If you are saying that because you think most people are pirating Android
> apps... I think your perception of things is probably pretty off. I know
> lots of people who have Android devices, and none of them even think of
> turning on the option to install from external sources, let alone go out and
> find pirated apps.
You're correct. My perception could very well be off. Without a
doubt I see VERY high piracy rates on my software in Android market
(see here: bit.ly/9ZYrh7). In my paranoid mind I've always
distributed this tendency towards piracy uniformly across the Android
user base.
I think that it's a good point that this is likely NOT true though.
As many have pointed out, piracy is motivated by different things,
including the inability to purchase from the market, over-priced apps,
etc. These motivations don't exist everywhere or for every app, and
so my guess is that there are piracy hot spots around the globe.
Actually, that would be a very interesting study. I think that I may
even have the raw data to do it for my own app. My app tracks coarse-
grained (city-level) location information, and I think that I could
extract that same information from Google Checkout records. I smell a
weekend going up in smoke... :)
Dave
On Aug 25, 1:04 pm, Dianne Hackborn <hack...@android.com> wrote:
> On Wed, Aug 25, 2010 at 8:13 AM, keyeslabs <keyes...@gmail.com> wrote:
> > Again, my contention is that something stronger than obfuscation is
> > needed to lock the APK down. OS-level APK encryption support in
> > addition to license verification. I would like to see us get to the
> > point that users must choose to root the phone (similar to Apple) in
> > order to use pirated apps. Better yet, users must root the phone and
> > in so doing remove the legal ability to access some desirable piece of
> > software.
> Yeah there we are. As far as I can see, the next step in preventing piracy
> is to not allow users to install apps outside of Market at all.
> We're not going to do that.
> If there are other suggestions that will actually make things harder without
> doing that, I would certainly like to hear them. At this point people need
> to modify apps; once they are doing that, there aren't too many more things
> to do except make it harder to remove the illegal use check code out of the
> app.
> > I realize that it's easy for me to rant on about what I want, and very
> > difficult for Google to strike the right balance between open and
> > lucrative. My fear at this point is that we're establishing a culture
> > of piracy on Android that is going to be difficult to turn around.
> Um there is a culture of piracy *everywhere*. :}
> If you are saying that because you think most people are pirating Android
> apps... I think your perception of things is probably pretty off. I know
> lots of people who have Android devices, and none of them even think of
> turning on the option to install from external sources, let alone go out and
> find pirated apps.
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.
> That's not what I was picturing. Isn't there some way that we could > do both? Apps downloaded from market could be encrypted and only > decrypted by the OS when used (in real time, never decrypted and left > as an open APK on the device). I guess what I'm looking for is the > market to encrypt and sign an APK in real time for a particular user/ > phone when downloaded. Each download would result in different bytes > for each user/phone
> This doesn't necessarily preclude the installation of unencrypted apps > does it? I totally agree that we need app distribution capabilities > outside the context of Android Market -- it's a necessity for an open > platform.
> In a nutshell, what I'm hoping LVL can grow into is a system that > packages license verification in a way that is really really hard to > remove. It seems like we've got half of that equation nicely under > way with LVL in its current form.
How about allowing the dev to specify response int values in the Dev Console?
The recent "crack" script would (probably) not be able to work out which code means what. Therefore, a pirate would have to crack each app individually.
That's right isn't it? The automation only works because LICENSED is always the same int value...
On 25 August 2010 19:31, strazzere <str...@gmail.com> wrote:
> I'm not sure how this would make code modification impossible?
> You patch the application, make it always return a "yes, it was ok" to > the licensing service inside the apk. Application then requests > authentication, it fails, failure comes to application which still > continues to say "yes, it was ok".
> So yes, your going to have the market return a fail always, but if > you've patched the application to *not* care, how is that actually > helping?
> -Tim
> On Aug 25, 10:13 am, Kostya Vasilyev <kmans...@gmail.com> wrote: > > 25.08.2010 21:04, Dianne Hackborn пишет:> If there are other > suggestions that will actually make things harder > > > without doing that, I would certainly like to hear them.
> > Um, make the Market App side of LVL check that the application making > > LVL calls is signed with the same key as the .apk uploaded to Developer > > Home?
> > Seems this would make attacks based on code modifications pretty much > > impossible, since a modified .apk is signed with a different key from > > the developer's.
