[GUIDE][IDEAS] Protecting your app from the main piracy circumvention methods

OP Quinny899

15th May 2013, 03:49 PM   |  #1  
There are a few easy methods anyone could use to crack the protection of your app that you worked very hard on, and in the same way there are methods to stop this from happening as well.

The first one, the big one, is the app "Lucky Patcher". What this app does is patch the dalvik files to tell the app that it's activated, even if the Play Store disagrees. There are two ways of protecting from this:

Implement a simple piece of code to check if Lucky Patcher is installed, and if it is, force the user to uninstall it (but by then it might be too late!).
Here's a sample piece of code that stops the user from opening the app if Lucky Patcher is installed and prompts them to uninstall it.
Code:
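// Imports needed by the Activity that contains this method
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;

public void checkLP() {
    PackageManager mPm = getPackageManager();
    try {
        // getPackageInfo() throws NameNotFoundException if the package is not installed
        PackageInfo info = mPm.getPackageInfo("com.chelpus.lackypatch", 0);
        if (info != null) {
            AlertDialog.Builder ad3 = new AlertDialog.Builder(this);

            ad3.setCancelable(false); // the user cannot dismiss the dialog
            ad3.setTitle("Lucky Patcher");
            ad3.setMessage("I have detected the presence of the app 'Lucky Patcher', which could be used maliciously within this app. You need to uninstall it to continue");
            ad3.setPositiveButton("OK", new DialogInterface.OnClickListener() {
                @Override
                public void onClick(DialogInterface dialog, int which) {
                    // Hand over to the uninstall activity and close this one
                    startActivity(new Intent(MainActivity.this, LpUninstallActivity.class));
                    finish();
                }
            });

            AlertDialog alertDialog3 = ad3.create();
            alertDialog3.show();
        }
    } catch (NameNotFoundException e) {
        // Lucky Patcher is not installed: nothing to do
        return;
    }
}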


Once you've implemented this code, call checkLP(); in your code where you need it, and add an UninstallLpActivity.class to respond to the user pressing OK, which uninstalls it (automatically if you have root, manually if you don't) and then returns the user to the main activity, at which point it checks again.

However, this will not always work. What happens if the user patches it and then uninstalls Lucky Patcher? What then? What about if they patched the apk itself?

That's where method 2 comes in.

For method 2, the alternative is to download an unpatched version of your app from the internet and install it on top, either automatically if you have root (which is recommended where possible) or manually, which could lead to you hitting issues with signatures.

I don't have the code for this one, but the best way is with RootTools to call a download normally and then use "pm install -r" to overwrite it. Note that Lucky Patcher also has a method that adds ODEX files to /data/app/ which you will want to remove also.



But I don't have a paid version, only IAPs and people are using Freedom!
Freedom is a complex app that circumvents the Play Store and makes the app think it's been bought when it hasn't. There are two very similar and simple ways to stop Freedom working though, both of which need root (which is fine, because Freedom needs root anyway).

1.) Just stop Freedom, kill its service and hopefully stop it from working.
Again, I recommend RootTools to make this easier.
When your activity with IAPs starts, call a command that runs the following:
Code:
pkill cc.cz.madkite.freedom
This will stop the Freedom app from running and hopefully stop the user from using it to crack purchases.

2.) The better, more permanent method: forcibly uninstall Freedom.
Again, I recommend RootTools to make this easier.
In your class with IAPs, add the following code:
Code:
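// Imports needed by the Activity that contains this method
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;

public void checkFreedom() {
    PackageManager mPm = getPackageManager();
    try {
        // getPackageInfo() throws NameNotFoundException if the package is not installed
        PackageInfo info = mPm.getPackageInfo("cc.cz.madkite.freedom", 0);
        if (info != null) {
            AlertDialog.Builder ad3 = new AlertDialog.Builder(this);

            ad3.setCancelable(false); // the user cannot dismiss the dialog
            ad3.setTitle("Freedom");
            ad3.setMessage("I have detected the presence of the app 'Freedom', which could be used maliciously within this section of the app. You need to uninstall it to continue");
            ad3.setPositiveButton("OK", new DialogInterface.OnClickListener() {
                @Override
                public void onClick(DialogInterface dialog, int which) {
                    // Hand over to the uninstall activity and close this one
                    startActivity(new Intent(IapActivity.this, FreedomUninstallActivity.class));
                    finish();
                }
            });

            AlertDialog alertDialog3 = ad3.create();
            alertDialog3.show();
        }
    } catch (NameNotFoundException e) {
        // Freedom is not installed: nothing to do
        return;
    }
}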
And then call it where you want to with checkFreedom();
Similar to the Lucky Patcher one, you need a second class that uninstalls it. Mine is as simple as follows:

Code:
import java.io.IOException;
import java.util.concurrent.TimeoutException;

import android.app.Activity;
import android.app.ProgressDialog;
import android.content.Intent;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuInflater;
import android.view.MenuItem;
import android.view.View;
import android.widget.CheckBox;
import android.widget.Toast;

import com.stericson.RootTools.*;
import com.stericson.RootTools.exceptions.RootDeniedException;
import com.stericson.RootTools.execution.CommandCapture;

public class FreedomUninstallActivity extends Activity {
    CheckBox RootCheckBox;
    CheckBox BusyboxCheckBox;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Non-cancelable progress dialog; ProgressDialog.show() already displays it
        ProgressDialog dialog =
                ProgressDialog.show(FreedomUninstallActivity.this, "", "Uninstalling Freedom...", true);
        dialog.setCancelable(false);

        // Uninstall the Freedom package from a root shell
        CommandCapture command = new CommandCapture(0, "pm uninstall cc.cz.madkite.freedom");

        try {
            RootTools.getShell(true).add(command).waitForFinish();
        } catch (InterruptedException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (TimeoutException e) {
            e.printStackTrace();
        } catch (RootDeniedException e) {
            // Root was refused, so nothing was uninstalled
            e.printStackTrace();
        }

        // Close the dialog before leaving so its window is not leaked
        dialog.dismiss();

        // Return to the IAP activity, which checks again
        startActivity(new Intent(this, IapActivity.class));
        finish();
    }
}
This uses root to uninstall it, which is easiest because the user cannot press cancel, then loops back around to check again to make sure it worked.

Finally, and most importantly, obfuscate.
Even the biggest pirates I've seen haven't ever tried to crack apps that use other methods and are obfuscated. Therefore, best practice where possible is to obfuscate, or even just run it from a remote server on a secure connection. ProGuard instructions are available here

Help! They still get past it
Use the good old methods of reporting then; try to keep the number of people who are able to download it illegitimately to a minimum.

Further ideas:
Improve the reinstall because of Lucky Patcher by just re-building the dex file - Looking into it

Further reading:
Android Developers site on best practices for in app billing
22nd May 2013, 07:23 PM   |  #2  
Quinny899
Quote:
Originally Posted by e3d


I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?

if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?

If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.

You ever heard of ethics? I've never seen much worse ethics for programming.

you do not have to care about other apps on a system.

Isn't Freedom what linux is about.?

*for all devs who want to use OP's "solution".

---------- Post added at 06:36 PM ---------- Previous post was at 06:28 PM ----------

Same here.

If you have root, use a system wide thing, don't support an app that incorporates piracy methods

And "why are you on a forum which allows freedom"
Read the goddamn rules, we don't allow that kind of stuff, it's warez and illegal

Also, I don't think you understand what I'm doing by uninstalling it here. I'm protecting my rights, not 'uninstalling a competitor' as you compare it to.

Meanwhile, I'm about to have a mod clean out this thread, including this post
Last edited by Quinny899; 22nd May 2013 at 07:27 PM.
22nd May 2013, 07:32 PM   |  #3  
Quote:
Originally Posted by e3d

I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?
if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?

If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.

You ever heard of ethics? I've never seen much worse ethics for programming.

you do not have to care about other apps on a system.

Isn't Freedom what linux is about?

How the hell did you guys get into developers forum?
Removing ads is illegal in the same way as pirating an entire app.

Quote:
Originally Posted by awaaas

A simple apk can't install/replace system app? Google "Google Play Store Installer by Chelpus" and you'll be surprised...

And about the people awareness, what about "third-world" countries? Credit card is usually not available...
They want to buy, but they can't pay you. Now Google Indonesia is starting to offer payment by phone credit (only one carrier for now), and some of my friends are starting to buy games and apps if they like it (some apps are "tried" first though)

I specifically set prices very low in countries with less developed economies. I would even offer my app for free in some countries if Google would let me.
The Following 2 Users Say Thank You to superkoal For This Useful Post: [ View ]
22nd May 2013, 07:46 PM   |  #4  
SifJar
I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://forum.xda-developers.com/show...90&postcount=9

Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).

*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.
22nd May 2013, 07:47 PM   |  #5  
Quinny899
Quote:
Originally Posted by SifJar

I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://forum.xda-developers.com/show...90&postcount=9

Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).

*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.

There's ways of checking if it uses the debug key, which I believe Lucky Patcher signs with, see here:
http://stackoverflow.com/questions/5...-app-signature
22nd May 2013, 08:50 PM   |  #6  
m11kkaa
If your app is a game and it's completely native (unity3d, cocos2dx, ...) you could do the following:
1) do license checks from within native code (.so file)
2) check signature of apk file from within native code and kill app if it's not valid
3) sign your native libraries and do self checks before execution to prevent people from editing asm code.
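The signing-certificate check raised in posts #4 to #6 (SifJar's "signed with your own keys", the debug-key test Quinny899 links to, m11kkaa's APK signature check), as an added example that is not code from any poster in this thread. The class, method and constant names are hypothetical, and the pinned fingerprint is a placeholder you replace with your own release certificate's SHA-256.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;

/** Added example; all names in this class are hypothetical. */
public final class SigningCertCheck {

    // Placeholder: SHA-256 of your release certificate (DER bytes) as lowercase hex
    // without colons. Until it is replaced, isSignedWithReleaseCert() returns false.
    private static final String EXPECTED_CERT_SHA256 = "<sha256-of-release-certificate>";

    // Subject of the certificate the Android SDK generates for debug builds.
    private static final X500Principal DEBUG_DN =
            new X500Principal("CN=Android Debug,O=Android,C=US");

    private SigningCertCheck() {}

    /** Returns the app's signing certificate, or null unless there is exactly one. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES; API 28+ offers GET_SIGNING_CERTIFICATES
    private static byte[] signingCertDer(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length != 1) {
            return null;
        }
        return sigs[0].toByteArray();
    }

    /** True only if the installed APK is signed with the pinned release certificate. */
    public static boolean isSignedWithReleaseCert(Context ctx) {
        try {
            byte[] der = signingCertDer(ctx);
            if (der == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return toHex(digest).equals(EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false; // fail closed: an uninspectable APK is treated as re-signed
        }
    }

    /** True if the APK carries an SDK debug certificate or cannot be inspected. */
    public static boolean isSignedWithDebugCert(Context ctx) {
        try {
            byte[] der = signingCertDer(ctx);
            if (der == null) return true;
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
            return cert.getSubjectX500Principal().equals(DEBUG_DN);
        } catch (Exception e) {
            return true;
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Pinning your own certificate covers re-signing with any other key, not only the debug key. The check runs inside the code it protects, so it raises the cost of tampering rather than preventing it.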
23rd May 2013, 12:10 AM   |  #7  
LiquidSolstice
Wow, some of you guys...

God forbid a developer expect that you compensate him/her for hard work on an application.

If it's worth it for you to go through the trouble of getting outside of the Play Store, cracking it, and sideloading it, clearly it's worth it to you enough to actually pay for it.

As usual with so many Android users, the self-entitlement complex is through the goddamn roof. I get it, being on a forum where you get such amazing aftermarket firmwares and modifications at no cost to you has really gone to your head; it makes you believe that all things Android should be cheap and free but that's really not how it works.

I don't buy the "I use Lucky Patcher to block ads" BS. If you want to block ads, there's a million different ways you can use a hosts file or an app that manages the host file to do that (especially if you're concerned with traffic, that's the ideal solution).

I get the criticism with the idea of removing another app, but I don't buy for even one second that anyone thinks they are justified in pirating the app; this is the mentality that spreads and becomes a huge problem. Many of you just don't see anything wrong in circumventing a payment/compensation system, citing all sorts of reasons that range from potentially/weakly relevant to stupidly shameless.

3 years ago when I first got my HTC Hero, I pirated an app called Slide Screen because it looked really cool but I didn't want to pay for it. On the forum where I got the apk, there was a post from the developer of the app pleading with people to consider actually buying the app because he had put in a ton of effort into it and was just trying to earn back a little extra income from all his research and self-taught Java lessons.

After that, I completely stopped using pirated apps because I understood; the Play Store is a vicious cesspool that is FULL to the brim of absolute utter crap, especially the "My First Android App"-type applications. It's very hard to gain exposure and with reverse engineering, it's even harder to maintain a unique app because of how easy it is to just turn around and modify someone else's apk and then resell it. It doesn't help that (and this only seems to happen with Android users) Android users are incredibly ignorant of the platform and downrate a *free* app for not having an extravagantly complex addition as though they are entitled to it.

Many of you spend between $300 and $600 on these devices, and many of you pay $50+ a month for a plan to go with them. Is it really so much for you to consider to spend what many call "a cheap fastfood lunch" on an app that you enjoy using, find useful, and get lifetime updates for?


Sadly, XDA users of today are completely unaware of what the "free" in "Freedom of linux" means. Gratis != libre. The freedom that linux brings to the masses is not as in free beer but free speech.

You all need to check your self-entitlement complex, it's clearly outgrown your sense of morality and logic.
23rd May 2013, 12:14 AM   |  #8  
LiquidSolstice
Quote:
Originally Posted by S.D.Richards

And thus you would violate the Play Store rules, since it's not allowed to alter or interfere with other apps to keep them from working as intended

That applies to other apps that are installed from the Play Store. Last I checked, Lucky Patcher isn't from the Play Store.
24th May 2013, 02:16 AM   |  #9  
zelendel
Ok guys, CALM down. Now I know this is a heated subject, but it is plain and simple. If you can't buy the app then don't. It doesn't matter what the reason is, developers have the right to protect themselves and their apps. While I agree it will never be stopped, why not make it a huge PITA for it to be cracked?

I agree with the OP. More developers should add things like this and the LP remover is a great idea. If you don't like it then too bad. Feel free not to use it.

Now get this thread back on topic, and that is ideas to help protect their apps.
24th May 2013, 02:25 AM   |  #10  
Vinchenzop
Quote:
Originally Posted by S.D.Richards

I NEVER said it is right, on the contrary, I always take measure as good as possible if someone violates the license of my projects(looking at you bigbad router maker). But what's right/wrong doesn't matter as long as people are doing it anyway and you can't stop it.

Under your US laws drugs are illegal, well in most states, but still people get and take them. You spend billions to fight it and it did nothing except for a few dead people who quickly get replaced. It's the same with piracy, shot down one site, at least two will spawn out of the ashes. It's not right, mostly not even from a moral standpoint, but it's done anyway.

It's a fact of life, unfortunately today, the same as death. One might not like it that a loved one dies, but with current tech, it can't be stopped, so one has to cope with it.

Again, I don't want devs to stop whatever they are trying to achieve with anti-copy stuff, I just want to help them understand that there are more reasons to piracy than just not wanting to pay. I don't pirate apps, I use free ones or get licenses for free, f.e. in exchange for my translation work. I'm in the lucky situation that I've got the money to spend, but I'm not breaking my own rules for it, either I pay, look for alternatives or if I really need it and can, do it myself. But there are people worse off than me, having money but Google doesn't even offer to buy in their country or having no money at all. Look at f.e. Africa, many people there have practically no money, but they do have smartphones. Why? Because the EU and the US ship outdated models there to help them get educated. If people pirate an app there, it might have significant positive impact on their lives, maybe it helps them get a paid job and maybe they'll thank you in the future by buying your stuff, sending you a picture of their child or whatnot - as long as you don't actively lose money on them because they are using your bandwidth, I just don't see where the big problem is - a $/€ for a dev in the western world makes practically no difference, a pirated 1$ dictionary on the other hand can make a huge difference for someone in an evolving country.

Life isn't about money, even if advertisers want to sell you that huge car. It's about surviving and taking care of others and that doesn't mean just the one close to you. The world is so big and the possibilities are endless, with a small chance, some kid from India could pirate your app, educate himself using it and in the future become the single doctor who can cure your kid's cancer or whatnot. Isn't that a picture worth thinking about? The chances are slim, but it's possible.

The issue that I have with your 3rd world possibility, is that there are many apps made for free by volunteers to assist in the aid of the less fortunate members of deprived communities/countries. These unfortunate people aren't in a position to have internet access, so these second-hand devices are given, pre-loaded with educational software. They don't have access to the Play Store, or any other site that would even give them the possibility of piracy.

While the message behind your post may pull on the heart-strings of others, it is a flawed story that is full of holes. While life isn't about money, someone expecting to receive out, what they put in, isn't an outlandish standard.


Quote:
Originally Posted by zelendel

Ok guys, CALM down. Now I know this is a heated subject, but it is plain and simple. If you can't buy the app then don't. It doesn't matter what the reason is, developers have the right to protect themselves and their apps. While I agree it will never be stopped, why not make it a huge PITA for it to be cracked?

I agree with the OP. More developers should add things like this and the LP remover is a great idea. If you don't like it then too bad. Feel free not to use it.

Now get this thread back on topic, and that is ideas to help protect their apps.

Sorry, I was typing when you posted. Back on topic...protect your apps the best you can, but expect someone to make it free, because that's life.
