[GUIDE][IDEAS] Protecting your app from the main piracy circumvention methods

Quinny899 · May 15, 2013

There's a few easy methods anyone could use to crack the protection of your app that you worked very hard on, and in the same way there's methods to stop this from happening as well

The first one, the big one, there's the app "Lucky Patcher". What this app does is patches the dalvik files to tell the app that it's activated, even if the Play Store disagrees. There's two ways of protecting from this:

Implement a simple piece of code to check if Lucky Patcher is installed, and if it is, force the user to uninstall it (But by then it might be too late!)
Here's a sample piece of code that stops the user from opening the app if Lucky Patcher is installed and prompts them to uninstall it

Once you've implemented this code, call checkLP(); in your code where you need it, and add a UninstallLpActivity.class to respond to the user pressing OK, which uninstalls it (automatically if you have root, manually if you don't) and then returns the user to the main activity, at which point it checks again

However, this will not always work. What happens if the user patches it and then uninstalls Lucky Patcher? What then? What about if they patched the apk itself?

That's where method 2 comes in.

For method 2, the alternative is to download an unpatched version of your app from the internet and install it on top, either automatically if you have root (Which is recommended where possible) or manually, which could lead to you hitting issues with signatures

I don't have the code for this one, but the best way is with RootTools to call a download normally and then use "pm install -r" to overwrite it. Note that Lucky Patcher also has a method that adds ODEX files to /data/app/ which you will want to remove also

But I don't have a paid version, only IAPs and people are using Freedom! :crying:
Freedom is a complex app that circumvents the Play Store and makes the app think it's been bought when it hasn't. There's two very similar and simple ways to stop Freedom working though, both of which need root (which is fine, because Freedom needs root anyway)

1.) Just stop freedom, kill its service and hopefully stop it from working
Again, I recommend RootTools to make this easier.
When your activity with IAPs starts, call a command that runs the following:

Code:

pkill cc.cz.madkite.freedom

This will stop the freedom app from running and hopefully stop the user from using it to crack purchases

2.) The better, more permanent method, forcibly uninstall freedom
Again, I recommend RootTools to make this easier.
In your class with IAPs, add the following code:

And then call it where you want to with checkFreedom();
Similar to the Lucky Patcher one, you need a second class that uninstalls it. Mine is as simple as follows:

This uses root to uninstall it, which is easiest because the user cannot press cancel, then loops back around to check again to make sure it worked

Finally, and most importantly, obfuscate.
Even the biggest pirates I've seen haven't ever tried to crack apps that use other methods and are obfuscated. Therefore, best practice where possible is to obfuscate, or even just run it from a remote server on a secure connection. ProGuard instructions are available here

Help! They still get past it
Use the good old methods of reporting then, try and keep the amount of people who are able to download it illegitimately to a minimum

Further ideas:
Improve the reinstall because of Lucky Patcher by just re-building the dex file - Looking into it

Further reading:
Android Developers site on best practices for in app billing

Quinny899 · May 22, 2013

e3d said:
I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?

if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?

If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.

You ever heard of ethics? I've never seen much worse ethics for programming.

you do not have to care about other apps on a system.

Isn't Freedom what linux is about.?

*for all devs who want to use OP's "solution".

---------- Post added at 06:36 PM ---------- Previous post was at 06:28 PM ----------

Same here.

If you have root, use a system wide thing, don't support an app that incorporates piracy methods

And "why are you on a forum which allows freedom"
Read the goddamn rules, we don't allow that kind of stuff, it's warez and illegal

Also, I don't think you understand what I'm doing by uninstalling it here. I'm protecting my rights, not 'uninstalling a competitor' as you compare it to.

Meanwhile, I'm about to have a mod clean out this thread, including this post

superkoal · May 22, 2013

e3d said:
I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?
if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?

If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.

You ever heard of ethics? I've never seen much worse ethics for programming.

you do not have to care about other apps on a system.

Isn't Freedom what linux is about?

How the hell did you guys get into developers forum?
Removing ads is the same way illegal than pirating an entire app.

awaaas said:
A simple apk can't install/replace system app? Google "Google Play Store Installer by Chelpus" and you'll be suprised...

And about the people awareness, what about "third-world" countries? Credit card is usually not available...
They want to buy, but they can't pay you. Now Google Indonesia is starting to offer payment by phone credit (only one carrier for now), and some of my friends is starting to buy games and apps if they like it (some apps is "tried" first though)

I specifically set prices very low in countries with less developed economy. I would even offer my app for free in some countries if google would let me.