> -- > You received this message because you are subscribed to the Google > Groups "Android Developers" group. > To post to this group, send email to android-developers@googlegroups.com > To unsubscribe from this group, send email to > android-developers+unsubscribe@googlegroups.com<android-developers%2Bunsubs cribe@googlegroups.com> > For more options, visit this group at > http://groups.google.com/group/android-developers?hl=en
Isn't that only because the APK gets decrypted and written to "disk"
as opposed to only being done in transient memory as the application
is launched? There's an application startup overhead obviously to
decrypting the APK on-the-fly, but seems like a much higher bar than
just cp /data/app/foo.apk...
Dave
On Aug 25, 1:50 pm, Michael MacDonald <googlec...@antlersoft.com>
wrote:
> Encrypting the .apk is like forward-locking; it is easily defeated on
> rooted phones.
> On 08/25/10 13:33, keyeslabs wrote:
> > That's not what I was picturing. Isn't there some way that we could
> > do both? Apps downloaded from market could be encrypted and only
> > decrypted by the OS when used (in real time, never decrypted and left
> > as an open APK on the device). I guess what I'm looking for is the
> > market to encrypt and sign an APK in real time for a particular user/
> > phone when downloaded. Each download would result in different bytes
> > for each user/phone
> > This doesn't necessarily preclude the installation of unencrypted apps
> > does it? I totally agree that we need app distribution capabilities
> > outside the context of Android Market -- it's a necessity for an open
> > platform.
> > In a nutshell, what I'm hoping LVL can grow into is a system that
> > packages license verification in a way that is really really hard to
> > remove. It seems like we've got half of that equation nicely under
> > way with LVL in its current form.
Removing or stubbing calls to licensing service inside Market App is difficult, since those calls use encrypted responses. This is not trivial to mess with.
The LVL library and the application, or the communication between them, is the easier point of attack. In fact, the original blog post described a hack that messed with the way the application communicated with the LVL.
A hack that is not overly complicated makes an application that still communicates with Android Market, but, because of code changes, is signed with a new key. This is the case that can be detected.
> I'm not sure how this would make code modification impossible?
> You patch the application, make it always return a "yes, it was ok" to > the licensing service inside the apk. Application then requests > authentication, it fails, failure comes to application which still > continues to say "yes, it was ok".
> So yes, your going to have the market return a fail always, but if > you've patched the application to *not* care, how is that actually > helping?
> -Tim
> On Aug 25, 10:13 am, Kostya Vasilyev<kmans...@gmail.com> wrote: >> 25.08.2010 21:04, Dianne Hackborn пишет:> If there are other suggestions that will actually make things harder >>> without doing that, I would certainly like to hear them. >> Um, make the Market App side of LVL check that the application making >> LVL calls is signed with the same key as the .apk uploaded to Developer >> Home?
>> Seems this would make attacks based on code modifications pretty much >> impossible, since a modified .apk is signed with a different key from >> the developer's.
I agree and I don't see how people are missing this valuable point you
make Mark.
Currently we are at: crackers must modify the program code to allow
piracy
From here there are two ways to make piracy more difficult:
A) Make secure, non-rooted phones reject apps so that even a cracked
app won't run on a stock phone
B) Make crackers actually have to write code instead of just flip a
dalvik op somewhere
The problem with A is that for every app name SuperCoolWidget, there
could exist an app called SuperAwesomeWidget that has the same code
minus the call to LVL, so Google would have to disallow all non-market
apps to really make this work. Also, say for example they *did* want
to pursue this route. Obviously disabling side-loading isn't on the
table. But if say you wanted to check an applications full name
com.appdev.android.supercoolwidget etc to make sure that it isn't on
the market and doesn't have a checkmark that says "prevent
sideloading". Then at the very least now phones need a valid internet
connection to side load an app. So it's not going to be just a war
against pirates it's also to some extend degrading honest customers'
experiences.
I think the reliance on binder -> Market probably is going to make
automated cracks a little easier for pirates since I feel like these
kinds of calls will be easy to automatically find in apps.
So the final security measure B) is to simply make the hackers have to
write code. Granted I'm no security expert, but it seems to me that
the only thing that can be done is on the google LVL server. You can
upload a simple java class with a function that takes in:
Some basic information about the device the app is supposedly
installed on, possibly something time based like an integer that is
based on the date that the security policy of the app would determine
as the expiration date of the last LVL authentication. And returns an
array of bytes. The function wouldn't have access to any java
threading etc, and would be limited to a short runtime or something.
