On Mon, Aug 9, 2010 at 4:22 AM, String <[email protected]> wrote:

> So to return to the OP's question, it sounds as though defeating LVL
> by spoofing the ANDROID_ID would be possible on rooted devices?
>

It depends.  Ultimately the protocol requires that the app get a response
from the market server that it can confirm is signed by market itself, and
having root gives you no way to spoof that.  What having root does allow you
to do is play lots of games with what the app stores for remembering whether
it is licensed, since root lets you modify and touch everything going in the
local device which includes everything your app has stored.  So pirates
could all run devices with the same android id, and go through the apps and
plug in some known data that one person had gotten back from market that is
signed to confirm licensing and says it is for that android id.

I think this will end up a very problematic way to pirate though -- having a
bunch of people with the same android id is probably not going to be that
wonderful, and all apps need to do is have their license vary in some other
way to make this a lot less valuable.  For example, have it expire after
weeks of time (allowing the user to run it for a while after it has expired
until it has a chance to get a new license), mix in some other device
information that doesn't need to be immutable (just requires that you go
through the same process of getting a new license), etc.

One of the important things is that the easiest point of failure now -- the
data the app stores on device to remember whether it is allowed to run -- is
controlled by the app.  Apps can be as complex and strict as they want about
this, and the more variety there is in what apps do here the less attractive
it is as a target.

And also the biggest thing is that all of these attacks *do* require having
root, which is a small number of users.  This is a huge improvement from
forward locking where all you needed was one person to get root and thus
access the app, after which all users could run it.

This is always going to be a game of "how good is good enough."  You can't
absolutely prevent people from pirating.  It is now a lot harder, though,
and third party developers have a lot more control.  I would suggest
starting out fairly simple/conservative in what you do (since that by itself
will be a huge improvement from forward locking); if pirating starts
increasing, you can start taking more complicated measures in your app for
ensuring you are running licensed and/or obscure the license checks,
depending on how attacks are happening.

-- 
Dianne Hackborn
Android framework engineer
[email protected]

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.
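
Added example (not part of the original message, and not the licensing library's own code): one way an app could treat its cached license along the lines described above, accepting it only if the server signature verifies, it matches this device, and it is inside a validity window plus a grace period. The signed-data layout, the deviceMix value, the key handling and the 14-day/3-day windows are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.concurrent.TimeUnit;

// Added illustration: decide whether a cached, server-signed license is still usable.
public class CachedLicensePolicy {
    enum Decision { ALLOW, ALLOW_AND_REFRESH, REFRESH_REQUIRED }
    // Assumed policy values, not taken from the thread.
    static final long VALID_MS = TimeUnit.DAYS.toMillis(14);
    static final long GRACE_MS = TimeUnit.DAYS.toMillis(3);

    // Hypothetical signed layout: "androidId|deviceMix|issuedAtMillis". deviceMix is any
    // mutable device value the app sent with its request so the server signed over it.
    static Decision evaluate(PublicKey serverKey, String signedData, byte[] signature,
                             String androidId, String deviceMix, long nowMs)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(serverKey);
        v.update(signedData.getBytes(StandardCharsets.UTF_8));
        if (!v.verify(signature)) return Decision.REFRESH_REQUIRED; // cache was altered
        String[] f = signedData.split("\\|");
        if (f.length != 3 || !f[0].equals(androidId) || !f[1].equals(deviceMix))
            return Decision.REFRESH_REQUIRED; // issued for another device or device state
        long age;
        try { age = nowMs - Long.parseLong(f[2]); }
        catch (NumberFormatException e) { return Decision.REFRESH_REQUIRED; }
        if (age < 0) return Decision.REFRESH_REQUIRED;            // clock earlier than issue time
        if (age <= VALID_MS) return Decision.ALLOW;
        if (age <= VALID_MS + GRACE_MS) return Decision.ALLOW_AND_REFRESH; // run, re-check soon
        return Decision.REFRESH_REQUIRED;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the server's signing key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair server = g.generateKeyPair();
        PublicKey pub = server.getPublic();
        long issued = 1_281_312_000_000L;                         // constructed timestamp
        String data = "a1b2c3|build-42|" + issued;                // constructed identifiers
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(server.getPrivate());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        byte[] sig = s.sign();
        long day = TimeUnit.DAYS.toMillis(1);
        System.out.println(evaluate(pub, data, sig, "a1b2c3", "build-42", issued + 5 * day));
        System.out.println(evaluate(pub, data, sig, "a1b2c3", "build-42", issued + 15 * day));
        System.out.println(evaluate(pub, data, sig, "a1b2c3", "build-43", issued + 5 * day));
        System.out.println(evaluate(pub, data, sig, "a1b2c3", "build-42", issued + 30 * day));
    }
}
```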
