
[GUIDE][IDEAS] Protecting your app from the main piracy circumvention methods

Quinny899

There are a few easy methods anyone could use to crack the protection of your app that you worked very hard on, and in the same way there are methods to stop this from happening as well.

The first one, the big one, is the app "Lucky Patcher". What this app does is patch the Dalvik files to tell the app that it's activated, even if the Play Store disagrees. There are two ways of protecting against this:

Implement a simple piece of code to check if Lucky Patcher is installed, and if it is, force the user to uninstall it (but by then it might be too late!).
Here's a sample piece of code that stops the user from opening the app if Lucky Patcher is installed and prompts them to uninstall it:
 
Code:
// Needs: android.app.AlertDialog, android.content.DialogInterface, android.content.Intent,
// android.content.pm.PackageInfo, android.content.pm.PackageManager.NameNotFoundException
public void checkLP() {
    android.content.pm.PackageManager mPm = getPackageManager();
    try {
        // Throws NameNotFoundException when the package is not installed
        PackageInfo info = mPm.getPackageInfo("com.chelpus.lackypatch", 0);
        if (info != null) {
            AlertDialog.Builder ad3 = new AlertDialog.Builder(this);

            // The dialog cannot be dismissed without pressing OK
            ad3.setCancelable(false);
            ad3.setTitle("Lucky Patcher");
            ad3.setMessage("I have detected the presence of the app 'Lucky Patcher', which could be used maliciously within this app. You need to uninstall it to continue");
            ad3.setPositiveButton("OK", new DialogInterface.OnClickListener() {

                @Override
                public void onClick(DialogInterface dialog, int which) {
                    // Hand over to the uninstall activity and close this one
                    startActivity(new Intent(MainActivity.this, LpUninstallActivity.class));
                    finish();
                }
            });

            AlertDialog alertDialog3 = ad3.create();
            alertDialog3.show();
        }
    } catch (NameNotFoundException e) {
        // Lucky Patcher is not installed, nothing to do
        return;
    }
}


Once you've implemented this code, call checkLP(); in your code where you need it, and add a UninstallLpActivity.class to respond to the user pressing OK, which uninstalls it (automatically if you have root, manually if you don't) and then returns the user to the main activity, at which point it checks again.

However, this will not always work. What happens if the user patches it and then uninstalls Lucky Patcher? What then? What about if they patched the apk itself?

That's where method 2 comes in.

For method 2, the alternative is to download an unpatched version of your app from the internet and install it on top, either automatically if you have root (which is recommended where possible) or manually, which could lead to you hitting issues with signatures.

I don't have the code for this one, but the best way is with RootTools to call a download normally and then use "pm install -r" to overwrite it. Note that Lucky Patcher also has a method that adds ODEX files to /data/app/ which you will want to remove also.



But I don't have a paid version, only IAPs, and people are using Freedom!
Freedom is a complex app that circumvents the Play Store and makes the app think it's been bought when it hasn't. There are two very similar and simple ways to stop Freedom working though, both of which need root (which is fine, because Freedom needs root anyway).

1.) Just stop Freedom, kill its service and hopefully stop it from working
Again, I recommend RootTools to make this easier.
When your activity with IAPs starts, call a command that runs the following:
Code:
pkill cc.cz.madkite.freedom
This will stop the Freedom app from running and hopefully stop the user from using it to crack purchases.

2.) The better, more permanent method, forcibly uninstall Freedom
Again, I recommend RootTools to make this easier.
In your class with IAPs, add the following code:
 
Code:
// Needs: android.app.AlertDialog, android.content.DialogInterface, android.content.Intent,
// android.content.pm.PackageInfo, android.content.pm.PackageManager.NameNotFoundException
public void checkFreedom() {
    android.content.pm.PackageManager mPm = getPackageManager();
    try {
        // Throws NameNotFoundException when the package is not installed
        PackageInfo info = mPm.getPackageInfo("cc.cz.madkite.freedom", 0);
        if (info != null) {
            AlertDialog.Builder ad3 = new AlertDialog.Builder(this);

            // The dialog cannot be dismissed without pressing OK
            ad3.setCancelable(false);
            ad3.setTitle("Freedom");
            ad3.setMessage("I have detected the presence of the app 'Freedom', which could be used maliciously within this section of the app. You need to uninstall it to continue");
            ad3.setPositiveButton("OK", new DialogInterface.OnClickListener() {

                @Override
                public void onClick(DialogInterface dialog, int which) {
                    // Hand over to the uninstall activity and close this one
                    startActivity(new Intent(IapActivity.this, FreedomUninstallActivity.class));
                    finish();
                }
            });

            AlertDialog alertDialog3 = ad3.create();
            alertDialog3.show();
        }
    } catch (NameNotFoundException e) {
        // Freedom is not installed, nothing to do
        return;
    }
}
And then call it where you want to with checkFreedom();
Similar to the Lucky Patcher one, you need a second class that uninstalls it. Mine is as simple as follows:

 
Code:
import java.io.IOException;
import java.util.concurrent.TimeoutException;

import android.app.Activity;
import android.app.ProgressDialog;
import android.content.Intent;
import android.os.Bundle;

import com.stericson.RootTools.*;
import com.stericson.RootTools.exceptions.RootDeniedException;
import com.stericson.RootTools.execution.CommandCapture;

public class FreedomUninstallActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Indeterminate progress dialog that the user cannot cancel
        ProgressDialog dialog =
                ProgressDialog.show(FreedomUninstallActivity.this, "", "Uninstalling Freedom...", true);
        dialog.setCancelable(false);

        // Uninstall the Freedom package through the package manager, as root
        CommandCapture command = new CommandCapture(0, "pm uninstall cc.cz.madkite.freedom");

        try {
            // Blocks until the root shell has finished running the command
            RootTools.getShell(true).add(command).waitForFinish();
        } catch (InterruptedException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (TimeoutException e) {
            e.printStackTrace();
        } catch (RootDeniedException e) {
            // The user refused the root request, so nothing was uninstalled
            e.printStackTrace();
        }

        // Close the dialog before leaving so the window is not leaked
        dialog.dismiss();

        // Return to the IAP activity, which runs checkFreedom() again
        startActivity(new Intent(this, IapActivity.class));
        finish();
    }
}
This uses root to uninstall it, which is easiest because the user cannot press cancel, then loops back around to check again to make sure it worked.

Finally, and most importantly, obfuscate.
Even the biggest pirates I've seen haven't ever tried to crack apps that use other methods and are obfuscated. Therefore, best practice where possible is to obfuscate, or even just run it from a remote server on a secure connection. ProGuard instructions are available here

Help! They still get past it
Use the good old methods of reporting then, try and keep the amount of people who are able to download it illegitimately to a minimum

Further ideas:
Improve the reinstall because of Lucky Patcher by just re-building the dex file - Looking into it

Further reading:
Android Developers site on best practices for in app billing

 
 
Quinny899
(Last edited by Quinny899; 22nd May 2013 at 06:27 PM.)
Quote:
Originally Posted by e3d View Post

I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?

if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?

If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.

You ever heard of ethics? I've never seen much worse ethics for programming.

you do not have to care about other apps on a system.

Isn't Freedom what linux is about?

*for all devs who want to use OP's "solution".

---------- Post added at 06:36 PM ---------- Previous post was at 06:28 PM ----------



Same here.
If you have root, use a system wide thing, don't support an app that incorporates piracy methods

And "why are you on a forum which allows freedom"
Read the goddamn rules, we don't allow that kind of stuff, it's warez and illegal

Also, I don't think you understand what I'm doing by uninstalling it here. I'm protecting my rights, not 'uninstalling a competitor' as you compare it to.

Meanwhile, I'm about to have a mod clean out this thread, including this post

 
 
superkoal
Quote:
Originally Posted by e3d View Post
I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?
if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?

If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.

You ever heard of ethics? I've never seen much worse ethics for programming.

you do not have to care about other apps on a system.

Isn't Freedom what linux is about?
How the hell did you guys get into developers forum?
Removing ads is illegal in the same way as pirating an entire app.

Quote:
Originally Posted by awaaas View Post
A simple apk can't install/replace system app? Google "Google Play Store Installer by Chelpus" and you'll be surprised...

And about the people awareness, what about "third-world" countries? Credit card is usually not available...
They want to buy, but they can't pay you. Now Google Indonesia is starting to offer payment by phone credit (only one carrier for now), and some of my friends are starting to buy games and apps if they like it (some apps are "tried" first though)
I specifically set prices very low in countries with less developed economy. I would even offer my app for free in some countries if google would let me.
 
SifJar
I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://forum.xda-developers.com/show...90&postcount=9

Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).

*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.
 
Quinny899
Quote:
Originally Posted by SifJar View Post
I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://forum.xda-developers.com/show...90&postcount=9

Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).

*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.
There's ways of checking if it uses the debug key, which I believe Lucky Patcher signs with, see here:
http://stackoverflow.com/questions/5...-app-signature

 
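The signing-certificate check raised in the two posts above, as an added example that is not code from anyone in this thread. The class name SignatureCheck and the EXPECTED_CERT_SHA256 constant are assumptions made for illustration; the constant is a placeholder you replace with the SHA-256 of your own release certificate. It also rejects the SDK's debug certificate, which is the check the Stack Overflow link refers to.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;

/** Added example: verifies that the installed APK still carries the developer's signing certificate. */
public final class SignatureCheck {

    // Placeholder (assumption): lowercase hex SHA-256 of your release certificate's DER bytes.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_YOUR_RELEASE_CERT_SHA256";

    // Subject of the certificate in the Android SDK's auto-generated debug keystore.
    private static final X500Principal DEBUG_DN =
            new X500Principal("CN=Android Debug,O=Android,C=US");

    private SignatureCheck() {}

    /** Returns true only if every signing certificate is the pinned release certificate. */
    public static boolean isSignedByDeveloper(Context context) {
        try {
            // GET_SIGNATURES is the flag available on the API levels this thread targets.
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            for (Signature signature : info.signatures) {
                byte[] der = signature.toByteArray();
                X509Certificate cert = (X509Certificate) factory.generateCertificate(
                        new ByteArrayInputStream(der));
                if (DEBUG_DN.equals(cert.getSubjectX500Principal())) {
                    return false; // re-signed with a debug key (also true for your own debug builds)
                }
                if (!EXPECTED_CERT_SHA256.equals(sha256Hex(der))) {
                    return false; // re-signed with a key that is not the pinned one
                }
            }
            return true;
        } catch (Exception e) {
            // Fail closed: an unreadable or unparsable signature counts as tampered.
            return false;
        }
    }

    /** Lowercase hex SHA-256 digest of the given bytes. */
    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }
}
```

Call isSignedByDeveloper(this) early, for example in onCreate, and treat a false result the same way as the Lucky Patcher check in the first post. The check lives in the same dex it protects, so a patcher can strip it too, which is why it works best alongside the obfuscation recommended there.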
 
m11kkaa
If your app is a game and it's completely native (unity3d, cocos2dx,...) you could do the following:
1) do license checks from within native code (.so file)
2) check signature of apk file from within native code and kill app if it's not valid
3) sign your native libraries and do self checks before execution to prevent people from editing asm code.
 
LiquidSolstice
Wow, some of you guys...

God forbid a developer expect that you compensate him/her for hard work on an application.

If it's worth it for you to go through the trouble of getting outside of the Play Store, cracking it, and sideloading it, clearly it's worth it to you enough to actually pay for it.

As usual with so many Android users, the self-entitlement complex is through the goddamn roof. I get it, being on a forum where you get such amazing aftermarket firmwares and modifications at no cost to you has really gone to your head; it makes you believe that all things Android should be cheap and free but that's really not how it works.

I don't buy the "I use Lucky Patcher to block ads" BS. If you want to block ads, there's a million different ways you can use a hosts file or an app that manages the host file to do that (especially if you're concerned with traffic, that's the ideal solution).

I get the criticism with the idea of removing another app, but I don't buy for even one second that anyone thinks they are justified in pirating the app; this is the mentality that spreads and becomes a huge problem. Many of you just don't see anything wrong in circumventing a payment/compensation system, citing all sorts of reasons that range from potentially/weakly relevant to stupidly shameless.

3 years ago when I first got my HTC Hero, I pirated an app called Slide Screen because it looked really cool but I didn't want to pay for it. On the forum where I got the apk, there was a post from the developer of the app pleading with people to consider actually buying the app because he had put in a ton of effort in to it and was just trying to earn back a little extra income from all his research and self-taught Java lessons.

After that, I completely stopped using pirated apps because I understood; the Play Store is a vicious cesspool that is FULL to the brim of absolute utter crap, especially the "My First Android App"-type applications. It's very hard to gain exposure and with reverse engineering, it's even harder to maintain a unique app because of how easy it is to just turn around and modify someone else's apk and then resell it. It doesn't help that (and this only seems to happen with Android users) Android users are incredibly ignorant of the platform and downrate a *free* app for not having an extravagantly complex addition as though they are entitled to it.

Many of you spend between $300 and $600 on these devices, and many of you pay $50+ a month for a plan to go with them. Is it really so much for you to consider to spend what many call "a cheap fastfood lunch" on an app that you enjoy using, find useful, and get lifetime updates for?


Sadly, XDA users of today are completely unaware of what the "free" in "Freedom of linux" means. Gratis != libre. The freedom that linux brings to the masses is not as in free beer but free speech.

You all need to check your self-entitlement complex, it's clearly outgrown your sense of morality and logic.
 
LiquidSolstice
Quote:
Originally Posted by S.D.Richards View Post
And thus you would violate the Play Store rules, since it's not allowed to alter or interfere with other apps to keep them from working as intended
That applies to other apps that are installed from the Play Store. Last I checked, Lucky Patcher isn't from the Play Store.
 
zelendel
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you can't buy the app then don't. It doesn't matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?


I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you don't like it then too bad. Feel free not to use it.

Now Get this thread back on topic and that is idea to help protect their apps.





 
Vinchenzop
Quote:
Originally Posted by S.D.Richards View Post
I NEVER said it is right, on the contrary, I always take measure as good as possible if someone violates the license of my projects(looking at you bigbad router maker). But what's right/wrong doesn't matter as long as people are doing it anyway and you can't stop it.

Under your US laws drugs are illegal, well in most states, but still people get and take them. You spend billions to fight it and it did nothing except for a few dead people who quickly get replaced. It's the same with piracy, shot down one site, at least two will spawn out of the ashes. It's not right, mostly not even from a moral standpoint, but it's done anyway.

It's a fact of life, unfortunately today, the same as death. One might not like it that a loved one dies, but with current tech, it can't be stopped, so one has to cope with it.

Again, I don't want devs to stop whatever they are trying to achieve with anti-copy stuff, I just want to help them understand that there are more reasons to piracy than just not wanting to pay. I don't pirate apps, I use free ones or get licenses for free, f.e. in exchange for my translation work. I'm in the lucky situation that I've got the money to spend, but I'm not breaking my own rules for it, either I pay, look for alternatives or if I really need it and can, do it myself. But there are people worse off than me, having money but Google doesn't even offer to buy in their country or having no money at all. Look at f.e. Africa, many people there have practically no money, but they do have smartphones. Why? Because the EU and the US ship outdated models there to help them get educated. If people pirate an app there, it might have significant positive impact on their lives, maybe it helps them get a paid job and maybe they'll thank you in the future by buying your stuff, sending you a picture of their child or whatnot - as long as you don't actively lose money on them because they are using your bandwidth, I just don't see where the big problem is - a $/€ for a dev in the western world makes practically no difference, a pirated 1$ dictionary on the other hand can make a huge difference for someone in an evolving country.

Life isn't about money, even if advertisers want to sell you that huge car. It's about surviving and taking care of others and that doesn't mean just the one close to you. The world is so big and the possibilities are endless, with a small chance, some kid from India could pirate your app, educate himself using it and in the future become the single doctor who can cure your kid's cancer or whatnot. Isn't that a picture worth thinking about? The chances are slim, but it's possible.
The issue that I have with your 3rd world possibility, is that there are many apps made for free by volunteers to assist in the aid of the less fortunate members of deprived communities/countries. These unfortunate people aren't in a position to have internet access, so these second-hand devices are given, pre-loaded with educational software. They don't have access to the PlayStore, or any other site that would even give them the possibility of piracy.

While the message behind your post may pull on the heart-strings of others, it is a flawed story that is full of holes. While life isn't about money, someone expecting to receive out, what they put in, isn't an outlandish standard.


Quote:
Originally Posted by zelendel View Post
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you can't buy the app then don't. It doesn't matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?


I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you don't like it then too bad. Feel free not to use it.

Now Get this thread back on topic and that is idea to help protect their apps.
Sorry, I was typing when you posted. Back on topic...protect your apps the best you can, but expect someone to make it free, because that's life.