Then developers would have to make a call to LVL, then do something
like getSettings().setImportantSetting(lvlResponseData[5] +
lvlResponseData[1] - phone.DeviceSpecificInformation +
lvlAuthExpirationDateInt)
Where the online service feeds it data that will balance out with the
code in the apk to actually result in the value the setting is
supposed to have. really it becomes like a complex captcha for
crackers. They can still crack an app. But more importantly is the
actual obfuscation, like say you need a 5 in your code, you could use
an LVL web service which knows the specifics of your app to generate a
5 as well as generate the server side function that outputs the data
necessary.
So that hackers would have to figure out each time you update your app
how to crack it manually. That is what will actually stop the value of
piracy. Updates. If your app receives constant updates but people
pirating your app have to stick with an old one because the hackers
can't be bothered to keep cracking your app over and over again that
is the only way.
Of course I don't really see it being worth it, but I don't see any
other way to make the system more secure without moving a piece of
your code into the cloud.
-E
On Aug 25, 10:55 am, Mark Carter <mjc1...@googlemail.com> wrote:
> How about allowing the dev to specify response int values in the Dev
> Console?
> The recent "crack" script would (probably) not be able to work out which
> code means what. Therefore, a pirate would have to crack each app
> individually.
> That's right isn't it? The automation only works because LICENSED is always
> the same int value...
> On 25 August 2010 19:31, strazzere <str...@gmail.com> wrote:
> > I'm not sure how this would make code modification impossible?
> > You patch the application, make it always return a "yes, it was ok" to
> > the licensing service inside the apk. Application then requests
> > authentication, it fails, failure comes to application which still
> > continues to say "yes, it was ok".
> > So yes, your going to have the market return a fail always, but if
> > you've patched the application to *not* care, how is that actually
> > helping?
> > -Tim
> > On Aug 25, 10:13 am, Kostya Vasilyev <kmans...@gmail.com> wrote:
> > > 25.08.2010 21:04, Dianne Hackborn пишет:> If there are other
> > suggestions that will actually make things harder
> > > > without doing that, I would certainly like to hear them.
> > > Um, make the Market App side of LVL check that the application making
> > > LVL calls is signed with the same key as the .apk uploaded to Developer
> > > Home?
> > > Seems this would make attacks based on code modifications pretty much
> > > impossible, since a modified .apk is signed with a different key from
> > > the developer's.
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Android Developers" group.
> > To post to this group, send email to android-developers@googlegroups.com
> > To unsubscribe from this group, send email to
> > android-developers+unsubscribe@googlegroups.com<android-developers%2Bunsubs cribe@googlegroups.com>
> > For more options, visit this group at
> >http://groups.google.com/group/android-developers?hl=en
Hi String , i have uploaded and saved my new licensed version 2 of my
application on market. And testing on my emulator but its still not
allowing. My version 2 is still not published? Moreover, application
licensed version 1 was running fine.Help me plzz..
Thanks,
On Aug 21, 2:29 pm, String <sterling.ud...@googlemail.com> wrote:
> I think you need to upload an APK with versioncode="2" to your Market
> console. You don't need to publish it, but you do need to upload and
> save that version before LVL will give a correct response for it.
> String
> On Aug 21, 9:15 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> > Hi all,
> > I am facing the problem in licensing of my old published paid apps.
> > Basically i have paid app which is published by version code 1. I
> > implemented the license code on it, it working fine to me. Licensing
> > server giving the response or allow that you can use it. But once i
> > changed version code from 1 to 2 in manifest file, then licensing
> > service not allow to use the app.Server giving the response dont
> > allow. I not understanderd, y it has relation with version code? i
> > can't publish the update version.???
> > Moreover, i am already login to my publisher account, i have setting
> > of LICENSED in edit profile section.
> > Is any body can help me?...... Helppppp
> > On Jul 28, 1:19 am, Kaj Bjurman <kaj.bjur...@gmail.com> wrote:
> > > I saw that entry, and have a question.
> > > What will happen if the user doesn't have network connectivity? Many
> > > users turn of data traffic when they travel to other countries, but
> > > the probably still want to use the licensed applications.
