Google’s response to hacking of their app protection

Google announced their new app licensing system on July 27th. Less than a month later, on August 23rd, the system had been hacked and instructions on circumventing the security were posted online.

As attention-grabbing as the announcement was (“Check it out: Google’s new DRM easily hacked!!!”), Tim Bray reminds us, via the Android Developers Blog, that the “defeat” of Google’s licensing system is actually…not a big deal. After all, the licensing system was designed to allow coders to implement their own checks using Google’s infrastructure: the first release included the “most transparent imaginable sample implementation,” for the purpose of making it easy to understand for new adopters. Bray also points out that coders should be obfuscating their code.

In short, the hack probably doesn’t say as much about Google’s copy protection system as those first headlines may have seemed to indicate. Here is the blog post, which was originally posted here, in its entirety:

It’s been reported that someone has figured out, and published, a way to hack some Android apps to bypass our new Android Market licensing server. We’ll be saying more on this, but there are a few points that deserve to be made right now:

* The licensing service, while very young, is a significant step forward in terms of protection over the plain copy-protection facility that used to be the norm. In the how-to-pirate piece, its author wrote: “For now, Google’s Licensing Service is still, in my opinion, the best option for copy protection.”

* The licensing service provides infrastructure that developers can use to write custom authentication checks for each of their applications. The first release shipped with the simplest, most transparent imaginable sample implementation, which was written to be easy to understand and modify, rather than security-focused.

* Some developers are using this sample as-is, which makes their applications easier to attack. The attacks we’ve seen so far are also all on applications that have neglected to obfuscate their code, a practice that we strongly recommend. We’ll be publishing detailed instructions for developers on how to do this.

* The number of apps that have migrated to the licensing server at this point in time is very small. It will grow, because the server is a step forward.

* 100% piracy protection is never possible in any system that runs third-party code, but the licensing server, when correctly implemented and customized for your app, is designed to dramatically increase the cost and difficulty of pirating.

* The best attack on pirates is to make their work more difficult and expensive, while simultaneously making the legal path to products straightforward, easy, and fast. Piracy is a bad business to be in when the user has a choice between easily purchasing the app and visiting an untrustworthy, black-market site.

Android Market is already a responsive, low-friction, safe way for developers to get their products to users. The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction.

Via the Android Developers Blog, by way of PhoneDog