There has been quite a bit of talk recently about the new Android licensing and how it might be easily and automatically stripped from apps. I’ve been thinking a little about this and how to obfuscate the use of the licensing to improve piracy protection. The way I see it there are two main aims – prevent any kind of automatic script so at least there has to be some manual work, and secondly to make that manual work as tough as possible.
I know very little about obfuscation and piracy prevention, so I’d appreciate any feedback on whether the approach below makes sense:
Prevent automated circumvention
As far as I can gather, the trick is to change the code to always give a positive licence verification result. Looking at the sample LVL code, it looks like you pass in a package name for licence verification. My suggestion is simple – as well as checking the licence for the app, occasionally also check the licence of a package that you know will fail. If that comes back as positive, you know the app has been tampered with.
By putting the licence check in more than one location, and building the package name dynamically, so that sometimes the same check should pass and other times it should fail, I think this would fool most automated scripts.
Make it a real pain to manually change the code
Assuming the above is a valid tactic, then there is plenty you can do to make circumventing it a real pain. Multiple checks throughout the code, each behaving differently, along with obfuscation would make it a more time-consuming task.
Not immediately reacting to invalid licences would also help. Instead of displaying a message or just quitting when the licence is found to be invalid, if the app continues to work for a day or two (or a certain number of uses, etc.), then it’s likely that bad releases will find their way onto piracy sites, reducing users’ faith in them.
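A sketch of the decoy check and the delayed reaction described above, as an added example that is not part of the original post or of the LVL sample code. The `Predicate` standing in for the licence-server round trip, the class and method names, the seed scheme and the package name are all assumptions made for illustration.

```java
import java.util.function.Predicate;

// Added illustration: the Predicate stands in for the licence-server round trip (assumption).
public class DecoyLicenceCheck {
    enum Result { LICENSED, UNLICENSED, TAMPERED }

    private final Predicate<String> verifier; // true = "licensed" answer for that package
    private final String realPackage;
    private final int graceUses;              // uses tolerated after the first bad result
    private int badUses = 0;                  // a real app would persist this counter

    DecoyLicenceCheck(Predicate<String> verifier, String realPackage, int graceUses) {
        this.verifier = verifier;
        this.realPackage = realPackage;
        this.graceUses = graceUses;
    }

    // Built at run time so the decoy name never appears as a literal in the binary.
    private String decoyPackage(int seed) {
        return new StringBuilder(realPackage).reverse().append(".x").append(seed).toString();
    }

    // Odd seeds also query a package that must fail; a "yes" for it means the check was patched.
    Result check(int seed) {
        if ((seed & 1) == 1 && verifier.test(decoyPackage(seed))) {
            return Result.TAMPERED;
        }
        return verifier.test(realPackage) ? Result.LICENSED : Result.UNLICENSED;
    }

    // Delayed reaction: after the first bad result every use counts against the grace budget.
    boolean allowUse(Result r) {
        if (r != Result.LICENSED || badUses > 0) badUses++;
        return badUses <= graceUses;
    }

    public static void main(String[] args) {
        String pkg = "com.example.app";          // constructed package name
        Predicate<String> honest = pkg::equals;  // only the real package is licensed
        Predicate<String> patched = p -> true;   // verifier forced to always answer yes
        DecoyLicenceCheck a = new DecoyLicenceCheck(honest, pkg, 2);
        DecoyLicenceCheck b = new DecoyLicenceCheck(patched, pkg, 2);
        Result ra = a.check(3);
        System.out.println("honest: " + ra + " allowed=" + a.allowUse(ra));
        for (int use = 1; use <= 4; use++) {
            Result rb = b.check(use);
            System.out.println("patched use " + use + ": " + rb + " allowed=" + b.allowUse(rb));
        }
    }
}
```

The grace counter here lives in memory only; where and how it is stored between launches is left open, as it is in the post.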
Again, please correct me if you have a better understanding of this issue, or if it can be further improved.