> > > > Android fans,
> > > > For those of you who haven't already heard through our blog, we've
> > > > just launched the Android Market licensing service:
> > > > "This simple and free service provides a secure mechanism to manage
> > > > access to all Android Market paid applications targeting Android 1.5
> > > > or higher. At run time, with the inclusion of a set of libraries
> > > > provided by us, your application can query the Android Market
> > > > licensing server to determine the license status of your users. It
> > > > returns information on whether your users are authorized to use the
> > > > app based on stored sales records."
> > > > Developer documentation is available here:
> > Um there is a culture of piracy *everywhere*. :}
> > If you are saying that because you think most people are pirating Android
> > apps... I think your perception of things is probably pretty off. I know
> > lots of people who have Android devices, and none of them even think of
> > turning on the option to install from external sources, let alone go out and
> > find pirated apps.
> You're correct. My perception could very well be off. Without a
> doubt I see VERY high piracy rates on my software in Android market
> (see here: bit.ly/9ZYrh7). In my paranoid mind I've always
> distributed this tendency towards piracy uniformly across the Android
> user base.
> I think that it's a good point that this is likely NOT true though.
> As many have pointed out, piracy is motivated by different things,
> including the inability to purchase from the market, over-priced apps,
> etc. These motivations don't exist everywhere or for every app, and
> so my guess is that there are piracy hot spots around the globe.
> Actually, that would be a very interesting study. I think that I may
> even have the raw data to do it for my own app. My app tracks coarse-
> grained (city-level) location information, and I think that I could
> extract that same information from Google Checkout records. I smell a
> weekend going up in smoke... :)
> Dave
> On Aug 25, 1:04 pm, Dianne Hackborn <hack...@android.com> wrote:
> > On Wed, Aug 25, 2010 at 8:13 AM, keyeslabs <keyes...@gmail.com> wrote:
> > > Again, my contention is that something stronger than obfuscation is
> > > needed to lock the APK down. OS-level APK encryption support in
> > > addition to license verification. I would like to see us get to the
> > > point that users must choose to root the phone (similar to Apple) in
> > > order to use pirated apps. Better yet, users must root the phone and
> > > in so doing remove the legal ability to access some desirable piece of
> > > software.
> > Yeah there we are. As far as I can see, the next step in preventing piracy
> > is to not allow users to install apps outside of Market at all.
> > We're not going to do that.
> > If there are other suggestions that will actually make things harder without
> > doing that, I would certainly like to hear them. At this point people need
> > to modify apps; once they are doing that, there aren't too many more things
> > to do except make it harder to remove the illegal use check code out of the
> > app.
> > > I realize that it's easy for me to rant on about what I want, and very
> > > difficult for Google to strike the right balance between open and
> > > lucrative. My fear at this point is that we're establishing a culture
> > > of piracy on Android that is going to be difficult to turn around.
> > Um there is a culture of piracy *everywhere*. :}
> > If you are saying that because you think most people are pirating Android
> > apps... I think your perception of things is probably pretty off. I know
> > lots of people who have Android devices, and none of them even think of
> > turning on the option to install from external sources, let alone go out and
> > find pirated apps.
> > Note: please don't send private questions to me, as I don't have time to
> > provide private support, and so won't reply to such e-mails. All such
> > questions should be posted on public forums, where I and others can see and
> > answer them.
HI Trevor Johns. i am testing in AVD of froyo 2.2 (Google API) and
login with my market account in google account. The question is that
when i changed the my app version from 1 to 2, google licensing server
not allowing me to use app. Where when i again change it to 2 from 1,
its allowin me to use app. So in short, app version 1 is working fine
where app version 2 not.What mistake i am doing ? Please help me....
THANKS...
On Jul 27, 10:55 pm, Trevor Johns <trevorjo...@google.com> wrote:
> "This simple and free service provides a secure mechanism to manage
> access to all Android Market paid applications targeting Android 1.5
> or higher. At run time, with the inclusion of a set of libraries
> provided by us, your application can query the Android Market
> licensing server to determine the license status of your users. It
> returns information on whether your users are authorized to use the
> app based on stored sales records."
I suggest you start a new thread for this issue; this "sticky" topic
is better used for generalized discussion of LVL, not debugging of
individual issues.