SifJar · May 22, 2013

I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://xdaforums.com/showpost.php?p=41581990&postcount=9

Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).

*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.

Quinny899 · May 22, 2013

SifJar said:
I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://xdaforums.com/showpost.php?p=41581990&postcount=9

Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).

*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.

There's ways of checking if it uses the debug key, which I believe Lucky Patcher signs with, see here:
http://stackoverflow.com/questions/5578871/android-how-to-get-app-signature

m11kkaa · May 22, 2013

If your app is a game and it's completely native(unity3d, cocos2dx,...) you could do the following:
1) do license checks from within native code(.so file)
2) check signature of apk file from within native code and kill app if it's not valid
3) sign your native libraries and do self checks before execution to prevent people from editing asm code.

LiquidSolstice · May 22, 2013

Wow, some of you guys...

God forbid a developer expect that you compensate him/her for hard work on an application.

If it's worth it for you to go through the trouble of getting outside of the Play Store, cracking it, and sideloading it, clearly it's worth it to you enough to actually pay for it.

As usual with so many Android users, the self-entitlement complex is through the goddamn roof. I get it, being on a forum where you get such amazing aftermarket firmwares and modifications at no cost to you has really gone to your head; it makes you believe that all things Android should be cheap and free but that's really not how it works.

I don't buy the "I use Lucky Patcher to block ads" BS. If you want to block ads, there's a million different ways you can use a hosts file or an app that manages the host file to do that (especially if you're concerned with traffic, that's the ideal solution).

I get the criticism with the idea of removing another app, but I don't buy for even one second that anyone thinks they are justified in pirating the app; this is the mentality that spreads and becomes a huge problem. Many of you just don't see anything wrong in circumventing a payment/compensation system, citing all sorts of reasons that range from potentially/weakly relevant to stupidly shameless.

3 years ago when I first got my HTC Hero, I pirated an app called Slide Screen because it looked really cool but I didn't want to pay for it. On the forum where I got the apk, there was a post from the developer of the app pleading with people to consider actually buying the app because he had put in a ton of effort in to it and was just trying to earn back a little extra income from all his research and self-taught Java lessons.

After that, I completely stopped using pirated apps because I understood; the Play Store is a vicious cesspool that is FULL to the brim of absolute utter crap, especially the "My First Android App"-type applications. It's very hard to gain exposure and with reverse engineering, it's even harder to maintain a unique app because of how easy it is to just turn around and modify someone else's apk and then resell it. It doesn't help that (and this only seems to happen with Android users) Android users are incredibly ignorant of the platform and downrate an *free* app for not having an extravagantly complex addition as though they are entitled to it.

Many of you spend between $300 and $600 on these devices, and many of you pay $50+ a month for a plan to go with them. Is it really so much for you to consider to spend what many call "a cheap fastfood lunch" on an app that you enjoy using, find useful, and get lifetime updates for?

Sadly, XDA users of today are completely unaware of what the "free" in "Freedom of linux" means. Gratis != libre. The freedom that linux brings to the masses is not as in free beer but free speech.

You all need to check your self-entitlement complex, it's clearly outgrown your sense of morality and logic.

LiquidSolstice · May 22, 2013

S.D.Richards said:
And thus you would violate the Play Store rules, since it's not allowed to alter or interfere with other apps to keep them from working as intended

That applies to other apps that are installed from the Play Store. Last I checked, Lucky Patcher isn't from the Play Store.

zelendel · May 24, 2013

Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you cant buy the app then dont. It doesnt matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?

I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you dont like it then too bad. Feel free not to use it.

Now Get this thread back on topic and that is idea to help protect their apps.

Vinchenzop · May 24, 2013

S.D.Richards said:
I NEVER said it is right, on the contrary, I always take measure as good as possible if someone violates the license of my projects(looking at you bigbad router maker). But what's right/wrong doesn't matter as long as people are doing it anyway and you can't stop it.

Under your US laws drugs are illegal, well in most states, but still people get and take them. You spend billions to fight it and it did nothing except for a few dead people who quickly get replaced. It's the same with piracy, shot down one site, at least two will spawn out of the ashes. It's not right, mostly not even from a moral standpoint, but it's done anyway.

It's a fact of live, unfortunately today, the same as death. One might not like it that a loved one dies, but with current tech, it can't be stopped, so one has to cope with it.

