Android Market Licensing: Now Available!


Trevor Johns

Jul 27, 2010, 1:55:48 PM
to Android Developers
Android fans,
For those of you who haven't already heard through our blog, we've
just launched the Android Market licensing service:

http://android-developers.blogspot.com/2010/07/licensing-service-for-android.html

From the above blog post:

"This simple and free service provides a secure mechanism to manage
access to all Android Market paid applications targeting Android 1.5
or higher. At run time, with the inclusion of a set of libraries
provided by us, your application can query the Android Market
licensing server to determine the license status of your users. It
returns information on whether your users are authorized to use the
app based on stored sales records."

Developer documentation is available here:

http://developer.android.com/guide/publishing/licensing.html

Happy coding!

--
Trevor Johns
Google Developer Programs, Android
http://developer.android.com

Shane Isbell

Jul 27, 2010, 2:03:37 PM
to android-d...@googlegroups.com
Very cool.


--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-d...@googlegroups.com
To unsubscribe from this group, send email to
android-develop...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en



--
Shane Isbell (Founder of ZappMarket)
http://apps.facebook.com/zappmarket/

Maps.Huge.Info (Maps API Guru)

Jul 27, 2010, 2:25:14 PM
to Android Developers
Excellent! Now all we need is a subscription payment model and we can
actually make some money!

-John Coryat

Anton Persson

Jul 27, 2010, 2:39:44 PM
to android-d...@googlegroups.com
That, and the ability for folks to actually access the paid-for apps... 

Sweden, like probably many countries still, has no access to the paid apps... When will Google understand that this is critical for them to keep the momentum? If the status quo persists, people will give up, pack their bags and spend their money on iFruits instead...

    Regards
       Anton

Kostya Vasilyev

Jul 27, 2010, 2:42:24 PM
to android-d...@googlegroups.com
What's great is that it's available on all Android versions starting
with 1.5 (i.e. it's not a Froyo only feature).

-- Kostya

27.07.2010 21:55, Trevor Johns wrote:


--
Kostya Vasilev -- WiFi Manager + pretty widget -- http://kmansoft.wordpress.com

sblantipodi

Jul 27, 2010, 2:55:58 PM
to Android Developers
Excellent, is there some code sample on how to use these new APIs?

On Jul 27, 8:42 pm, Kostya Vasilyev <kmans...@gmail.com> wrote:
> What's great is that it's available on all Android versions starting
> with 1.5 (i.e. it's not a Froyo only feature).
>
> -- Kostya
>
> 27.07.2010 21:55, Trevor Johns wrote:
>
> > Android fans,
> > For those of you who haven't already heard through our blog, we've
> > just launched the Android Market licensing service:
> >
> > http://android-developers.blogspot.com/2010/07/licensing-service-for-...

Trevor Johns

Jul 27, 2010, 3:05:04 PM
to android-d...@googlegroups.com
Yes. There's a code sample that's bundled as part of the library download.

You'll find it in $SDK_ROOT/market_licensing/sample.

-- 
Trevor Johns
Google Developer Programs, Android

Kaj Bjurman

Jul 27, 2010, 4:19:01 PM
to Android Developers
I saw that entry, and have a question.

What will happen if the user doesn't have network connectivity? Many
users turn off data traffic when they travel to other countries, but
they probably still want to use the licensed applications.

On 27 July, 19:55, Trevor Johns <trevorjo...@google.com> wrote:
> Android fans,
> For those of you who haven't already heard through our blog, we've
> just launched the Android Market licensing service:
>
> http://android-developers.blogspot.com/2010/07/licensing-service-for-...

Trevor Johns

Jul 27, 2010, 4:22:34 PM
to android-d...@googlegroups.com
Developers can choose whether to implement response caching or not.

Assuming caching is enabled, we require a network connection for the first license check, but then the user can go offline for a period of time before requiring another license check.

-- 
Trevor Johns
Google Developer Programs, Android

Kostya Vasilyev

Jul 27, 2010, 4:31:27 PM
to android-d...@googlegroups.com

Is caching implemented in the library or in the Market app?

I am concerned about potential abuse, such as replacing cache contents.

--
Kostya Vasilyev -- http://kmansoft.wordpress.com

On 28.07.2010 0:23, user "Trevor Johns" <trevo...@google.com> wrote:

> Developers can choose whether to implement response caching or not.
>
> Assuming caching is enabled, we require a network connection for the first license check, but then the user can go offline for a period of time before requiring another license check.
>
> --
> Trevor Johns
> Google Developer Programs, Android
>
> On Tue, Jul 27, 2010 at 1:19 PM, Kaj Bjurman <kaj.b...@gmail.com> wrote:
> >
> > I saw that entry, ...

Trevor Johns

Jul 27, 2010, 4:53:51 PM
to android-d...@googlegroups.com
It's implemented in the library.

Cache contents are protected using a swappable Obfuscator class. We include a standard obfuscator implementation that encrypts cache data using AES-256 and an application-specific key, along with a copy of the device ID. This prevents tampering with cache data, or replaying it across applications/devices. Developers are also free to implement their own Obfuscator if they so choose. (The cache itself contains timestamp data, so there's no point in replaying the cache data for the same application on the same device.)

-- 
Trevor Johns
Google Developer Programs, Android
http://developer.android.com
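
An added sketch of the cache protection described in the post above (not code from the LVL or from this thread): the AES-256 key is derived from an app-specific salt, the package name and the device ID, and each entry carries its expiry timestamp. The class name `BoundLicenseCache`, the choice of PBKDF2 and AES-GCM, the iteration count and all sample values are assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration of a device- and app-bound license cache. Not the LVL's own code. */
public class BoundLicenseCache {
    private static final int ITERATIONS = 10_000; // assumed work factor for this sketch
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();

    // The key depends on a per-app salt, the package name and the device ID, so a cache
    // entry copied to another app or another device decrypts under the wrong key.
    // Derivation is deliberately slow: do it once per process and keep the instance.
    public BoundLicenseCache(byte[] appSalt, String packageName, String deviceId)
            throws GeneralSecurityException {
        char[] secret = (packageName + '\n' + deviceId).toCharArray();
        PBEKeySpec spec = new PBEKeySpec(secret, appSalt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        this.key = new SecretKeySpec(raw, "AES");
    }

    /** Seals "validUntilMillis|status" with AES-GCM so any modification is detected. */
    public String store(String status, long validUntilMillis) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = (validUntilMillis + "|" + status).getBytes(StandardCharsets.UTF_8);
        byte[] sealed = cipher.doFinal(plain);
        byte[] out = ByteBuffer.allocate(iv.length + sealed.length).put(iv).put(sealed).array();
        return Base64.getEncoder().encodeToString(out);
    }

    /** Returns the cached status, or null when the entry is forged, foreign or expired. */
    public String load(String stored, long nowMillis) {
        try {
            byte[] in = Base64.getDecoder().decode(stored);
            if (in.length <= IV_BYTES) return null;
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            String plain = new String(
                    cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
            int sep = plain.indexOf('|');
            long validUntil = Long.parseLong(plain.substring(0, sep));
            return nowMillis <= validUntil ? plain.substring(sep + 1) : null;
        } catch (GeneralSecurityException | RuntimeException e) {
            return null; // tag mismatch, wrong key, bad Base64 or malformed payload
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = {12, -7, 33, 90, -61, 4, 18, -100}; // constructed sample salt
        long now = 1_280_000_000_000L;                     // constructed "current time"
        BoundLicenseCache phoneA = new BoundLicenseCache(salt, "com.example.app", "device-A");
        String entry = phoneA.store("LICENSED", now + 86_400_000L); // valid for one day

        System.out.println("same app, same device : " + phoneA.load(entry, now));
        System.out.println("after expiry          : " + phoneA.load(entry, now + 2 * 86_400_000L));

        BoundLicenseCache phoneB = new BoundLicenseCache(salt, "com.example.app", "device-B");
        System.out.println("copied to device B    : " + phoneB.load(entry, now));

        BoundLicenseCache otherApp = new BoundLicenseCache(salt, "com.example.other", "device-A");
        System.out.println("copied to other app   : " + otherApp.load(entry, now));

        char[] chars = entry.toCharArray();               // flip one stored character
        chars[20] = chars[20] == 'A' ? 'B' : 'A';
        System.out.println("tampered entry        : " + phoneA.load(new String(chars), now));
    }
}
```

Because the key material lives inside the app, this protects the cached response against editing and copying, not against modification of the app itself.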

Kostya Vasilyev

Jul 27, 2010, 5:01:40 PM
to android-d...@googlegroups.com

OK, great. Thanks for the info.

--
Kostya Vasilyev -- http://kmansoft.wordpress.com

On 28.07.2010 0:55, user "Trevor Johns" <trevo...@google.com> wrote:

> It's implemented in the library.
>
> Cache contents are protected using a swappable Obfuscator class. We include a standard obfuscator implementation that encrypts cache data using AES-256 and an application-specific key, along with a copy of the device ID. This prevents tampering with cache data, or replaying it across applications/devices. Developers are also free to implement their own Obfuscator if they so choose. (The cache itself contains timestamp data, so there's no point in replaying the cache data for the same application on the same device.)
>
> --
> Trevor Johns
> Google Developer Programs, Android
> http://developer.android.com
>
> On Tue, Jul 27, 2010 at 1:31 PM, Kostya Vasilyev <kman...@gmail.com> wrote:
> >
> > Is caching implemented in the library or in the Market app?
> >
> > I am concerned about potential a...

Sebastian Rodriguez

Jul 27, 2010, 4:24:39 PM
to android-d...@googlegroups.com
I agree with Anton Persson. When will Google realize that opening the paid market to all the other countries is crucial for the market environment :(
We don't have access to them here in Singapore either.

But this is a major step already, let's hope for even better!

Seb


--
Sebastien Rodriguez

sblantipodi

Jul 27, 2010, 5:44:46 PM
to Android Developers
I haven't understood if using this library external obfuscation
(proguard for example) is needed
for security reason or if we can avoid using external obfuscator, it's
quite a pain using proguard in netbeans plus android sdk.

On Jul 27, 10:24 pm, Sebastian Rodriguez <srodrig...@gmail.com> wrote:
> I agree with Anton Persson. When will Google realize that opening the paid
> market to all the other countries is crucial for the market environment :(
> We don't have access to them here in Singapore either.
>
> But this is a major step already, let's hope for even better!
>
> Seb

Stephen Lebed

Jul 28, 2010, 1:36:43 AM
to Android Developers
I just wanted to say a big thank you!

Stephen


On Jul 27, 10:55 am, Trevor Johns <trevorjo...@google.com> wrote:
> Android fans,
> For those of you who haven't already heard through our blog, we've
> just launched the Android Market licensing service:
>
> http://android-developers.blogspot.com/2010/07/licensing-service-for-...

William Ferguson

Jul 28, 2010, 3:23:21 AM
to Android Developers
ProGuard obfuscates your compiled code.
The Obfuscator referred to in the Licensing Server doc obfuscates
licensing info retrieved from AppMarket.

MrChaz

Jul 28, 2010, 4:33:33 AM
to Android Developers
Great stuff,

I'll certainly be implementing this as soon as I can.

Thanks :)

On Jul 27, 6:55 pm, Trevor Johns <trevorjo...@google.com> wrote:
> Android fans,
> For those of you who haven't already heard through our blog, we've
> just launched the Android Market licensing service:
>
> http://android-developers.blogspot.com/2010/07/licensing-service-for-...

Mark Carter

Jul 28, 2010, 4:34:21 AM
to Android Developers
I'm getting NOT_MARKET_MANAGED when using my own gmail account on my
N1 and using "Respond normally". The app is a paid app on the Android
Market. The only difference could be the app signature (I'm debugging
so not doing production signing). My gmail account was used to publish
the app and I have not purchased the app with it.

The other settings like "LICENSED" and "NOT LICENSED" work fine.

Another point (though a minor one) is that it's very slow (when it
actually makes the connection). More than 5 secs on my wifi
connection. Is this normal?


Mark Carter

Jul 28, 2010, 4:40:36 AM
to Android Developers
Seems that this call in AESObfuscator is taking a few seconds:

SecretKey tmp = factory.generateSecret(keySpec);

dra...@gmail.com

Jul 28, 2010, 5:11:20 AM
to Android Developers
Really required in the Republic of Ireland too, Android devices are
getting quite popular here and the time has come to open the paid
market

On Jul 27, 9:24 pm, Sebastian Rodriguez <srodrig...@gmail.com> wrote:
> I agree with Anton Persson. When will Google realize that opening the paid
> market to all the other countries is crucial for the market environment :(
> We don't have access to them here in Singapore either.
>
> But this is a major step already, let's hope for even better!
>
> Seb

Mark Carter

Jul 28, 2010, 5:32:15 AM
to Android Developers
Ok, just figured this out. The version code of the app I was testing was not one that was recognised by the Android Market. So, it is the combination of package name and version code that needs to have been published.

It's sort of explained in line 2317 of the docs :)

"Once an application is uploaded and becomes known to the licensing server, developers and testers can continue modify the application in their local development environment, without having to upload new versions. You only need to upload a new version if the local application increments the versionCode attribute in the manifest file."

Tomáš Hubálek

Jul 28, 2010, 5:44:57 AM
to Android Developers
Please open Android Market to more countries. This is really cool
feature but currently useless for me.

And also I would be happy to use this for in-app purchase if possible.

Tom

On 28 Jul, 11:32, Mark Carter <mjc1...@googlemail.com> wrote:
> Ok, just figured this out. The version code of the app I was testing was not
> one that was recognised by the Android Market. So, it is the combination of
> package name and version code that needs to have been published.
>
> It's sort of explained in line 2317 of the docs :)
>
> "Once an application is uploaded and becomes known to the licensing server,
> developers and testers can continue modify the application in their local
> development environment, without having to upload new versions. You only
> need to upload a new version if the local application increments the
> versionCode attribute in the manifest file."
>

sblantipodi

Jul 28, 2010, 7:44:50 AM
to Android Developers
Hi all...
When you bought my software you bought a license, this license can be
ported from android to other platform like Symbian, Winmob, bada,
JavaME, Blackberry...

Every customer who bought my license is registered on our database
(email address and device id);
this lets me generate a new activation code in case he wants to switch
the license from android to xx platform.

Is there an easy way to update my database when a customer bought my
software with the email address and device id of the customer who
bought the software or legally activated it?

Thanks.

gcstang

Jul 28, 2010, 9:37:05 AM
to Android Developers
Excellent!

Thank you

Joseph Earl

Jul 28, 2010, 12:01:37 PM
to Android Developers
Not with this system as far as I'm aware - users will have to purchase
a new license when changing to a phone running a different OS.
You'll have to continue using your own system if you want this kind of
functionality.

Joseph Earl

Jul 28, 2010, 12:24:47 PM
to Android Developers
Any chance you guys are working on a solution for large applications that
will work across Android 1.5-2.1?
Currently the only secure way of doing it is by targeting Froyo only
(using 8 as minSdkVersion) - however it will be at least a year, more
likely 3, before this is an acceptable solution to present to my clients
as they obviously want to target as large a market share as possible.

It seems to me this could be one of the big reasons that we don't see
many major games producers on the Android market.

The problems with the current system are:
1) Developer must provide web-server for the files and pay relevant
hosting and bandwidth charges. This is not workable for small
developers if the application is very large (100MBs) and popular as a
developer must shoulder all associated costs.
2) Users have to go through a second download process after installing
the app.
3) There is no security on the data stored on the SD card unless the
files are manually obfuscated or encrypted.

On Jul 27, 6:55 pm, Trevor Johns <trevorjo...@google.com> wrote:
> Android fans,
> For those of you who haven't already heard through our blog, we've
> just launched the Android Market licensing service:
>
> http://android-developers.blogspot.com/2010/07/licensing-service-for-...

sblantipodi

Jul 28, 2010, 12:49:50 PM
to Android Developers
Joseph thanks for your reply, using my own system means that I can't
sell my software on the market.
Am I right?

Joseph Earl

Jul 28, 2010, 1:33:32 PM
to Android Developers
Not necessarily.
Rather than force users to go to your site to purchase a license code/
key, you'd need to allow users to purchase from Android Market as
usual, and then ask them to enter the Google Checkout code when the
app first launches.
Your own system can then deal with verifying the Checkout code.

For app stores for other platforms you'd use their transaction codes
as well.
Once you've verified a platform-specific code you can always generate
your own one valid for all platforms and give it to the user to use if
they install your app on other platforms (or you could just let them
enter codes from any app-store on a device on any platform - e.g. a
user could enter a Google Checkout code on their iPhone if they had
first purchased from Android Market).

However yours is a very complicated approach to licensing - since you
allow your application to be installed on multiple platforms you need
to have a max limit on how many devices the user can have it installed
concurrently and also provide facilities to activate and de-activate
the license on each device, otherwise all you are validating is the
checkout code/serial key.
Since a user can just post this online, for most developers validation
of a code/key alone is not enough since the same key could be used
across 10,000 devices.

You should be thinking along the lines of something like the approach
iTunes uses for protected music with the ability to register and un-
register devices from a single account.

Trevor Johns

Jul 28, 2010, 5:44:10 PM
to android-d...@googlegroups.com
A third-party obfuscator is not strictly required, but it certainly adds an additional level of security. We even mention it in our developer docs:

The LVL provides a full Obfuscator implementation called AESObfuscator that uses AES encryption to obfuscate data. You can use AESObfuscator in your application without modification or you can adapt it to your needs. For more information, see the next section.

Alternatively, you can write a custom Obfuscator based on your own code or use an obfuscator program such as ProGuard for additional security.

-- 
Trevor Johns
Google Developer Programs, Android

Zsolt Vasvari

Jul 28, 2010, 7:48:23 PM
to Android Developers
I just posted my thoughts on the integration process in a separate
thread on this forum, as I didn't want to hijack this one. It might
be an interesting read for some people:

http://groups.google.com/group/android-developers/browse_thread/thread/d54f65beff467b26#

sblantipodi

Jul 29, 2010, 12:16:25 PM
to Android Developers
With the new LVL we can have only one build for Free trial and for
Full version,
it's really "find your adjectives" that we need to upload two
identical copies of the same software with different package name,
don't you think?



On Jul 28, 6:01 pm, Joseph Earl <joseph.w.e...@gmail.com> wrote:

Pent

Jul 30, 2010, 11:24:40 AM
to Android Developers
Building with eclipse it seems OK, but via Ant I get:

I/LicenseChecker( 2115): Binding to licensing service.
E/LicenseChecker( 2115): Could not bind to service.
W/ActivityManager( 85): Unable to start service Intent { act=av }:
not found

Any hints ?

Pent

sblantipodi

Jul 30, 2010, 1:10:18 PM
to Android Developers

Xavier Ducrohet

Jul 30, 2010, 1:41:08 PM
to android-d...@googlegroups.com
If you are using an emulator, make sure you use the "Google APIs"
add-on for API 8 (2.2) in revision 2.

Instructions for the setup:
http://developer.android.com/guide/publishing/licensing.html#acct-signin


--
Xavier Ducrohet
Android SDK Tech Lead
Google Inc.

Please do not send me questions directly. Thanks!

Indicator Veritatis

Jul 30, 2010, 1:50:04 PM
to Android Developers
Now don't get me wrong, I am sure Google did a better job of it than
ARM did, but I learned to hate licensing servers from the bitter
experience of using ARM's licensing server for their development
tools. We had continual problems with false negatives, i.e, the
program refused to run because it could not get validation from the
license server, but the server was running and the network was
working.

Also, I hesitate to impose a requirement of network connectivity on my
users whenever they want to run my apps. But for apps that have to
presume connectivity anyway, this is a much better solution than copy-
protection.

Dianne Hackborn

Jul 30, 2010, 3:01:35 PM
to android-d...@googlegroups.com
On Wed, Jul 28, 2010 at 9:24 AM, Joseph Earl <joseph...@gmail.com> wrote:
> Any chance you guys are working on a solution for large applications that
> will work across Android 1.5-2.1?

No, those platforms already exist; it would make no sense to modify them to support new features.

> Currently the only secure way of doing it is by targeting Froyo only
> (using 8 as minSdkVersion) - however it will be at least a year, more
> likely 3, before this is an acceptable solution to present to my clients
> as they obviously want to target as large a market share as possible.

You don't need to use minSdkVersion; you should use targetSdkVersion to say you are Froyo compatible, and devices on 2.2 and up can install it on the SD card.  This doesn't make you incompatible with older platforms.  (In fact you don't need to do that -- you can set min/target SDK to whatever you want, and just need to compile against the 2.2 SDK so you can use the new manifest attribute.)

> 3) There is no security on the data stored on the SD card unless the
> files are manually obfuscated or encrypted.

Putting an app on SD card with 2.2 doesn't prevent others from reading it.  In fact, as the announcement about the licensing server says, we are moving completely away from forward-locking (read-protecting) apps.

If apps feel the need to protect their data, they can encrypt it themselves.

--
Dianne Hackborn
Android framework engineer
hac...@android.com

Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails.  All such questions should be posted on public forums, where I and others can see and answer them.

Shane Isbell

Jul 30, 2010, 3:08:48 PM
to android-d...@googlegroups.com
On Fri, Jul 30, 2010 at 12:01 PM, Dianne Hackborn <hac...@android.com> wrote:
> On Wed, Jul 28, 2010 at 9:24 AM, Joseph Earl <joseph...@gmail.com> wrote:
> > Any chance you guys are working on a solution for large applications that
> > will work across Android 1.5-2.1?
>
> No, those platforms already exist; it would make no sense to modify them to support new features.
>
> > Currently the only secure way of doing it is by targeting Froyo only
> > (using 8 as minSdkVersion) - however it will be at least a year, more
> > likely 3, before this is an acceptable solution to present to my clients
> > as they obviously want to target as large a market share as possible.
>
> You don't need to use minSdkVersion; you should use targetSdkVersion to say you are Froyo compatible, and devices on 2.2 and up can install it on the SD card.  This doesn't make you incompatible with older platforms.  (In fact you don't need to do that -- you can set min/target SDK to whatever you want, and just need to compile against the 2.2 SDK so you can use the new manifest attribute.)
>
> > 3) There is no security on the data stored on the SD card unless the
> > files are manually obfuscated or encrypted.
>
> Putting an app on SD card with 2.2 doesn't prevent others from reading it.  In fact, as the announcement about the licensing server says, we are moving completely away from forward-locking (read-protecting) apps.
>
> If apps feel the need to protect their data, they can encrypt it themselves.

Does this mean that apps installed on SD card are not going to be able to store private data (Context.MODE_PRIVATE) on device?

--
Shane Isbell (Founder of ZappMarket)
http://apps.facebook.com/zappmarket/

Mark Murphy

Jul 30, 2010, 3:13:58 PM
to android-d...@googlegroups.com
On Fri, Jul 30, 2010 at 3:08 PM, Shane Isbell <shane....@gmail.com> wrote:
> Does this mean that apps installed on SD card are not going to be able to
> store private data (Context.MODE_PRIVATE) on device?

AFAIK, the app's local files (e.g., getFilesDir()) are still in the
on-board flash, not on the SD card, even if the app is installed to
the SD card.

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

_Android Programming Tutorials_ Version 2.9 Available!

Dianne Hackborn

Jul 30, 2010, 3:21:38 PM
to android-d...@googlegroups.com
On Fri, Jul 30, 2010 at 12:08 PM, Shane Isbell <shane....@gmail.com> wrote:
> Does this mean that apps installed on SD card are not going to be able to store private data (Context.MODE_PRIVATE) on device?

No, that is a totally different thing.  All installed apps have a private data directory, non-forward-locked, forward-locked, on-sd, or whatever else.

Pent

Jul 31, 2010, 6:12:11 AM
to Android Developers
It was the obfuscation messing up this line in LicenseChecker:

new Intent(ILicensingService.class.getName()),

I changed this to

new Intent(ILicensingService.Stub.getDescriptor()),

and added a corresponding static function in ILicensingService.

Since the docs recommend obfuscation, I think the googlers should
change that line.

Haven't finished testing yet but this has at least fixed the 'can't
bind' problem.

Pent

skooter500

Jul 31, 2010, 1:56:18 PM
to Android Developers
This sounds great, but is completely useless to me as I'm in Ireland
and no paid apps available to my potential users, so I've gone ahead
and made my own user registration and payment system based around
PayPal. A complete waste of my time, but what can ya do?

From Reto Meier:

"Unfortunately I can't give you a time-frame for paid app buyer or
seller support for Ireland either. The team working on that side of
things have a lot on their plates so getting even a rough estimate for
any specific country is near impossible."

Interesting that Apple, Microsoft, Paypal, Nokia etc can manage this
but Google can't even give me a date when it might be available. Not
very professional. :-(

Bryan

On Jul 27, 7:39 pm, Anton Persson <don.juan...@gmail.com> wrote:
> That, and the ability for folks to actually access the paid-for apps...
>
> Sweden, like probably many countries still, have no access to the paid
> apps... When will Google understand that this is critical for them to keep
> the momentum? If the status quo persists, people we give up, pack their bags
> and spend their money on iFruits instead...
>
>     Regards
>        Anton
>
> On Tue, Jul 27, 2010 at 8:25 PM, Maps.Huge.Info (Maps API Guru) <
>
> cor...@gmail.com> wrote:
> > Excellent! Now all we need is a subscription payment model and we can
> > actually make some money!
>
> > -John Coryat

keyeslabs

Jul 31, 2010, 5:21:41 PM
to Android Developers
Speaking as someone who has traveled this road before with my own
implementation of basically the same approach, obfuscation will be
critical. With AAL, it took about three days for someone to crack the
app. The process looks something like this: decompile the apk using
a freely available open source tool, find the code that invokes the
licensing check, skip it, recompile and repackage the apk.
Obfuscation will make this more difficult, but not all that tough
given the usage of intents for communication between LVL and the
market tool.

Don't get me wrong, I think that LVL will offer a much needed road
bump for pirates -- stealing apps will actually require a crack of
each app. This is a viable approach to license verification and
that's why I took the same route with AAL months ago. It certainly
seems like google could have gone further though.

The coverage of this has been very extensive in the press, and I would
guess the coverage of the first released crack within a week or two
will also make a fairly big splash, which won't look great for the
platform.

All told though, I think LVL is a positive step for the platform.
Speaking as someone that was seeing 90%+ piracy rates before
implementing something very similar to LVL in my own apps, I'm happy
to see google addressing the problem.

Dave Keyes




On Jul 27, 5:44 pm, sblantipodi <perini.dav...@dpsoftware.org> wrote:
> I haven't understood if using this library external obfuscation
> (proguard for example) is needed
> for security reason or if we can avoid using external obfuscator, it's
> quite a pain using proguard in netbeans plus android sdk.
>
> On Jul 27, 10:24 pm, Sebastian Rodriguez <srodrig...@gmail.com> wrote:
>
>
>
> > I agree with Anton Persson. When will Google realize that opening the paid
> > market to all the other countries is crucial for the market environment :(
> > We don't have access to them here in Singapore either.
>
> > But this is a major step already, let's hope for even better!
>
> > Seb
>
> > On 28 July 2010 04:19, Kaj Bjurman <kaj.bjur...@gmail.com> wrote:
>
> > > I saw that entry, and have a question.
>
> > > What will happen if the user doesn't have network connectivity? Many
> > > users turn off data traffic when they travel to other countries, but
> > > they probably still want to use the licensed applications.
>
> > > On 27 Juli, 19:55, Trevor Johns <trevorjo...@google.com> wrote:
> > > > Android fans,
> > > > For those of you who haven't already heard through our blog, we've
> > > > just launched the Android Market licensing service:
>
> > > >http://android-developers.blogspot.com/2010/07/licensing-service-for-...
>
> > > > From the above blog post:
>
> > > > "This simple and free service provides a secure mechanism to manage
> > > > access to all Android Market paid applications targeting Android 1.5
> > > > or higher. At run time, with the inclusion of a set of libraries
> > > > provided by us, your application can query the Android Market
> > > > licensing server to determine the license status of your users. It
> > > > returns information on whether your users are authorized to use the
> > > > app based on stored sales records."
>
> > > > Developer documentation is available here:
>
> > > >http://developer.android.com/guide/publishing/licensing.html
>
> > > > Happy coding!
>
> > > > --
> > > > Trevor Johns
> > > > Google Developer Programs, Android
> > > > http://developer.android.com
>
> > --
> > Sebastien Rodriguez

sblantipodi

Aug 1, 2010, 4:06:29 AM
to Android Developers
I will bump that thread
http://groups.google.com/group/android-developers/browse_thread/thread/97e2ba40f258f21b
until I get a reply.

Thanks :)

Quintin Willison

Jul 30, 2010, 8:18:03 AM
to Android Developers
Just noticed this. Excellent news! Thanks.
Now to find some time to explore it... :)

James W

Aug 2, 2010, 4:00:20 AM
to Android Developers
Yes absolutely.

Not really the ideal place to vent, but the delay in rolling out to
other countries is beyond ridiculous and incredibly frustrating.

It has got to be self defeating also.

I moved from England to Hong Kong, so now I cannot buy apps, I cannot
sell my apps, because HK is not supported.

What the hell are you playing at, Google? Don't you want my money?
Don't you want 30% of my take?

Do you really want me to leave in frustration, and develop for the
iPhone?

James

Mark Carter

Aug 2, 2010, 4:10:31 AM
to android-developers
AFAIK, whether you can sell apps or not is dictated by the country of your Google Developer account.

So if your Google Developer account (or is that Google account?) is registered in the UK, you can move to HK and still sell paid apps.


Zsolt Vasvari

Aug 2, 2010, 7:45:20 PM
to Android Developers
I can confirm that. If you are a resident of a country where you can
sell your apps from, meaning you have an address and a bank account,
you can still sell apps. It's not like Google is checking your IP
address when you are uploading your app.

On Aug 2, 4:10 pm, Mark Carter <mjc1...@googlemail.com> wrote:
> AFAIK, whether you can sell apps or not is dictated by the country of your
> Google Developer account.
>
> So if your Google Developer account (or is that Google account?) is
> registered in the UK, you can move to HK and still sell paid apps.

James W

Aug 3, 2010, 5:17:44 AM
to Android Developers
Thanks, guys. Of course, my UK bank accounts are currently pointing to
my HK address, but I guess I could change them back, or open another
UK based account.

Anyway, I will let my vent stand on behalf of everyone else in the
world who doesn't have that option!

Hate to say it, but if Apple can do it, why can't Google...?

Tomáš Hubálek

Aug 3, 2010, 5:32:09 AM
to android-d...@googlegroups.com
On Tue, Aug 3, 2010 at 11:17 AM, James W <jpbwe...@gmail.com> wrote:

> Hate to say it, but if Apple can do it, why can't Google...?


Google don't want?

Tom 

Mark Carter

Aug 3, 2010, 5:33:59 AM
to Android Developers
On a slightly different note - in case anyone was wondering...if a
user has paid for an app and then inserts a sim card from a non-paid
app country (so that he can no longer see paid apps on the Market),
the LVL still correctly returns that the user is licensed. I was
expecting this, but it's good to know for sure...

Can anyone else double-check this?

I know quite a few users who temporarily insert sim cards to pay for
paid apps, and then immediately afterwards revert back to their non-
paid app sim cards.

andreas...@googlemail.com

Aug 3, 2010, 6:37:09 AM
to Android Developers
On Jul 31, 11:21 pm, keyeslabs <keyes...@gmail.com> wrote:
> ... someone to crack the
> app.  The process looks something like this:  decompile the apk using
> a freely available open source tool, find the code that invokes the
> licensing check, skip it, recompile and repackage the apk.

Isn't there a much simpler way to circumvent the whole thing due to
a security leak in the LVL process? (Please tell me I'm wrong!):

1) create a new google account, e. g. my.w...@googlemail.com
2) switch your Android phone to this account
3) Buy app, copy apk, request refund
4) Upload apk to warez server
5) Sell google account and password to interested downloaders. (e. g.
at a 50% discount compared to the original market price).

The reason for this is that the license check is google-account-based,
not device-based. Any device being linked to the google account the
app has been purchased with will run the app. The licensing mechanism
will change nothing in this behaviour.

Andreas

Mark Carter

Aug 3, 2010, 6:43:25 AM
to android-developers
As soon as you request a refund then the license server will return NOT_LICENSED for that Google account.


Trevor Johns

Aug 3, 2010, 10:25:57 PM
to android-d...@googlegroups.com
And even if you skip the "request refund" step, we'll see a large number of license checks for a single account in our logs.

So, not only can we disable that account, but we'll also know who was responsible. :P

-- 
Trevor Johns
Google Developer Programs, Android
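
The log-side check described in the message above, sketched as an added example (not part of the thread and not Google's code): it flags an account whose license checks for one package arrive from many distinct devices within a short window. The log layout, field names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the field layout is an assumption, not Google's log format.
SAMPLE_LOG = """\
2010-08-03T10:00:00 account=shared device=d10 pkg=com.example.app result=LICENSED
2010-08-03T10:20:00 account=shared device=d11 pkg=com.example.app result=LICENSED
2010-08-03T11:00:00 account=shared device=d12 pkg=com.example.app result=LICENSED
2010-08-03T12:30:00 account=shared device=d13 pkg=com.example.app result=LICENSED
2010-06-01T08:00:00 account=bob device=d20 pkg=com.example.app result=LICENSED
2010-06-20T08:00:00 account=bob device=d21 pkg=com.example.app result=LICENSED
2010-07-10T08:00:00 account=bob device=d22 pkg=com.example.app result=LICENSED
2010-08-01T08:00:00 account=bob device=d23 pkg=com.example.app result=LICENSED
truncated line without fields
"""

def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if malformed."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except (ValueError, IndexError):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"account", "device", "pkg"} <= fields.keys():
        return None
    return ts, fields

def shared_accounts(log_text, max_devices=3, window=timedelta(hours=24)):
    """Map (account, pkg) to the peak number of distinct devices seen in any
    sliding window, for pairs where that peak exceeds max_devices."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, f = parsed
            events[(f["account"], f["pkg"])].append((ts, f["device"]))
    flagged = {}
    for key, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop checks that fell out of the window
            devices = {d for _, d in seen[start:end + 1]}
            if len(devices) > max_devices:
                flagged[key] = max(flagged.get(key, 0), len(devices))
    return flagged
```

The window matters: the constructed `bob` account also uses four devices, but spread over two months, so it is only flagged when the window is widened far enough to cover ordinary device replacement.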

Mike Hearn

Aug 4, 2010, 11:37:17 AM
to Android Developers
On Jul 31, 11:21 pm, keyeslabs <keyes...@gmail.com> wrote:
> Speaking as someone who has traveled this road before with my own
> implementation of basically the same approach, obfuscation will be
> critical.  With AAL, it took about three days for someone to crack the
> app.

There are various ways to make this harder. I suggest reading Nate
Lawson's blog entries on the topic for an introduction:

http://rdist.root.org/2007/03/26/building-a-mesh-versus-a-chain/
http://rdist.root.org/2007/04/09/mesh-design-pattern-hash-and-decrypt/
http://rdist.root.org/2007/04/24/anti-debugging-techniques-of-the-past/
http://rdist.root.org/2007/04/19/anti-debugger-techniques-are-overrated/
http://rdist.root.org/2007/08/21/mesh-design-pattern-error-correction/
http://rdist.root.org/2007/10/05/c64-screen-memory-and-anti-debugging/
http://rdist.root.org/2008/04/11/designing-and-attacking-drm-talk-slides/

Android is a slightly different environment than traditional operating
systems in which obfuscation and anti-debugging techniques are highly
evolved, but then again, the monetary value of the apps is lower, so
you don't necessarily have to be as good as some of the really
professional copy protection schemes.

On the other hand, naive straightforward usage of the LVL won't prove
much of a barrier to attackers who want to pirate your app either. The
suggestion to use ProGuard is a good first step, but ProGuard is
ultimately just an optimizing compiler, not a professional obfuscator.

If you wish to go beyond ProGuard, you might want to check out
commercial obfuscators like Allatori. I've used it - it was easy to
set up and produced pretty reasonable output.

However, pure Java level obfuscators will never prove a big challenge
to a skilled adversary - Java bytecode is just too limited to make
obfuscation easy.

A common technique in the PC world is to set up an interpreted
environment that runs encrypted machine code, and then do part of your
protection logic in this environment. It works well for a variety of
reasons.

If time, energy etc. weren't an issue and I decided to build a better
general purpose LVL/copy protect framework, I'd probably reimplement
the LVL checking code in C++, compile it to MIPS and then ship a
modified MIPS interpreter with the app that runs the protection logic
there. Other than confusing attackers by breaking decompilers/
disassemblers, the interpreter can use in-loop decryption so only the
currently executing opcode is in the clear, in memory. Ideally the key
would be a function of the licensing server responses, ie, not
available in the source code, but rather derived from the expected
environment.

There are lots more techniques that can be used with such a design to
make cracking the app harder. Nate's blog entries discuss some, like
turbo codes.

Sufficiently strong obfuscation on the apps will push attackers
towards scamming the licensing servers rather than cracking each app
individually, eg by making them think you're authenticating from the
original device. However that's Google's problem to solve, not yours.

mp6800

Aug 4, 2010, 8:16:02 PM
to Android Developers
Will there eventually be a way to obfuscate automatically during .apk
export in Eclipse? The ant method looks relatively easy to set up, but
I'd like to know if this is coming. (Especially since it's /strongly
recommended/ in the docs)

gb105

Aug 6, 2010, 2:29:36 PM
to Android Developers
As stated earlier obfuscating the app doesn't help much. It's easy to
find the license check in the byte code and change it, so the app is
not really protected. There is still much work left for the developer
to find a solution to prevent the app from working if it is not signed
with the original developer's key. The licensing solution does not
prevent rip-offs, I'm a bit disappointed.

mp6800

Aug 8, 2010, 5:20:01 PM
to Android Developers
Perhaps, but you didn't answer my question. Anybody else?

Also, in the included sample app, the license check is triggered
during onCreate. This means that when I click "Buy App", go to the
market, then immediately hit the back button, it goes back to the app
and doesn't check again (at least not until the app is killed).
Wouldn't it be better to trigger the license check during onResume?
Or is it up to the dev to handle things when coming to the forefront
again?

Feelsocial

Aug 21, 2010, 4:15:49 AM
to Android Developers
Hi all,

I am facing a problem with the licensing of my old published paid apps.
Basically, I have a paid app which is published with version code 1. I
implemented the license code in it, and it is working fine for me. The
licensing server gives the response to allow use of the app. But once I
changed the version code from 1 to 2 in the manifest file, the licensing
service does not allow use of the app. The server gives the response
"don't allow". I don't understand why it has a relation with the version
code. I can't publish the updated version???

Moreover, I am already logged in to my publisher account, and I have the
setting LICENSED in the edit profile section.

Can anybody help me?...... Helppppp

On Jul 28, 1:19 am, Kaj Bjurman <kaj.bjur...@gmail.com> wrote:
> I saw that entry, and have a question.
>
> What will happen if the user doesn't have network connectivity? Many
> users turn off data traffic when they travel to other countries, but
> they probably still want to use the licensed applications.
>
> On 27 Juli, 19:55, Trevor Johns <trevorjo...@google.com> wrote:
>
> > Android fans,
> > For those of you who haven't already heard through our blog, we've
> > just launched the Android Market licensing service:
>
> > http://android-developers.blogspot.com/2010/07/licensing-service-for-...
>
> > From the above blog post:
>
> > "This simple and free service provides a secure mechanism to manage
> > access to all Android Market paid applications targeting Android 1.5
> > or higher. At run time, with the inclusion of a set of libraries
> > provided by us, your application can query the Android Market
> > licensing server to determine the license status of your users. It
> > returns information on whether your users are authorized to use the
> > app based on stored sales records."
>
> > Developer documentation is available here:
>
> > http://developer.android.com/guide/publishing/licensing.html
>
> > Happy coding!
>

String

Aug 21, 2010, 5:29:01 AM
to Android