String
On Aug 26, 5:31 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> Hi String , i have uploaded and saved my new licensed version 2 of my
> application on market. And testing on my emulator but its still not
> allowing. My version 2 is still not published? Moreover, application
> licensed version 1 was running fine.Help me plzz..
> Thanks,
> On Aug 21, 2:29 pm, String <sterling.ud...@googlemail.com> wrote:
> > I think you need to upload an APK with versioncode="2" to your Market
> > console. You don't need to publish it, but you do need to upload and
> > save that version before LVL will give a correct response for it.
> > String
> > On Aug 21, 9:15 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> > > Hi all,
> > > I am facing the problem in licensing of my old published paid apps.
> > > Basically i have paid app which is published by version code 1. I
> > > implemented the license code on it, it working fine to me. Licensing
> > > server giving the response or allow that you can use it. But once i
> > > changed version code from 1 to 2 in manifest file, then licensing
> > > service not allow to use the app.Server giving the response dont
> > > allow. I not understanderd, y it has relation with version code? i
> > > can't publish the update version.???
> > > Moreover, i am already login to my publisher account, i have setting
> > > of LICENSED in edit profile section.
> > > Is any body can help me?...... Helppppp
> > > On Jul 28, 1:19 am, Kaj Bjurman <kaj.bjur...@gmail.com> wrote:
> > > > I saw that entry, and have a question.
> > > > What will happen if the user doesn't have network connectivity? Many
> > > > users turn of data traffic when they travel to other countries, but
> > > > the probably still want to use the licensed applications.
> > > > > Android fans,
> > > > > For those of you who haven't already heard through our blog, we've
> > > > > just launched the Android Market licensing service:
> > > > > "This simple and free service provides a secure mechanism to manage
> > > > > access to all Android Market paid applications targeting Android 1.5
> > > > > or higher. At run time, with the inclusion of a set of libraries
> > > > > provided by us, your application can query the Android Market
> > > > > licensing server to determine the license status of your users. It
> > > > > returns information on whether your users are authorized to use the
> > > > > app based on stored sales records."
> > > > > Developer documentation is available here:
> I suggest you start a new thread for this issue; this "sticky" topic
> is better used for generalized discussion of LVL, not debugging of
> individual issues.
> String
> On Aug 26, 5:31 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> > Hi String , i have uploaded and saved my new licensed version 2 of my
> > application on market. And testing on my emulator but its still not
> > allowing. My version 2 is still not published? Moreover, application
> > licensed version 1 was running fine.Help me plzz..
> > Thanks,
> > On Aug 21, 2:29 pm, String <sterling.ud...@googlemail.com> wrote:
> > > I think you need to upload an APK with versioncode="2" to your Market
> > > console. You don't need to publish it, but you do need to upload and
> > > save that version before LVL will give a correct response for it.
> > > String
> > > On Aug 21, 9:15 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> > > > Hi all,
> > > > I am facing the problem in licensing of my old published paid apps.
> > > > Basically i have paid app which is published by version code 1. I
> > > > implemented the license code on it, it working fine to me. Licensing
> > > > server giving the response or allow that you can use it. But once i
> > > > changed version code from 1 to 2 in manifest file, then licensing
> > > > service not allow to use the app.Server giving the response dont
> > > > allow. I not understanderd, y it has relation with version code? i
> > > > can't publish the update version.???
> > > > Moreover, i am already login to my publisher account, i have setting
> > > > of LICENSED in edit profile section.
> > > > Is any body can help me?...... Helppppp
> > > > On Jul 28, 1:19 am, Kaj Bjurman <kaj.bjur...@gmail.com> wrote:
> > > > > I saw that entry, and have a question.
> > > > > What will happen if the user doesn't have network connectivity? Many
> > > > > users turn of data traffic when they travel to other countries, but
> > > > > the probably still want to use the licensed applications.
> > > > > > Android fans,
> > > > > > For those of you who haven't already heard through our blog, we've
> > > > > > just launched the Android Market licensing service:
> > > > > > "This simple and free service provides a secure mechanism to manage
> > > > > > access to all Android Market paid applications targeting Android 1.5
> > > > > > or higher. At run time, with the inclusion of a set of libraries
> > > > > > provided by us, your application can query the Android Market
> > > > > > licensing server to determine the license status of your users. It
> > > > > > returns information on whether your users are authorized to use the
> > > > > > app based on stored sales records."