Again, I don't want devs to stop whatever they are trying to achieve with anti-copy stuff, I just want to help them understand that there are more reasons to piracy than just don't wanting to pay. I don't pirate apps, I use free ones or get licenses for free, f.e. in exchange for my translation work. I'm in the lucky situation that I've got the money to spend, but I'm not breaking my own rules for it, either I pay, look for alternatives or if I really need it and can, do it myself. But there are people worse off than me, having money but Google doesn't even offer to buy in their country or having no money at all. Look at f.e. Africa, many people there have practically no money, but they do have smartphones. Why? Because the EU and the US ship outdated models there to help them get educated. If people pirate an app their, it might have significant positive impact on their lives, maybe it helps them get a paid job and maybe they'll thank you in the future by buying your stuff, sending you a picture of their child or whatnot - as long as you don't actively lose money on them because they are using your bandwith, I just don't see where the big problem is - a $/€ for a dev in the western world makes practically no difference, a pirated 1$ dictionary on the other hand can make a huge difference for someone in an evolving country.

Live isn't about money, even if advertisers want to sell you that huge car. It's about surviving and taking care of others and that doesn't mean just the one close to you. The world is so big and the possibilities are endless, with a small chance, some kid from India could pirate your app, educate himself using it and in the future become the single doctor who can cure your kids cancer or whatnot. Isn't that a picture worth thinking about? The chances are slim, but it's possible.

The issue that I have with your 3rd world possibility, is that there are many apps made for free by volunteers to assist in the aid of the less fortunate memebers of deprived communities/countries. These unforunate people aren't in a position to have internet access, so these second-hand devices are given, pre-loaded with educational software. They don't have access to the PlayStore, or any other site that would even give them the possibility of piracy.

While the message behind your post may pull on the heart-strings of others, it is a flawed story that is full of holes. While life isn't about money, someone expecting to receive out, what they put in, isn't an outlandish standard.

zelendel said:
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you cant buy the app then dont. It doesnt matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?

I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you dont like it then too bad. Feel free not to use it.

Now Get this thread back on topic and that is idea to help protect their apps.

Sorry, I was typing when you posted. Back on topic...protect your apps the best you can, but expect someone to make it free, because that's life.

Magissia · May 24, 2013

Checking app's integrity can make two in one, check if it got corrupted in anyway, check if it was patched.

A popup can then, in case of failled check, tell that app is corrupted because it failled integrity check (even if it was not corrupted and just patched, integrity point of view, it's corrupted)

This check should happen at startup and a second time somewhere else to make it look "random", this way it will be more annoying for the cracker to disable this integrity check.

Please keep in mind you'll have to redo checks on your side for each updates.

Another solution may be to require direct account auth, and have a backend server to check if user's account correspond a buyer's mail. This method should not be used with an app not supposed to use internet (because it will be really annoying for the user if trying to use it without a data plan)

Please note i don't know if you get all users mails or only when they refund, may not be applicable, just an idea.

Hope it helps anyone.

Regards

Tolriq · May 24, 2013

Moderation was made with a chainsaw

About anti piracy techniques, one of the most effective thing as stated before in this thread is not to kill the app at start and put big messages.
Those are easy to spot and remove.

95% of the hackers that will allow mass distribution of your app won't be users of your app, they just fill requests for the fame.
So adding random checks at places that only real users will trigger is the easy way to go.
You can still let some honeypot easy to track for those, so they think they have cracked the app.

Currently my app is tell to be cracked and spread a lot to internet at each of my release.
But the app is not really cracked it does all the free version support, leading to more installs of a functional app leading users to love your app and then buy it if they can, others would in fact never buy an app so are not good users.
This also brings a lots of publicity, since each time the "hackers" post your app there's a full description with links to PlayStore and your website if you have one.

Piracy is not bad it's free ads

Simple checks on crc and signature are obvious to defeat, don't use them as a boolean test but use those values to calculate other one that are useful elsewhere (Easier to do with signature that don't change, crc needs implementing a custom ant build and tools

)

coolbud012 · May 24, 2013

Just my own opinion guys, dont you think the user would delete our app instead of removing lucky patcher or freedom?
Also what if he has replaced his market/play store with the cracked version one?

Quinny899 · May 24, 2013

coolbud012 said:
Just my own opinion guys, dont you think the user would delete our app instead of removing lucky patcher or freedom?
Also what if he has replaced his market/play store with the cracked version one?

I believe Google now protect from the cracked play store on its servers, and if they do, that's their choice. You'd make no money either way

coolbud012 · May 24, 2013

Quinny899 said:
I believe Google now protect from the cracked play store on its servers, and if they do, that's their choice. You'd make no money either way

Cracked Play Store is still working...Beside play store what about the other things which I mentioned.

