Chase Those Android App Pirate Vampires Away With Garlic
Imagine this, you are an Indie Android App Developer and do not have a lot of resources. In-fact, you probably do not even have the money resources to get your Android App name trademarked the first time you develop and application.
But, you know the app pirates will try to get your app on their phone and root their device to and try to get the de-encyrpted copy and than reverse engineer the class files and copy it over to one of those non-Google China app stores.
Would it not be nice to have a way that you could magically chase them away with no added expense? I am going to show you that way.
You know that when you sign an android application APK file that you use a self-signing key. There are only two parties that will know the hash of that signing key you and the AppStore. The other aspect is that the resulting APK file is encrypted on devices.
So we could used manifest place holders in the gradle build file to grab the hash number we assign in our local.properties or gradle.properties file that is our user.home folder to supply the hash to the manifest during a product build of the application and than just read that manifest variable when we need to use in our garlic code.
This assumes that for most purposes you only have on developer that runs production builds as an added security measure.
Basically, we are setting the hash string in our clove. than our CloveFreshness class tests if the supplied hash is correct by matching to a hash of that hash which we can query the content PackageManager for a hash of the signature hash.
I left out the Dhash class from the example for a reason so that I could explain some security aspects with this solution. Obviously we do not want that hash of our APK signing cert to fall into the wrong hands as than the game is over.
Okay, in a previous article I stated that in comparison the android device when compared to the developer’s encrypted-HD laptop and your relationship with that developer and the legal contract with that developer was more secure than the android device. So now I have to delve into what is least secure on android as opposed to secure on android at the application level.
Okay these are ordered as least secure to most:
Manifest XML files, asset files, res folder files
java compiled classes as the dex file and libs as a huge classes file
That is basically it the compiled java files due to their obfuscation and due to main core files being inside the dex file are more secure than the manifest. But, there is a key difference. If what the pirate wants to decode, decompile and understand is the dex file they not only have the proguard obfuscation obstacle but also the aspect of trying to understand dex commands.
That means if obfuscate the APK hash in one of the core class files of the application and go through the extra steps of putting unrelated code in the same class than we are rasing the bar as far as hurdles to the App Vampire Pirate.
The trade-off is you get the ability to put the app in non-Google App Stores without having an LVM server but the down side is its still not fool-proof. Its up to you the Indie Developer to weigh that risk and decide whether it is worth the risk or not.
With some simple knowledge of how the tools sign the APK file and what the PackageManager can read as far as the apk signature one can devise a simple code strategy to defeat most android application pirates.