Android anti-piracy framework cracked, Google blames app devs

Android’s recently released anti-piracy framework has been cracked, allowing hackers to potentially use it to pirate applications from the Android Market, and Google is blaming developers for using it incorrectly.

The License Verification Library (LVL) was launched by Google towards the end of July aimed at protecting developers against unauthorised use of their applications. But less than a month later a gaping hole has been found that screams for a skull and crossbones flag to be planted in.

Android application developer Justin Case – birth name? – demonstrated how to break the library in a guide on Android Police, which also featured a video demonstration which we have included below. Case was keen to point out that his guide was “not written to teach people how to pirate”, that he is “very much against piracy”, and that he wants you to “support your developers, and pay for your apps.” Considering he is an app developer, that’s not too surprising.

Case showed how the LVL protections could be circumvented by using a patch that would trick the device into thinking validation checks have been passed, which ultimately allows pirating of Android applications without requiring users to root their phones.

The news has caused quite a stir among worried developers, prompting an official response from Google. Tim Bray, Developer Advocate at Google, defended the LVL on the Android Developer blog, saying that “the licensing service, while very young, is a significant step forward in terms of protection over the plain copy-protection facility that used to be the norm.”

Bray said that many developers are using the sample “as-is”, which he said makes their apps easier to attack. He then went on to blame the vulnerabilities on these app developers who “have neglected to obfuscate their code”, which he said Google strongly recommends all app developers to do. However, Case refuted this claim, saying that “automatic obfuscation does not do much to hinder a would-be cracker.” 

He said that the “Android Market is already a responsive, low-friction, safe way for developers to get their products to users. The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction.”

However, despite the vulnerability Case said that Google’s LVL is still “the best option for copy protection,” but qualified this by saying “we really need to see a better solution, such as checking the apk for alterations or ways to confirm an application was installed through official means.”