S.D.Richards · May 24, 2013

I believe a pirating user will more likely delete a not working app and look for an alternative then remove LP. Reason is simple, there are usually more app alternatives than to LP. In theory, this behaviour could be a bad thing, if he's one of the try-before-buy people and ends up buying an alternative from another dev.

As far as random checks based on user input or after some time goes, at least for the former there are automated solutions which hit every button, enter all kinds of data in fields, etc. Basically fuzzy vulnerability search tweaked for user input. So if you want to use that, you've got to think long and hard to not scare of legitamte customers.

Self checks are hard to implement in a strong and resistent way, plus your rating can go from 5 to 1 if you ever forget to do it, so you better make sure to add it to your buildsystem.

Tolriq · May 24, 2013

If an hacker have time to build an automated test solution for the app to validate that every action result in the correct result then :

- This is the best hacker in the world so nothing will stop him

- He does much more than even me can do on my apps and I'd gladly ask for his test solution

And Yatse is still 5 stars so when things are correctly done hackers makes ads for you and users are happy and buy your app

S.D.Richards · May 24, 2013

Tolriq said:
If an hacker have time to build an automated test solution for the app to validate that every action result in the correct result then :

- This is the best hacker in the world so nothing will stop him
- He does much more than even me can do on my apps and I'd gladly ask for his test solution

And Yatse is still 5 stars so when things are correctly done hackers makes ads for you and users are happy and buy your app

These solutions already exist, at least for normal PC-software. Don't know if anyone ported this to android, but it would be trivial. Of course, mostly this stuff is used for legitimate tests of software, but there's no reason to use it against some checks. Android software is usually pretty easy to decompile or otherwise reverse engineer, so it's rather easy to plug stuff in.

If it makes sense to use something like that against a $1 app is another question, but with today's hardware it's also no effort to check multiple apps in different vms at the same time.

Tolriq · May 24, 2013

So you really are the kind of guys that always want to be right and have the last word to get this thread purged again ? (Please don't answer to this)

Test units exist for a long time and will for life

But do you have any idea of the time needed to write those tests ?
Fully automated tests don't exist since you have to provide them with the waited result, a test that check that something happens on a button click is irrelevant in our case since this is exactly the trick, the result will not be the same but the action will work....
Like returning only half of the results on a query ?

Of course if you make a poor fart app with only one button there's nothing to be done (apart stop doing such apps

).

Using code coverage tools would be more efficient for the hackers and would work better .....

So as all have already agreed there's nothing you can do against someone that really want to hack an app on Android, you can only do (and it's recommended) some basics things not too hard to implement but still making the work for basic hackers (like all script kiddies) too long to worth it.

And doing those checks out of the non real user path will always finish to a poorly cracked application that will spread making you ads and giving you more users, and even if after a real correct cracked version goes out, it's already too late, the first one was spread and is referenced everywhere users will have more chance to find the bad one and became legit users.

jpepin · May 24, 2013

zelendel said:
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you cant buy the app then dont. It doesnt matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?

There is no argument that developers have the right to protect their work. But there are plenty of reasons to not spend time and effort on developing and testing anti-piracy solutions that will inevitably be cracked. The question really boils down to cost versus benefit. How much money are you really losing, and how valuable is your time? For some developers, investing in novel anti-piracy solutions is worth it. For others, it's time that could be better spent improving their app.

I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you dont like it then too bad. Feel free not to use it.

That is just one man's opinion. I personally don't think it's a great idea. The fact is, it's up to the individual developer to make that choice.

Now Get this thread back on topic and that is idea to help protect their apps.

Deciding not to invest too much effort in protecting your app is ABSOLUTELY on topic, because it's another alternative. Many of the comments made in the discussion of this post (found here: http://www.xda-developers.com/android/preventing-app-piracy-join-the-discussion/) reiterate exactly what I said. I can only assume that my original response in this thread was removed for having a different opinion, which leads me to wonder what other legitimate comments have been censored because a moderator has a personal disagreement.

[GUIDE][IDEAS] Protecting your app from the main piracy circumvention methods

Recognized Developer / Recognized Contributor

Recognized Developer / Recognized Contributor

Senior Member

Senior Member

Recognized Developer / Recognized Contributor

Recognized Dev / Inactive Recognized Contributor

Inactive Recognized Developer

Inactive Recognized Developer

Senior Member

Inactive Recognized Developer

Senior Member

Senior Member

Senior Member

Recognized Developer / Recognized Contributor

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Similar threads

Top Liked Posts