Securing Android LVL Applications
[This post is by Trevor Johns, who's a Developer Programs Engineer working on Android. — Tim Bray]
The Android Market licensing service is a powerful tool for protecting your applications against unauthorized use. The License Verification Library (LVL) is a key component. A determined attacker who’s willing to disassemble and reassemble code can eventually hack around the service; but application developers can make the hackers’ task immensely more difficult, to the point where it may simply not be worth their time.
Out of the box, the LVL protects against casual piracy; users who try to copy APKs directly from one device to another without purchasing the application. Here are some techniques to make things hard, even for technically skilled attackers who attempt to decompile your application and remove or disable LVL-related code.
-
You can obfuscate your application to make it difficult to reverse-engineer.
-
You can modify the licensing library itself to make it difficult to apply common cracking techniques.
-
You can make your application tamper-resistant.
-
You can offload license validation to a trusted server.
This can and should be done differently by each app developer. A guiding principle in the design of the licensing service is that attackers must be forced to crack each application individually, and unfortunately no client-side code can be made 100% secure. As a result, we depend on developers introducing additional complexity and heterogeneity into the license check code
