Android developer Justin Case has published a workaround for breaking the Android Market LVL, causing Tim Bray to point out that the workaround uses a very basic LVL sample.
In response to the Android community’s concerns over Android
application piracy, Google recently launched the Android Market
License Verification Library (LVL) which is
responsible for handling all of the licensing-related communication
with the Android Market client and the licensing service. This tool
queries Android Market at runtime, to obtain the licensing status
for the current user, and then allows or disallows further use as
appropriate. This means developers can apply a licensing policy on
an application-by-application basis. Developers who wish to use the
LVL must compile the library into their own applications.
However, earlier this week Android developer Justin Case
published a workaround for breaking the Android Market LVL. The
workaround included disassembling the Java bytecode of a Java
application, leaving it more vulnerable to piracy.
Tim Bray has reacted to this post by pointing out that LVL
is still in its early stages, and is currently more of a step
towards a better protection service, than a complete security
service in itself. Also, the sample implementation shipped with the
first release, was intended as a “how to” for showing developers
how to understand and modify the infrastructure. Thus, the sample
implementation was not security-focused, and using the sample in
the LVL will make applications easier to attack than if you wrote
your own custom authentication check.
However, Tim Bray is pragmatic that even when run with a custom
authentication check, there is a limit to how secure you can make
your Android apps: “100% piracy protection is never possible in any
system that runs third-party code, but the licensing server, when
correctly implemented and customized for your app, is designed to
dramatically increase the cost and difficulty of pirating.”
Justin Case has written a follow-up to Tim Bray’s blog post, in which he
calls the LVL a “great tool” and congratulates Google on their
decision to open source the project. He then defends his decision
to post the workaround, claiming it was intended to help Android
app developers defend themselves, by pointing out the additional
work that needs to be done to make LVL more secure. He acknowledges
that he does use the sample provided by LVL in his workaround, but
that if it isn’t made clear, some developers will take Google’s
sample and create their custom library and implementation from it,
potentially leaving their app open to piracy attacks. The sample
code is freely available, leaving “ a clear picture of what the
code was doing” for software pirates to leverage. Even worse, is
the potential for developers to use this vulnerable implementation
across multiple applications.
“All in all, the developers at Google have done a fantastic job
with the Android Licensing Service. I am successfully using it in a
commercial application and plan to continue using an implementation
of it,” he concludes.