Android Developer Publishes LVL Workaround; Google Responds
In response to the Android community's concerns over Android application piracy, Google recently launched the Android Market License Verification Library (LVL) which is responsible for handling all of the licensing-related communication with the Android Market client and the licensing service. This tool queries Android Market at runtime, to obtain the licensing status for the current user, and then allows or disallows further use as appropriate. This means developers can apply a licensing policy on an application-by-application basis. Developers who wish to use the LVL must compile the library into their own applications.
However, earlier this week Android developer Justin Case published a workaround for breaking the Android Market LVL. The workaround included disassembling the Java bytecode of a Java application, leaving it more vulnerable to piracy.
Tim Bray has reacted to this post by pointing out that LVL is still in its early stages, and is currently more of a step towards a better protection service, than a complete security service in itself. Also, the sample implementation shipped with the first release, was intended as a “how to” for showing developers how to understand and modify the infrastructure. Thus, the sample implementation was not security-focused, and using the sample in the LVL will make applications easier to attack than if you wrote your own custom authentication check.
However, Tim Bray is pragmatic that even when run with a custom authentication check, there is a limit to how secure you can make your Android apps: “100% piracy protection is never possible in any system that runs third-party code, but the licensing server, when correctly implemented and customized for your app, is designed to dramatically increase the cost and difficulty of pirating.”
Justin Case has written a follow-up to Tim Bray's blog post, in which he calls the LVL a “great tool” and congratulates Google on their decision to open source the project. He then defends his decision to post the workaround, claiming it was intended to help Android app developers defend themselves, by pointing out the additional work that needs to be done to make LVL more secure. He acknowledges that he does use the sample provided by LVL in his workaround, but that if it isn't made clear, some developers will take Google's sample and create their custom library and implementation from it, potentially leaving their app open to piracy attacks. The sample code is freely available, leaving “ a clear picture of what the code was doing” for software pirates to leverage. Even worse, is the potential for developers to use this vulnerable implementation across multiple applications.
“All in all, the developers at Google have done a fantastic job with the Android Licensing Service. I am successfully using it in a commercial application and plan to continue using an implementation of it,” he concludes.