> > > > > > Developer documentation is available here:
> In a nutshell, what I'm hoping LVL can grow into is a system that
> packages license verification in a way that is really really hard to
> remove. It seems like we've got half of that equation nicely under
> way with LVL in its current form.
The sort of anti-piracy system you're after is essentially what games
consoles use - it's very easy for the developer, in fact, they need do
nothing at all and (for games distributed online) they are piracy
proof.
But the costs of this system are enormous, and problematically, fall
squarely on the device manufacturer (Microsoft/Sony). If Android were
to try and adopt this sort of scheme, you can forget about
- Competing hardware vendors
- Frequent new hardware releases
- Cost-competitive devices (ie they'd be more expensive than the
iPhone)
- Open source
Android obviously chose to go down the route of having a competitive
hardware and software space, at the cost of having piracy.
There is a phone platform that matches the above criteria, the iPhone,
but Apple didn't bother to make the investment in security required so
you get all the downsides and none of the upsides.
> That's not what I was picturing. Isn't there some way that we could
> do both? Apps downloaded from market could be encrypted and only
> decrypted by the OS when used (in real time, never decrypted and left
> as an open APK on the device).
This is easily defeated by modifying the (open source!) runtime to
dump the decrypted version.
Worse, once done it applies to every app. We're back to the universal
crack.
The reason I keep harping on about strong, app specific code
obfuscation etc is precisely because you DO need to encrypt your app
but you DON'T want to do it the same way as everyone else, which an
Android provided solution would imply.
Nothing says there can't be a PC-style reusable toolkit that you can
easily integrate into your app, but it'd be provided by third parties
rather than the Android project.
> Not with this system as far as I'm aware - users will have to purchase
> a new license when changing to a phone running a different OS.
> You'll have to continue using your own system if you want this kind of
> functionality.
> On Jul 28, 12:44 pm, sblantipodi <perini.dav...@dpsoftware.org> wrote:
> > Hi all...
> > When you bought my software you bought a license, this license can be
> > ported from android to other platform like Symbian, Winmob, bada,
> > JavaME, Blackberry...
> > Every customers who bought my license is registered on our database,
> > (email address and device id),
> > this let me generate a new activation code in case he want to switch
> > the license from android to xx platform.
> > Is there an easy way to update my database when a customer bought my
> > software with the email address and device id of the customer who
> > bought the software or legally activated it?
> in my set-up. No idea where these classes are. My fault I am sure....
> On Jul 28, 5:01 pm, Joseph Earl <joseph.w.e...@gmail.com> wrote:
> > Not with this system as far as I'm aware - users will have to purchase
> > a new license when changing to a phone running a different OS.
> > You'll have to continue using your own system if you want this kind of
> > functionality.
> > On Jul 28, 12:44 pm, sblantipodi <perini.dav...@dpsoftware.org> wrote:
> > > Hi all...
> > > When you bought my software you bought a license, this license can be
> > > ported from android to other platform like Symbian, Winmob, bada,
> > > JavaME, Blackberry...
> > > Every customers who bought my license is registered on our database,
> > > (email address and device id),
> > > this let me generate a new activation code in case he want to switch
> > > the license from android to xx platform.
> > > Is there an easy way to update my database when a customer bought my
> > > software with the email address and device id of the customer who
> > > bought the software or legally activated it?
> in my set-up. No idea where these classes are. My fault I am sure....
> On Jul 28, 5:01 pm, Joseph Earl <joseph.w.e...@gmail.com> wrote:> Not with this system as far as I'm aware - users will have to purchase
> > a new license when changing to a phone running a different OS.
> > You'll have to continue using your own system if you want this kind of
> > functionality.
> > On Jul 28, 12:44 pm, sblantipodi <perini.dav...@dpsoftware.org> wrote:
> > > Hi all...
> > > When you bought my software you bought a license, this license can be
> > > ported from android to other platform like Symbian, Winmob, bada,
> > > JavaME, Blackberry...
> > > Every customers who bought my license is registered on our database,
> > > (email address and device id),
> > > this let me generate a new activation code in case he want to switch
> > > the license from android to xx platform.
> > > Is there an easy way to update my database when a customer bought my
> > > software with the email address and device id of the customer who
> > > bought the software or legally activated it?
>how a pirated app can be updated 5 minutes after a submission ?
