Android Market Licensing
Tony Chan
Agenda
• What is Market Licensing?
• Architecture
• Tips for securing your Market
Licensing implementation
• How to get st...
What is Market Licensing?
Tell you whether a user is
licensed to use your application
Details…
•  Protect your app on any devices that include
the Android Market app
•  You maintain full control of how your a...
Architecture
Google
License
Server
Your App
LVL
Market App
Architecture
Bind
Signed
License
Status
User
& App
Data
User Info
Android Ph...
Tips for securing your Market
Licensing implementation
Is my app secure after adding
Market Licensing EXACTLY like
the sample code?
NO!
いいえ!
Common Mistakes
• Used the sample code as-is
• Forgot to obfuscate the code
• Did not terminate their apps properly after
...
Tips
Four areas to improve security:
• Code Obfuscation
• Modify the LVL code
• Make your application tamper-resistant
• O...
Code Obfuscation
1
responseCode -> k
checkAccess()->vw(); allow()->qb()
•  Can:
–  Remove symbols that reveal the original...
ProGuard
1
• Free, Open Source under GPL
• http://proguard.sourceforge.net
• Blog post
– http://android-developers.blogspo...
Modify the LVL code
1
The goal is to make your implementation
unique
Three areas to modify:
• Core LVL logic
• Entry/exit ...
Core LVL logic
1
Two classes - LicenseChecker and LicenseValidator
•  Replace switch statements with if statements.
•  Use...
Core LVL logic
1
public void verify(PublicKey publicKey, int responseCode, String	
signedData, String signature) {	
// ......
Core LVL logic
1
public void verify(PublicKey publicKey, int responseCode, String signedData,
String signature) {	
// ... ...
Entry/exit points of the LVL
1
• Add additional arguments constructors and methods
• Remove Policy interface if no swappab...
Proper license check and response handling
1
•  Avoid putting license check code in onCreate() as
this method cannot be ob...
Make your App Tamper-resistant
2
•  Add code to compare the current app’s signature with
the good known value (ideally fro...
Offload license validation to a trusted server
2
Instead of doing the license validation on the Android
device, do it on a...
Summary
2
•  Make your implementation is unique
•  Change it often (e.g. every release)
•  Make it difficult to trace when...
How to get started?
Signup Setup Integrate Test
Signup
•  Android Market publisher account
•  Have to use an existing account if you want to add
licensing support to your...
Setup
•  Download the latest SDK in order to debug your
implementation in the emulator
•  Setup run-time environment
•  Se...
SDK
API 8 (revision 2) or above, with Google APIs add-on
Signup Setup Integrate Test
Setup Run-time Environment
•  Device
-  Running Android 1.5 or above
-  Android Market app installed (should be
available ...
Setup Project Configuration
No changes required if your project is using
API version 3 (Android 1.5) or above
Time to upgr...
Download LVL
Signup Setup Integrate Test
Setup LVL
•  Move the library and the sample source code to a
new location (e.g. your Eclipse workspace)
Signup Setup Inte...
Setup LVL
•  Import the LVL as an Android library project
Signup Setup Integrate Test
ADT Plug-in
•  Check your current plug-in
Need new ADT if this is missing
Signup Setup Integrate Test
ADT Plug-in
•  Version 0.9.7 or above
•  https://dl-ssl.google.com/android/eclipse/
Signup Setup Integrate Test
Integrate your app with LVL
Add the licensing permission to the application
manifest
<?xml version="1.0" encoding="utf-8"?...
Integrate your app with LVL
Define a Policy
•  Use one provided in the LVL
-  ServerManagedPolicy (Recommended)
-  Will ca...
Integrate your app with LVL
Signup Setup Integrate Test
•  Add code to check license in your app’s main
activity
•  (Optio...
Test Environment
Signup Setup Integrate Test
Test Environment
Signup Setup Integrate Test
Account Type Can check
license before
upload?
Can receive test
response?
Can ...
Resources
4
•  Market Licensing developer guide
–  http://developer.android.com/guide/publishing/
licensing.html
•  Market...
Resources
4
•  LVL issue tracker
–  http://code.google.com/p/marketlicensing/issues/
•  Development and testing issues
–  ...
Google Developer Day 2010 Japan: マーケットライセンシングを使って Android アプリケーションを守るには (トニー チャン)
Upcoming SlideShare
Loading in …5
×

Google Developer Day 2010 Japan: マーケットライセンシングを使って Android アプリケーションを守るには (トニー チャン)

1,234
-1

Published on

本セッションでは、Android Market で提供されているライセンスサービスを紹介します。 最初にサービス概要を紹介したあと、Android アプリケーションにこのサービスをどのようにして設定し、統合し、そしてテストするかを解説します。さらに、このライセンスの実装をより安全にするためのいくつかのヒントを解説します。

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,234
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Google Developer Day 2010 Japan: マーケットライセンシングを使って Android アプリケーションを守るには (トニー チャン)

  1. 1. Android Market Licensing Tony Chan
  2. 2. Agenda • What is Market Licensing? • Architecture • Tips for securing your Market Licensing implementation • How to get started?
  3. 3. What is Market Licensing? Tell you whether a user is licensed to use your application
  4. 4. Details… •  Protect your app on any devices that include the Android Market app •  You maintain full control of how your app enforces its licensing status •  Straightforward integration using the License Verification Library (LVL). Any app with API version 3 or higher can use this service. •  The service is free
  5. 5. Architecture
  6. 6. Google License Server Your App LVL Market App Architecture Bind Signed License Status User & App Data User Info Android Phone Retrieve
  7. 7. Tips for securing your Market Licensing implementation
  8. 8. Is my app secure after adding Market Licensing EXACTLY like the sample code? NO! いいえ!
  9. 9. Common Mistakes • Used the sample code as-is • Forgot to obfuscate the code • Did not terminate their apps properly after receiving a NOT_LICENSED response • License validation logic was flawed (not tested thoroughly)
  10. 10. Tips Four areas to improve security: • Code Obfuscation • Modify the LVL code • Make your application tamper-resistant • Offload the license validation to a trusted server
  11. 11. Code Obfuscation 1 responseCode -> k checkAccess()->vw(); allow()->qb() •  Can: –  Remove symbols that reveal the original structure of a compiled application •  Can’t: –  Prevent automated attacks –  Alter the flow of your program •  Obfuscator –  ProGuard
  12. 12. ProGuard 1 • Free, Open Source under GPL • http://proguard.sourceforge.net • Blog post – http://android-developers.blogspot.com/2010/09/ proguard-android-and-licensing-server.html • Helper Project at code.google.com – android-proguard-commandline – Require Android SDK Tools v7 or above
  13. 13. Modify the LVL code 1 The goal is to make your implementation unique Three areas to modify: • Core LVL logic • Entry/exit points of the LVL • How your application invokes LVL and handles license response
  14. 14. Core LVL logic 1 Two classes - LicenseChecker and LicenseValidator •  Replace switch statements with if statements. •  Use hash functions to derive new values for any constants used •  Remove unused code •  Move all the LVL code into your own package •  Spawn additional threads to handle different parts of the license validation •  Replace functions with inline code where possible
  15. 15. Core LVL logic 1 public void verify(PublicKey publicKey, int responseCode, String signedData, String signature) { // ... Response validation code omitted for brevity ... switch (responseCode) { // In bytecode, LICENSED will be converted to the // constant 0x0 case LICENSED: // NOT_LICENSED will be converted to the constant 0x1 case NOT_LICENSED: handleResponse(LicenseResponse.NOT_LICENSED, data); break; // ... Extra response codes also removed for brevity ... } } Original Sample code:
  16. 16. Core LVL logic 1 public void verify(PublicKey publicKey, int responseCode, String signedData, String signature) { // ... Response validation code omitted for brevity … java.util.zip.CRC32 crc32 = new java.util.zip.CRC32(); crc32.update(responseCode); int transformedResponseCode = crc32.getValue(); // crc32(LICENSED) == 3523407757 if (transformedResponseCode == 3523407757) { LicenseResponse limiterResponse = mDeviceLimiter.isDeviceAllowed(userId); handleResponse(limiterResponse, data); } // ... put unrelated application code here ... // crc32(NOT_LICENSED) == 2768625435 if (transformedResponseCode == 2768625435) { userIsntLicensed(); } } Improved Sample code: Use a hash function to compute a new response code value Replace switch statement with if statements Add unrelated code to make it harder to reverse engineer
  17. 17. Entry/exit points of the LVL 1 • Add additional arguments constructors and methods • Remove Policy interface if no swappable policies public LicenseChecker(Context context, Policy policy, String encodedPublicKey, int nonce1, int nonce2) ... public void allow(int nonce2); ... public void dontAllow(int nonce1); ...
  18. 18. Proper license check and response handling 1 •  Avoid putting license check code in onCreate() as this method cannot be obfuscated •  Invoke a different activity rather than a dialog to inform users about license failure •  Add additional finish() statements to make sure your app is properly terminated when the user is not licensed •  Set a timer thread that will handle license check properly after a timeout
  19. 19. Make your App Tamper-resistant 2 •  Add code to compare the current app’s signature with the good known value (ideally from a server) •  Add code to compute the checksum of the current app’s files and compare it with the good known checksum (ideally from a server) •  Alter your code logic when your app is running in debug mode
  20. 20. Offload license validation to a trusted server 2 Instead of doing the license validation on the Android device, do it on a trusted server • Pro: –  Very difficult to crack –  Can do more fine-grained license check (e.g. per device) • Con: –  Effective only if your app serves online content –  You have to maintain your own server –  Harder to implement
  21. 21. Summary 2 •  Make your implementation is unique •  Change it often (e.g. every release) •  Make it difficult to trace when decompiled •  Make it resistant to any changes Be creative!
  22. 22. How to get started?
  23. 23. Signup Setup Integrate Test
  24. 24. Signup •  Android Market publisher account •  Have to use an existing account if you want to add licensing support to your already published apps •  What you can do with the publisher account: -  Publish licensed and free apps -  Obtain the public key to decrypt license responses -  Test and debug licensing implementation Signup Setup Integrate Test
  25. 25. Setup •  Download the latest SDK in order to debug your implementation in the emulator •  Setup run-time environment •  Setup project configuration •  Download and setup the LVL •  (Optional) Download the latest ADT Plug-in if you want to include the LVL as an Android library project Signup Setup Integrate Test
  26. 26. SDK API 8 (revision 2) or above, with Google APIs add-on Signup Setup Integrate Test
  27. 27. Setup Run-time Environment •  Device -  Running Android 1.5 or above -  Android Market app installed (should be available in any compatible devices) •  Emulator (Android Virtual Device) -  Google APIs Add-On, API 8 (release 2) or above -  Add a Google account and sign in using your publisher account or test account credentials Signup Setup Integrate Test
  28. 28. Setup Project Configuration No changes required if your project is using API version 3 (Android 1.5) or above Time to upgrade!!! Signup Setup Integrate Test
  29. 29. Download LVL Signup Setup Integrate Test
  30. 30. Setup LVL •  Move the library and the sample source code to a new location (e.g. your Eclipse workspace) Signup Setup Integrate Test
  31. 31. Setup LVL •  Import the LVL as an Android library project Signup Setup Integrate Test
  32. 32. ADT Plug-in •  Check your current plug-in Need new ADT if this is missing Signup Setup Integrate Test
  33. 33. ADT Plug-in •  Version 0.9.7 or above •  https://dl-ssl.google.com/android/eclipse/ Signup Setup Integrate Test
  34. 34. Integrate your app with LVL Add the licensing permission to the application manifest <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" ..."> ... <!– Devices with SDK version 3 or above have version of Android Market that supports licensing. --> <uses-sdk android:minSdkVersion="3" /> <!-- Required permission to check licensing. --> <uses-permission android:name="com.android.vending.CHECK_LICENSE" /> ... </manifest> Signup Setup Integrate Test
  35. 35. Integrate your app with LVL Define a Policy •  Use one provided in the LVL -  ServerManagedPolicy (Recommended) -  Will cache license response and handle various conditions -  StrictPolicy -  License response must come from market license server •  Pre-defined policies do not fit your needs -  Implement the Policy interface Signup Setup Integrate Test
  36. 36. Integrate your app with LVL Signup Setup Integrate Test •  Add code to check license in your app’s main activity •  (Optional) – Implement a DeviceLimiter -  Need to keep track of all the devices yourself
  37. 37. Test Environment Signup Setup Integrate Test
  38. 38. Test Environment Signup Setup Integrate Test Account Type Can check license before upload? Can receive test response? Can set test response? Publisher Account Yes Yes Yes Test Account No Yes No Other No No No
  39. 39. Resources 4 •  Market Licensing developer guide –  http://developer.android.com/guide/publishing/ licensing.html •  Market Licensing 3-part series blog posts –  http://android-developers.blogspot.com/2010/08/ licensing-server-news.html –  http://android-developers.blogspot.com/2010/09/ securing-android-lvl-applications.html –  http://android-developers.blogspot.com/2010/09/ proguard-android-and-licensing-server.html
  40. 40. Resources 4 •  LVL issue tracker –  http://code.google.com/p/marketlicensing/issues/ •  Development and testing issues –  http://groups.google.com/group/android-developers –  http://stackoverflow.com/questions/tagged/android •  Accounts, publishing, and deployment issues –  http://www.google.com/support/forum/p/Android+Market –  http://market.android.com/support/bin/answer.py? answer=186113

×