Researchers have found a very simple method for evading the Android licensing scheme that Google uses to ensure that paid applications in its Android Market are correctly licensed.
The crack takes advantage of the fact that most Android apps are written in Java and the portion of the code that checks to see whether a particular app is properly licensed is easily identifiable and removable. The new method, which comes out just a few weeks after Google debuted its new licensing scheme, simply requires a user to add a small patch to the decompiled Java code of a given application, which will result in the licensing library thinking that the app is licensed, when it is not.
The method was described in a post on AndroidPolice, in which the author details exactly how the licensing scheme works and what a user needs to do in order to evade it. The way that the Android Market Licensing service works is fairly simple. After a user downloads and installs a paid application, the service will check with the Market server to see whether the app is licensed. If it is not, the server will return a message saying that the app must be licensed. The licensing status is stored on the Market server and is signed using a unique key pair.
The licensing crack doesn’t change the status on the Market server, but instead points the portion of the code on the Android device to a function that says the app is properly licensed.
“The important one here is 0×1, or NOT_LICENSED. By changing “0×1
-> :sswitch_de ” to “0×1 -> :sswitch_d3″ we basically point it to a
positive outcome instead, so the library tells your app the license is
actually valid. The final step is to reassemble with smali, placing the new dex file
in the apk, and re-sign it with any valid key (even test-keys),” the AndroidPolice article says.
“Even though the library knows the status is NOT_LICENSED, the
described tweak ensures the application will receive a LICENSED result
instead and believe that it is, in fact, licensed. This method is so
simple, even a novice programmer could write a script to automatically
patch most apps.”
The net result of this method is that Android users would have the ability to “side-load” unauthorized or pirated applications, which of course prevents the app developer from getting paid for his creation. The AndroidPolice site also has a video demo of the method.
In the documentation for the licensing scheme, Google makes it clear that developers should take steps to make it more difficult for users to pirate their applications.
“To ensure the security of your application, particularly for a paid
application that uses licensing and/or custom constraints and protections, it’s
very important to obfuscate your application code. Properly obfuscating your
code makes it more difficult for a malicious user to decompile the application’s
bytecode, modify it — such as by removing the license check —
and then recompile it,” the documentation says.