I actually have seen a repeatable case where the Market app will start
tracking an app as if it were purchased when it wasn't. Back when my
G1 was running Android 1.5, I had one of my paid apps installed
already, then tried to buy it in the Market to test if purchasing was
working correctly. This results in an error during the checkout
process because you can't buy your own app, so there is no charge to
your Google Checkout account, but after that error, the Market app
started treating the install as if it had been done by the Market app.
It let me post a comment, etc. whereas it hadn't before. This was
fixed in later versions, but I'm just bringing it up as an example of
where the Market app on the phone can behave as if you own something
that presumably the Google servers know you don't.
Additionally, I've seen threads elsewhere by people with rooted phones
where they were intentionally changing things in the Market app's
database. This was being done to fix the problem where the Market
never starts a download. I get that a lot myself, but I don't have any
rooted phones, so I'm stuck doing the clear various app's data from
the settings magic ritual to fix that problem. But, anyway, I'm just
bringing this second thing up as an example of where some phone owners
intentionally manipulate the Market app's database. I've also seen
people list the database schema it uses as well.
In conclusion, I wouldn't be surprised if it were possible to tweak
the Market app database on a rooted phone to make it think it had
installed an app that was really obtained via piracy. Thereafter it
might offer to update the app automatically, just like any other app
it had installed.
Phew, there's probably a simpler situation out there that is more
likely, but that's an interesting one that comes to mind.
People do scrape the market automatically for information to make
market listing web sites. Maybe others' scrape it automatically to
pull down any app as it appears in the just in section.
On Aug 28, 6:02 pm, Nicolas Thibaut <nthibau...@gmail.com> wrote:
> I have implemented the LVL to send event on private webservices each
> time the market respond an NOT ALLOWED.
> Five minutes after the submission to android market, some events were
> throwed.
> How can this be possible ?
> how a pirated app can be updated 5 minutes after a submission ?
> On 27 août, 08:11, String <sterling.ud...@googlemail.com> wrote:
> > I suggest you start a new thread for this issue; this "sticky" topic
> > is better used for generalized discussion of LVL, not debugging of
> > individual issues.
> > String
> > On Aug 26, 5:31 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> > > Hi String , i have uploaded and saved my new licensed version 2 of my
> > > application on market. And testing on my emulator but its still not
> > > allowing. My version 2 is still not published? Moreover, application
> > > licensed version 1 was running fine.Help me plzz..
> > > Thanks,
> > > On Aug 21, 2:29 pm, String <sterling.ud...@googlemail.com> wrote:
> > > > I think you need to upload an APK with versioncode="2" to your Market
> > > > console. You don't need to publish it, but you do need to upload and
> > > > save that version before LVL will give a correct response for it.
> > > > String
> > > > On Aug 21, 9:15 am, Feelsocial <feelsocial.andr...@gmail.com> wrote:
> > > > > Hi all,
> > > > > I am facing the problem in licensing of my old published paid apps.
> > > > > Basically i have paid app which is published by version code 1. I
> > > > > implemented the license code on it, it working fine to me. Licensing
> > > > > server giving the response or allow that you can use it. But once i
> > > > > changed version code from 1 to 2 in manifest file, then licensing
> > > > > service not allow to use the app.Server giving the response dont
> > > > > allow. I not understanderd, y it has relation with version code? i
> > > > > can't publish the update version.???
> > > > > Moreover, i am already login to my publisher account, i have setting
> > > > > of LICENSED in edit profile section.
> > > > > Is any body can help me?...... Helppppp
> > > > > On Jul 28, 1:19 am, Kaj Bjurman <kaj.bjur...@gmail.com> wrote:
> > > > > > I saw that entry, and have a question.
> > > > > > What will happen if the user doesn't have network connectivity? Many
> > > > > > users turn of data traffic when they travel to other countries, but
> > > > > > the probably still want to use the licensed applications.
> > > > > > > "This simple and free service provides a secure mechanism to manage
> > > > > > > access to all Android Market paid applications targeting Android 1.5
> > > > > > > or higher. At run time, with the inclusion of a set of libraries
> > > > > > > provided by us, your application can query the Android Market
> > > > > > > licensing server to determine the license status of your users. It
> > > > > > > returns information on whether your users are authorized to use the
> > > > > > > app based on stored sales records."
> > > > > > > Developer documentation is available here:
