Psym Mobile

News and Development Blog

Some thoughts on LVL and obfuscation


There has been quite a bit of talk recently about the new Android licencing and how it might be easily and automatically stripped from apps. I’ve been thinking a little about this and how to obfuscate the use of the licencing to improve piracy protection. The way I see it there are two main aims – prevent any kind of automatic script so at least there has to be some manual work, and secondly to make that manual work as tough as possible.

I know very little about obfuscation and piracy prevention, so I’d appreciate any feedback on whether the approach below makes sense:

Prevent automated circumvention

As far as I can gather, the trick is to change the code to always give a positive licence verification result. Looking at the sample LVL code, it looks like you pass in a package name for licence verification. My suggestion is simple – as well as checking the licence for the app, occasionally also check the licence of a package that you know will fail. If that comes back as positive, you know the app has been tampered with.

By putting the licence check in more than one location, and building the package name dynamically, so that sometimes the same check should pass and other times it should fail, I think this would fool most automated scripts.

Make it a real pain to manually change the code

Assuming the above is a valid tactic, then there is plenty you can do to make circumventing it a real pain. Multiple checks throughout the code, each behaving differently, along with obfuscation would make it a more time-consuming task.

Not immediately reacting to invalid licences would also help. Instead of displaying a message or just quitting when the licence is found to be invalid, if the app continues to work for a day or two (or a certain number of uses, etc.), then it’s likely that bad releases will find their way onto piracy sites, reducing users’ faith in them.
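The two ideas above, a decoy check that must fail and a delayed reaction to a bad result, modelled as an added example (not code from this post or from the LVL). The `Verifier` interface is a hypothetical stand-in for the licensing call, and the package name, the decoy-name scheme and `GRACE_USES` are assumptions.

```java
public class DecoyLicenceCheck {
    /** Hypothetical stand-in for the licensing call; not the LVL API. */
    interface Verifier { boolean isLicensed(String packageName); }

    enum Verdict { LICENSED, UNLICENSED, TAMPERED }

    static final int GRACE_USES = 3;   // assumed: bad launches tolerated before reacting
    private final Verifier verifier;
    private final String realPackage;
    private int badLaunches = 0;       // a real app would persist this counter

    DecoyLicenceCheck(Verifier verifier, String realPackage) {
        this.verifier = verifier;
        this.realPackage = realPackage;
    }

    /** Decoy name assembled at run time, so it is not a single string constant. */
    static String decoyName(String realPackage, int salt) {
        return new StringBuilder(realPackage).reverse()
                .append('.').append(Integer.toHexString(salt)).toString();
    }

    Verdict check(int salt) {
        // A package nobody has bought must fail; a pass means the result is forced.
        if (verifier.isLicensed(decoyName(realPackage, salt))) return Verdict.TAMPERED;
        return verifier.isLicensed(realPackage) ? Verdict.LICENSED : Verdict.UNLICENSED;
    }

    /** Deferred reaction: keep working for GRACE_USES bad launches, then restrict. */
    boolean fullVersionAllowed(Verdict v) {
        if (v == Verdict.LICENSED) return true;
        return ++badLaunches <= GRACE_USES;
    }

    public static void main(String[] args) {
        String pkg = "com.example.game";      // constructed sample package name
        Verifier honest = pkg::equals;        // licensed for the real app only
        Verifier forced = name -> true;       // models a check forced to always pass
        DecoyLicenceCheck ok = new DecoyLicenceCheck(honest, pkg);
        DecoyLicenceCheck bad = new DecoyLicenceCheck(forced, pkg);
        System.out.println("honest verifier: " + ok.check(7));
        for (int launch = 1; launch <= 5; launch++) {
            Verdict v = bad.check(launch);
            System.out.println("launch " + launch + ": " + v
                    + ", full version allowed = " + bad.fullVersionAllowed(v));
        }
    }
}
```

The forced verifier is flagged on every launch because the decoy passes, yet the app only drops to restricted mode once the grace launches are used up.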

Again, please correct me if you have a better understanding of this issue, or if it can be further improved.


Author: Psym

Developer of Abduction! and the Gem Miner series.

8 thoughts on “Some thoughts on LVL and obfuscation”

  1. Pingback: Some thoughts on LVL and obfuscation

  2. Hi

    Romain Guy tweeted an interesting (from 2001!) article here that discusses techniques one can use for the ‘Make it a real pain to manually change the code’ part: http://www.gamasutra.com/view/feature/3030/keeping_the_pirates_at_bay.php?page=1

  3. I think your ideas are pretty sound – I think I would go one step further with the idea of not killing the app immediately:

    Lots of apps have a free/lite version, so if someone attempts to pirate the paid-for version, it should fall back to the free/lite version when a valid license is not found. Blocking gameplay eventually or altogether is just punishment (not strictly wrong because the user did do something bad, but it doesn’t resolve to a positive situation), whereas giving the user the same limited functionality of the free version just shows the user you as a developer are willing to compromise.

  4. I once read an article on Gamasutra where the devs of the old Spyro games for PS1 talked about their anti-piracy code.
    If you would try to play a pirated copy of Spyro and the game would detect the changes, you could simply play about half the game. As soon as you got there the game became impossible to beat.
    Since most pirates just publish their work and never actually play through the whole game, bad releases happened, and it took the pirates about 3 months to actually get a full working copy out.

  5. Pingback: Abduction: Some thoughts on LVL and obfuscation | Android World News

  6. I just published my first ever Android game, Anti-Squish. As this is my first Android app the game is obviously completely unheard-of. However, I still tried to implement a fair bit of tamper-resistant functionality. This included encryption of data being sent to the online score server and of course the Android License Verification Library.

    I found the LVL fairly straightforward to implement utilising the in-built ServerManagedPolicy. As discussed, instead of just closing the app on a licensing failure the game reverts to the Lite edition (which is actually not released yet as I still need to strip out resources and unused code for the true Lite edition). I’ve also done some pretty funky stuff with threads and handlers which hopefully make it even more difficult to locate the actual LVL code.

    As far as obfuscation goes, I went with Google’s recommendation of ProGuard via an Ant build script. Unfortunately I had some strange Ant library issues whereby Ant would only find the LVL on the first build. In the end I just copied the LVL directly into my app’s source rather than referencing it as a library.

    Obviously I don’t want my game to be pirated, however, I’d be curious to see how much difficulty my particular setup poses to potential hackers.

    If any developers out there would like some help integrating the LVL feel free to contact me via the Glass Echidna website.

  7. Then, check if this app can crack your app automatically: http://androidcracking.blogspot.com/p/antilvl.html

  8. While I understand the issue of piracy, I think that app developers that concern themselves with piracy more than the game itself have failed out the gate.

    If you make a great game, people will support you. It’s as simple as that. Stop worrying about piracy; stop worrying about “lost” sales.

    You have more to lose by an aggressive anti-piracy scheme than you have to gain by slowing down pirates. If an anti-piracy scheme ever annoys or fails for me, a paying customer, the game maker is as good as dead to me.

    It’s a senseless quest that yields no rewards. Make good games, make money. Don’t waste time trying to solve problems that can’t be solved.
