Discussion:
I've found a way to stop piracy of my apps
dadical
2010-05-04 21:20:18 UTC
I've spent the last few weeks developing a new tool to stop piracy of
my paid apps on the Android Market. In a nutshell, licensing is tied
directly to purchase verification. There is no license server to
manage, no key for the user to enter. User experience is basically
uninterrupted from normal application purchase.

I'm excited about this, as my paid apps are now reaching piracy rates
as high as 90% on some days, with the average somewhere around 75%.
For pirated apps, purchase verification (and subsequently licensing)
will fail after a certain number of attempts, and pirates will be left
with anything from a "buy me" nag, to a disabled app (behavior is
configurable).

Android Market is the only supported purchase validation target so
far. Others will be forthcoming if demand warrants.

This isn't a perfect solution (I have yet to find a perfect licensing
solution), but I feel it is the best balance of security, features,
and workflow that I've seen to date.

You can find a write up, download, and purchasing information here:
http://keyeslabs.com/joomla/index.php/projects/auto-app-licensing

I'll be looking forward to the comments, suggestions, and death
threats.
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-***@googlegroups.com
To unsubscribe from this group, send email to
android-developers+***@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
westmeadboy
2010-05-05 11:48:02 UTC
Non-Android Market solutions would be more interesting to me.

I'd like some way to stick an apk on my website and allow users to pay
using PayPal. Everything else would work seamlessly...
dadical
2010-05-05 14:21:53 UTC
That's a cool use case, but I'm curious about how commonly people sell
apps that way. Are you doing this because of the limitations of where
Android offers paid apps? Is it because of the costs involved in
doing transactions on Android Market?

I think that the value offered by Android Market only begins to be
realized when your app makes it into the rotation within the top 25 or so
of any particular category. Said another way, 30% overhead is worth
it if your volume is high enough.

AAL is modular and can have additional validation targets, so doing
validation through PayPal should be possible, although authentication
would be the sticky part. AAL works so well with Android Market
because it can use the user's existing account credentials when
validating the purchase (i.e., no username/password required).
westmeadboy
2010-05-05 18:26:43 UTC
Post by dadical
That's a cool use case, but I'm curious about how commonly people sell
apps that way. Are you doing this because of the limitations of where
Android offers paid apps? Is it because of the costs involved in
doing transactions on Android Market?

There are lots of apps sold in China that way. Most Android devices in
China don't come with the Android Market and those that do, don't have
access to paid apps.

About 70% of my users are not able to buy apps through the Android
Market.
Streets Of Boston
2010-05-05 14:24:40 UTC
My apps haven't reached piracy rates that high (yet). But I'll keep an
eye on your solution :-)
Keep us updated.
strazzere
2010-05-05 17:23:46 UTC
Looking at your documentation, I'm assuming you're making a call to the
market requesting the state of the application -- if I'm wrong, then
just disregard this information. If I'm right, I guess my only
question is why are you charging so much information for such a
simplistic method?

Don't get me wrong - that method would probably be the best one I've
seen yet on the market, but that's still a nice chunk of money to
charge for it.

-Tim
dadical
2010-05-05 18:09:49 UTC
Hey Tim.

You're correct that validating purchase with the market is a key piece
of our solution. Figuring out how exactly to do that using Google's
binary market protocol in an efficient way (try doing everything that
AAL does in a 35 KB library) was a fairly significant dev effort.
What's more, balancing license generation, market API security,
cross-Android version compatibility, customization, etc., and you've got a
nice little chunk of work that we put into this solution.

As for pricing, we'll see what the market will support. In our own
single app Screebl, we "lose" about $100/day in revenue to pirated
apps, so $50 seems cheap. I know that not all of that $100 will
translate into sales, but some percentage will. My point is it
shouldn't take long for AAL to pay for itself.

Dave
strazzere
2010-05-05 18:15:27 UTC
Dave,

Glad to hear it's paying for itself already! It's definitely a clever
use for the market api - wish I'd thought of it myself. This should
definitely slow down pirates - as it would require direct patching of
the apk file as an intervention.

Using the market api should also alleviate any issues regarding
switching phones etc, as long as that user keeps the same account
activated.

On a side note - it would seem the weak part of your code might be the
licensing system at this point would be whatever you've implemented
for your SDK itself. Obviously you can't rely on the market for that
piece :)

Bravo - and best of luck.

-Tim
Al Sutton
2010-05-05 18:32:28 UTC
I'm not sure how many developers will like your licensing terms,
especially the bit which prevents them from creating any form of
licensing solution of their own if they download your app. It's also
worth noting that your statement preventing reverse-engineering doesn't
hold water in many jurisdictions (e.g. Europe where Article 6 of the
European Software Directive specifically allows it for certain
reasons, have a look about half way down the article at
http://www.aplf.org/mailer/issue113.html).

Don't get me wrong, it's always good to see innovation in this field,
but you might want to ease up on your license a little.

Al.
dadical
2010-05-05 19:28:35 UTC
Thanks for the feedback Al.

My intent wasn't to forbid anyone from creating their own licensing
options after downloading AAL, just that they can't reverse engineer
it, copy it, change the name, etc. I'll look into improving the
wording...

Dave
George | SlideME
2010-05-05 20:01:28 UTC
Dear dadical,
I salute your initiative and congratulate your efforts in the anti-piracy
conflict. Digital Rights Management was never an easy adventure. Nowadays,
everything can be broken by using different methods. Some fall easier, some
do harder. However, I do not intend to highlight this in your licensing API.

I have a few thoughts for your licensing approach, as follows:


1. I as an end-user cannot welcome the disclosure of
   accounts/credentials, which by design are required for your module to work
   (android.permission.GET_ACCOUNTS, android.permission.USE_CREDENTIALS). Those
   in combination with android.permission.INTERNET make me highly worried
   about first at all possible scam. A simple example would be: I write an
   application and claim I am using your 'licensing module' so the end-user is
   installing my app thanks to trusting you. Then I do whatever I want with
   that.
   - Based on the above, I as a Vendor can not embrace the permission
     enforcement for such disclosure of private data in my products
   - What if there is a shared account? This will work on all devices
     that have that user credentials?
2. You have reversely-engineered the Android Market Transfer Protocol
   and Markup Language for purchase verification.
   - Do you have the guarantee that Google will not change the protocol
     and your module will not fail?
     - You will most likely need to reversely engineer the
       protocol/language again and come with an updated version. How
       about the time frame you need to fix this and the clients unable
       to use the application?
3. Is your module legit? For how long? What guarantees can you grant?

There could be more but for now this is all that came in my mind.

On the other hand, have you heard of
http://slideme.org/slidelock that
can be used today for protecting applications for global distribution where
there is no Android Market?

George
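The permission combination raised in the post above (GET_ACCOUNTS and USE_CREDENTIALS together with INTERNET) can be checked from an app's manifest before installing it or shipping a third-party module. This is an added example, not part of the original thread and not AAL code; it assumes a manifest already decoded to text XML (the copy inside an APK is binary), and the function names, severity labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# The three permissions named in the post.
GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
USE_CREDENTIALS = "android.permission.USE_CREDENTIALS"
INTERNET = "android.permission.INTERNET"

SEVERITY_ORDER = ["none", "low", "medium", "high"]  # labels are this example's own


def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest: root element is %r" % root.tag)
    names = set()
    for tag in PERMISSION_TAGS:
        for element in root.findall(tag):
            name = element.get(NAME_ATTR)
            if name:
                names.add(name.strip())
    return names


def review_account_access(manifest_xml):
    """Flag account-related permissions, rated higher when paired with INTERNET."""
    perms = requested_permissions(manifest_xml)
    online = INTERNET in perms
    findings = []
    if USE_CREDENTIALS in perms:
        if online:
            findings.append(("high", "can request auth tokens (not passwords) for "
                                     "device accounts and has network access"))
        else:
            findings.append(("medium", "can request auth tokens for device accounts"))
    if GET_ACCOUNTS in perms:
        if online:
            findings.append(("medium", "can list account names and has network access"))
        else:
            findings.append(("low", "can list account names"))
    return findings


def highest_severity(findings):
    """Return the worst severity label among the findings, or 'none'."""
    worst = "none"
    for severity, _ in findings:
        if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(worst):
            worst = severity
    return worst


# Constructed sample manifests (package names are placeholders).
ACCOUNT_AND_NETWORK = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.paidapp">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Paid App"/>
</manifest>
"""

NETWORK_ONLY = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainapp">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

ACCOUNTS_OFFLINE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.offline">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("account+network", ACCOUNT_AND_NETWORK),
                            ("network only", NETWORK_ONLY),
                            ("accounts offline", ACCOUNTS_OFFLINE)):
        results = review_account_access(xml_text)
        print(label, highest_severity(results), results)
```

The check cannot tell a licensing module's use of these permissions from any other code in the same app, which is the trust problem the post describes: permissions are granted to the whole package.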
dadical
2010-05-05 20:35:26 UTC
Hey George.

I have looked at SlideMe and SlideLock. It's great but doesn't fit my
use cases for my apps, nor, I would suspect many others looking for
simple licensing solutions that mesh well with Android Market.

Permissions are a pain, aren't they? It is what it is, and devs will
have to evaluate that when considering AAL. For anyone who wants to
use credentials for a backend system (which is becoming more and more
common) this is the best possible approach. Until Google gives us a
bit more control over the Android Account API, and finer-grained
interface to the permissions capabilities of Android, there's not much
that can be done to improve on this for this particular approach.
Something to consider:

- users NEVER give access to their user id or password, they just
grant the app permission to act using their identity with the market
for validation of purchase

As for the reverse engineering of the market API, of course Google can
change it. However, they also depend on that API, and have many, many
apps out on different versions of Android that depend on it. I would
expect this to remain relatively stable. Devs that use AAL can
configure their app's policy on what to do if validation fails,
including anything from "lock out" to "nag", so risk to end users can
be controlled.

Thanks for your feedback and contrasting points with SlideMe's
technologies.

Dave
Shane Isbell
2010-05-05 20:45:09 UTC
Permalink
Post by dadical
Hey George.
I have looked at SlideMe and SlideLock. It's great but doesn't fit my
use cases for my apps, nor, I would suspect many others looking for
simple licensing solutions that mesh well with Android Market.
Permissions are a pain, aren't they? It is what it is, and devs will
have to evaluate that when considering AAL. For anyone who wants to
use credentials for a backend system (which is becoming more and more
common) this is the best possible approach. Until Google gives us a
bit more control over the Android Account API, and finer-grained
interface to the permissions capabilities of Android, there's not much
that can be done to improve on this for this particular approach.
- users NEVER give access to their user id or password, they just
grant the app permission to act using their identity with the market
for validation of purchase
As for the reverse engineering of the market API, of course Google can
change it. However, they also depend on that API, and have many, many
apps out on different versions of Android that depend on it. I would
expect this to remain relatively stable. Devs that use AAL can
configure their app's policy on what to do if validation fails,
including anything from "lock out" to "nag", so risk to end users can
be controlled.
Thanks for your feedback and contrasting points with SlideMe's
technologies.

Did SlideME contrast anything with its own technologies? Looks as though
they are just trying to cast some vague doubts on AAL and KeyesLabs, without
understanding of what KeyesLabs is doing or the problem they are trying to
solve.
--
Shane Isbell (Founder of ZappMarket)
http://twitter.com/sisbell
http://twitter.com/zappstore
http://zappmarket.com
Marcut Andrei
2010-05-05 21:49:27 UTC
Permalink
Shane,

You must be using your signature for the same? Looks like you "are
just trying to cast some vague doubts on" SlideLock and SlideME [...]
I prefer to stop here.

The feedback from SlideME is valid, and the author welcomes it,
otherwise why would he open such a thread?

Is spreading a word about technologies a crime? And feedback too?

In the end it is all about Google not sustaining their services, while
there is such a big demand...

Cheers,
Markus.
Shane Isbell
2010-05-10 00:23:51 UTC
Permalink
Post by Marcut Andrei
Shane,
You must be using your signature for the same? Looks like you "are
just trying to cast some vague doubts on" SlideLock and SlideME [...]
I prefer to stop here.

I didn't say a word about SlideLock, so your point is completely off target.
As members of this community know, I come out and say what I mean. If I had
a problem with SlideLock, I would have said it. Do you do work for SlideME
by the way?

Thanks,
--
Shane Isbell (Founder of ZappMarket)
http://twitter.com/sisbell
http://twitter.com/zappstore
http://zappmarket.com
Shane Isbell
2010-05-10 01:06:56 UTC
Permalink
Post by Shane Isbell
Post by Marcut Andrei
Shane,
You must be using your signature for the same? Looks like you "are
just trying to cast some vague doubts on" SlideLock and SlideME [...]
I prefer to stop here.
I didn't say a word about SlideLock, so your point is completely off
target. As members of this community know, I come out and say what I mean.
If I had a problem with SlideLock, I would have said it. Do you do work for
SlideME by the way?

I checked. Markus you do work for SlideME. You should have disclosed this
information.
--
Shane Isbell (Founder of ZappMarket)
http://twitter.com/sisbell
http://twitter.com/zappstore
http://zappmarket.com
Nathan
2010-05-05 23:46:07 UTC
Permalink
I like the idea. And the licensing price isn't bad if it meets one's
needs.

I'm looking myself for a solution that will unlock a time limited
version. It's been discussed how some are using a license key app to
unlock a demo app. I suppose this scheme could work if you put the
purchase verification into the license key app.

It's worth asking, has anyone used the Google Checkout API for
purchase verification? I wanted to know before I explore that too
far.

Nathan
a1
2010-05-06 07:36:22 UTC
Permalink
Post by dadical
Hey Tim.
You're correct that validating purchase with the market is a key piece
of our solution.  Figuring out how exactly to do that using Google's
binary market protocol in an efficient way (try doing everything that
AAL does in a 35 KB library) was a fairly significant dev effort.
What's more, balancing license generation, market API security, cross-
Android version compatibility, customization, etc., and you've got a
nice little chunk of work that we put into this solution.
As for pricing, we'll see what the market will support.  In our own
single app Screebl, we "lose" about $100/day in revenue to pirated
apps, so $50 seems cheap.   I know that not all of that $100 will
translate into sales, but some percentage will.  My point is it
shouldn't take long for AAL to pay for itself.

Are you kidding me? You used code from this project:
http://code.google.com/p/android-market-api/ [you even left the same
UA spoof], and what's more important you are trying to charge for
solution that uses undocumented google APIs (hence illegal), which
not only may change at any time but also using it may be legitimate
reason to block app from android market.

--
Bart Janusz (Beepstreet)
dadical
2010-05-08 02:34:21 UTC
Permalink
I most certainly did NOT use code from that project. I rolled my own,
thank you very much. Take a look at that project. It's over 600k.
AAL is 36k. I wrote my own implementation of ProtoBuf to pull this
off, and that is no small undertaking. I did initially consider using
that project, but came to the conclusion fairly quickly that it was
just too fat. There is not a single piece of code from that project
in AAL.
Edward Falk
2010-05-06 06:22:38 UTC
Permalink
Intriguing. I was wondering if maybe you could add a blurb to your
web site explaining in simple terms how it works. E.g. "when the API
is called, it communicates with the Android Market to verify your key;
once verified, the verification code is remembered so that no further
calls to the market are needed." Or perhaps instead of "Android
Market", it's "our servers". Or whatever. How *does* it work?

And if it's your servers (or even the Android Market), what happens to
users when the servers go down? This is the biggest problem with any
kind of server-based DRM. Do they lose their apps? Is there an
alternative recovery plan?
westmeadboy
2010-05-06 07:22:45 UTC
Permalink
How about users who go from using a paid-app-country sim card to a non-
paid-app-country sim card? In such a case, the app is no longer
visible on the Market?

I guess your answer to this would be it's up to the developer to decide
how to handle such a license check failure but in reality the user
would demand that the app still works and so the dev would be pretty
much forced on the issue: i.e. validate once straight after install
and then future fails are allowed.
Tomáš Hubálek
2010-05-06 07:40:09 UTC
Permalink
I believe that every DRM is something that IMHO Google HAVE to SOLVE. Every
independent solution is just a hack that may stop working anytime Google
wants. Sorry.

Tom
--
-----------------------------------------------------------------------------------------------
Tom Hubalek (***@gmail.com), http://blog.hubalek.net/
http://facebook.com/thubalek, http://twitter.com/thubalek
http://www.linkedin.com/in/thubalek
a1
2010-05-06 07:47:33 UTC
Permalink
It uses this project: http://code.google.com/p/android-market-api/,
you can do same, just note that in proto purchased field is missing,
but you can simply extend App message in market.proto, purchased field
has id 34.

--
Regards,
Bart Janusz (Beepstreet)
strazzere
2010-05-06 19:18:06 UTC
Permalink
As you could also note - there is nothing in Android-Market-Api's
license against this type of use.

Whether he used their code or not - I'm not sure, but basing it off of
the User Agent is sort of a big leap of conclusions. That user agent
is pretty common on the android devices ;)

It's not as if the user-agent is "Android-Market-Api-v1".

-Tim
a1
2010-05-06 20:15:03 UTC
Permalink
Post by strazzere
As you could also note - there is nothing in Android-Market-Api's
license against this type of use.

Yes there is, google APIs services in point 5.3 states that you are
not allowed to use undocumented APIs:

"5.3 You agree not to access (or attempt to access) any of the
Services by any means other than through the interface that is
provided by Google, unless you have been specifically allowed to do so
in a separate agreement with Google. You specifically agree not to
access (or attempt to access) any of the Services through any
automated means (including use of scripts or web crawlers) and shall
ensure that you comply with the instructions set out in any robots.txt
file present on the Services."

moreover in point 5.5:

"5.5 Unless you have been specifically permitted to do so in a
separate agreement with Google, you agree that you will not reproduce,
duplicate, copy, sell, trade or resell the Services for any purpose."

Post by strazzere
Whether he used their code or not - I'm not sure, but basing it off of
the User Agent is sort of a big leap of conclusions. That user agent
is pretty common on the android devices ;)

No, each device uses different UA string when executing market request
(it contains device name and build id), therefore there is a lot of
possible combinations that can be used. Also library that this guy tries
to sell is based on google's protobuf, which android market api
project also uses.

Don't get me wrong I have game on android market, it features online
highscore and each online highscore entry stores AID (for
identification purposes), with 10k legitimate copies I've counted 16k
distinct AIDs in database that means that at least 6k (probably more
as not everybody uses highscore) copies were pirated, so I'd really
welcome some form of DRM, but charging $300 for lib that reuses some
open source project (without mentioning it) and which legality is at
least disputable (due to usage of undocumented google service) is kind
of shady.

--
Regards,
Bart Janusz (Beepstreet)
strazzere
2010-05-06 20:25:57 UTC
Permalink
Post by a1
Yes there is, google APIs services in point 5.3 states that you are

Ah, I'm talking specifically about the google code project
"android-market-api".

Post by a1
No, each device uses different UA string when executing market request
(it contains device name and build id), therefore there is a lot of
possible combination that can be used. Also library that this guy try
to sell is based on google's protobuf, which android market api
project also uses.

I know and understand that - but that's the user-agent tossed around
online all the time ;)

Post by a1
Don't get me wrong I have game on android market, it features online
highscore and each online highscore entry stores AID (for
identification purposes), with 10k legitimate copies I've counted 16k
distinct AIDs in database that means that at least 6k (probably more
as not everybody uses highscore) copies were pirated, so I'd really
welcome some form of DRM, but charging $300 for lib that reuses some
open source project (without mentioning it) and which legality is at
least disputable (due to usage of undocumented google service) is kind
of shady.

I've already agreed it's pretty expensive for the idea that it is.
There isn't really any proof that it is reusing the code - and even if
it is, it isn't required by that license to disclose it. They should -
if it is based off of it, but well, that's the world. There are tons
of open source projects and even android specific ones people rip off
and never even mention where the code comes from.

As a side note to the legality of this DRM (i.e. using undocumented
google service). I don't think this is a blip on Google's radar - don't
you think they'd have shut down the google-code project you think it's
based off of first?

My 2 cents - I'm not disagreeing with you, I think it's a big
overcharge too :)

-Tim
appforce.org
2010-05-06 21:12:02 UTC
Permalink
I don't think it's overcharge, BUT I think excusing for 'high' cost
with high piracy doesn't sound fair. It sounds like piracy would help
the sales of your product.
TreKing
2010-05-06 21:26:24 UTC
Permalink
It sounds like piracy would help the sales of your product.
Care to elaborate on this golden nugget?

-------------------------------------------------------------------------------------------------
TreKing - Chicago transit tracking app for Android-powered devices
http://sites.google.com/site/rezmobileapps/treking
Dan Sherman
2010-05-06 21:29:04 UTC
Permalink
I imagine he means: Without any piracy, dadical wouldn't have anyone to sell
his anti-piracy solution to. With more rampant piracy, he'll have a larger
potential customer base....

- Dan
TreKing
2010-05-06 21:32:39 UTC
Permalink
Post by Dan Sherman
I imagine he means: Without any piracy, dadical wouldn't have anyone to
sell his anti-piracy solution to. With more rampant piracy, he'll have a
larger potential customer base....

Ah, that makes much more sense than "having your app pirated helps your app
sales", which is what I got from reading that statement. I was confused =P
Don't mind me - carry on.

-------------------------------------------------------------------------------------------------
TreKing - Chicago transit tracking app for Android-powered devices
http://sites.google.com/site/rezmobileapps/treking
Lee
2010-05-07 10:09:01 UTC
Permalink
As an aside, why don't google provide their own official API to allow
apps to check with the market whether they've been purchased or not ?

Perhaps it's the 'any security which can be conceivably broken is
useless' line ?

I would be happy with any protection mechanism which forced my apk to
be hacked in order to install it on a non-rooted phone, instead of the
current 'just copy it over, it'll work fine' situation.
I don't need 100% security.

Lee
dadical
2010-05-08 02:54:23 UTC
Permalink
Hello Lee.

Regardless of whether anyone purchases AAL, it has been a worthwhile
investment for us. It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL. Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download. I have a feeling that the open source market api is
involved in that scenario for sure.

As you've said, AAL is not fail proof, but I continue to improve it,
and my latest releases will make it even more challenging to reverse
engineer. AAL is a big stumbling block, but a market API alone is not
worthy of a Google anti-piracy solution. They will need to do the
same as AAL but also go much further to guarantee that apks aren't
modified (e.g., cracked). One way to do this would be to have the
platform calculate a hash of the installed apk and validate that
against what was purchased on the market. This is going to require
deep integration in the platform and the market to kick it in the arse
for good.

Loving the feedback!
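The integrity check proposed in the post above (hash the installed apk and validate it against what was purchased on the market), sketched as an added example that is not part of the original thread and is not AAL code. The record format, the function names and the in-memory sample APKs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample content standing in for a published APK's entries.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.paidapp'/>",
    "classes.dex": b"dex\n035\x00 original build",
    "res/raw/data.bin": b"\x00\x01\x02\x03",
}


def build_apk(entries, stamp=(2010, 5, 8, 0, 0, 0)):
    """Build an in-memory ZIP (an APK is a ZIP archive) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=stamp)
            zf.writestr(info, entries[name], compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """SHA-256 of each entry's uncompressed content, keyed by entry name."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Two entries with one name make the archive ambiguous: reject it.
            if info.filename in digests:
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def publish_record(apk_bytes):
    """Hypothetical record the market side stores when the APK is uploaded."""
    return {
        "apk_sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "entries": entry_digests(apk_bytes),
    }


def verify_install(installed_apk, record):
    """Compare an installed APK with the published record.

    status is one of:
      match      - byte-identical to the published file
      repacked   - same entry contents, different archive bytes
      modified   - at least one entry changed, added or removed
      unreadable - not a usable ZIP archive
    """
    result = {"status": "match", "changed": [], "added": [], "removed": []}
    whole = hashlib.sha256(installed_apk).hexdigest()
    if hmac.compare_digest(whole, record["apk_sha256"]):
        return result
    try:
        installed = entry_digests(installed_apk)
    except (zipfile.BadZipFile, ValueError):
        result["status"] = "unreadable"
        return result
    published = record["entries"]
    common = installed.keys() & published.keys()
    result["changed"] = sorted(n for n in common if installed[n] != published[n])
    result["added"] = sorted(installed.keys() - published.keys())
    result["removed"] = sorted(published.keys() - installed.keys())
    differs = result["changed"] or result["added"] or result["removed"]
    result["status"] = "modified" if differs else "repacked"
    return result


if __name__ == "__main__":
    published = build_apk(SAMPLE_ENTRIES)
    record = publish_record(published)
    tampered = build_apk({**SAMPLE_ENTRIES, "classes.dex": b"dex\n035\x00 altered"})
    print(verify_install(published, record))
    print(verify_install(tampered, record))
```

A check like this only holds if it runs outside the app being checked, which is why the post asks for integration in the platform and the market rather than in a library shipped inside the apk.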
MobDev
2010-05-10 07:55:15 UTC
Permalink
"It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL. Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."

I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
dadical
2010-05-10 15:06:39 UTC
Permalink
That argument assumes that I don't respond to those cracks with
improvements to AAL that will make it more difficult! :) Also, each
app will need to be cracked individually, and I'm trying to work out
some ways to make that a job that isn't cookie-cutter. The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.

This is fascinating stuff, but very, very non-lucrative. I don't
really want to engage in this game, but I don't see an alternative
until it gets solved at the platform level.

Given the lack of commercial interest (and the prodding of several
smart devs), I've considered opening this up, but I'm not sure how to
do that without it simply lowering the barrier for pirates.
Post by MobDev
" It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL.  Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."
I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
niko20
2010-05-10 20:24:59 UTC
Permalink
Well I will say one thing, if it was opened up, that would allow each
dev to make small code changes, so it would never be cookie cutter
then...however, I am not against that you are trying to make some
income from it, I mean you still did have to do the work.


-niko
Post by dadical
That argument assumes that I don't respond to those cracks with
improvements to AAL that will make it more difficult! :)  Also, each
app will need to be cracked individually, and I'm trying to work out
some ways to make that a job that isn't cookie-cutter.  The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
This is fascinating stuff, but very, very non-lucrative.  I don't
really want to engage in this game, but I don't see an alternative
until it gets solved at the platform level.
Given the lack of commercial interest (and the prodding of several
smart devs), I've considered opening this up, but I'm not sure how to
do that without it simply lowering the barrier for pirates.
Post by MobDev
" It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL.  Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."
I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
niko20
2010-05-10 20:29:16 UTC
Permalink
Actually I think another pretty good solution is to simply put a date
lock on the app, sort of how Astro works.

What you do is make the app expire at a certain date. Before that date
you release the next version with another lock moving forward. Maybe
try a 2 or 3 month lock. Then when it does it simply asks the user to
go to the market and update the app. If they are legit customers,
that's easy, they just go and update it. But if they are pirated copies
they won't be able to easily update it.

-niko
Post by niko20
Well I will say one thing, if it was opened up, that would allow each
dev to make small code changes, so it would never be cookie cutter
then...however, I am not against that you are trying to make some
income from it, I mean you still did have to do the work.
-niko
Post by dadical
That argument assumes that I don't respond to those cracks with
improvements to AAL that will make it more difficult! :)  Also, each
app will need to be cracked individually, and I'm trying to work out
some ways to make that a job that isn't cookie-cutter.  The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
This is fascinating stuff, but very, very non-lucrative.  I don't
really want to engage in this game, but I don't see an alternative
until it gets solved at the platform level.
Given the lack of commercial interest (and the prodding of several
smart devs), I've considered opening this up, but I'm not sure how to
do that without it simply lowering the barrier for pirates.
Post by MobDev
" It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL.  Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."
I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
westmeadboy
2010-05-10 20:40:32 UTC
Permalink
That works in most cases but not in a significant number of other
cases.

Consider users who go on an extended holiday to a non-paid app
country. Astro works partly because it's free.

But then there is also the situation where you go on holiday and are
using your phone offline. Then all of a sudden certain apps expire and
you're faced with either expensive roaming charges (to update) or
being without your favourite app(s).

Also remember that in China, Google Sync (and therefore Android
Market) is often blocked.
Post by niko20
Actually I think another pretty good solution is to simply put a date
lock on the app, sort of how Astro works.
What you do is make the app expire at a certain date. Before that date
you release the next version with another lock moving forward. Maybe
try a 2 or 3 month lock. Then when it does it simply asks the user to
go to the market and update the app. If they are legit customers,
that's easy, they just go and update it. But if they are pirated copies
they won't be able to easily update it.
-niko
Post by niko20
Well I will say one thing, if it was opened up, that would allow each
dev to make small code changes, so it would never be cookie cutter
then...however, I am not against that you are trying to make some
income from it, I mean you still did have to do the work.
-niko
Post by dadical
That argument assumes that I don't respond to those cracks with
improvements to AAL that will make it more difficult! :)  Also, each
app will need to be cracked individually, and I'm trying to work out
some ways to make that a job that isn't cookie-cutter.  The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
This is fascinating stuff, but very, very non-lucrative.  I don't
really want to engage in this game, but I don't see an alternative
until it gets solved at the platform level.
Given the lack of commercial interest (and the prodding of several
smart devs), I've considered opening this up, but I'm not sure how to
do that without it simply lowering the barrier for pirates.
Post by MobDev
" It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL.  Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."
I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
strazzere
2010-05-10 20:46:40 UTC
Permalink
Without introducing any new content - it makes it a very desirable
target for patching. A simple patch will make sure the date check
doesn't matter, and if you aren't introducing any new functionality,
then there isn't a real reason for the user to upgrade.

IMHO you're just asking people to get fed up with the fake updates and
patch it.

-Tim
Post by niko20
Actually I think another pretty good solution is to simply put a date
lock on the app, sort of how Astro works.
What you do is make the app expire at a certain date. Before that date
you release the next version with another lock moving forward. Maybe
try a 2 or 3 month lock. Then when it does it simply asks the user to
go to the market and update the app. If they are legit customers,
that's easy, they just go and update it. But if they are pirated copies
they won't be able to easily update it.
-niko
Post by niko20
Well I will say one thing, if it was opened up, that would allow each
dev to make small code changes, so it would never be cookie cutter
then...however, I am not against that you are trying to make some
income from it, I mean you still did have to do the work.
-niko
Post by dadical
That argument assumes that I don't respond to those cracks with
improvements to AAL that will make it more difficult! :)  Also, each
app will need to be cracked individually, and I'm trying to work out
some ways to make that a job that isn't cookie-cutter.  The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
This is fascinating stuff, but very, very non-lucrative.  I don't
really want to engage in this game, but I don't see an alternative
until it gets solved at the platform level.
Given the lack of commercial interest (and the prodding of several
smart devs), I've considered opening this up, but I'm not sure how to
do that without it simply lowering the barrier for pirates.
Post by MobDev
" It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL.  Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."
I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
keyeslabs
2010-06-17 19:05:09 UTC
Permalink
AAL has now been open-sourced. Find details here: http://bit.ly/coz0yB.
Post by niko20
Well I will say one thing, if it was opened up, that would allow each
dev to make small code changes, so it would never be cookie cutter
then...however, I am not against that you are trying to make some
income from it, I mean you still did have to do the work.
-niko
Post by dadical
That argument assumes that I don't respond to those cracks with
improvements to AAL that will make it more difficult! :)  Also, each
app will need to be cracked individually, and I'm trying to work out
some ways to make that a job that isn't cookie-cutter.  The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
This is fascinating stuff, but very, very non-lucrative.  I don't
really want to engage in this game, but I don't see an alternative
until it gets solved at the platform level.
Given the lack of commercial interest (and the prodding of several
smart devs), I've considered opening this up, but I'm not sure how to
do that without it simply lowering the barrier for pirates.
Post by MobDev
" It took several days (almost a week) for crackers
to decompile Screebl Pro and find a way to circumvent AAL.  Typically
it takes about 90 secs from the time that we publish to the market for
the various warez sites to start tweeting the location of the
download."
I was wondering, after the first crack-run they obviously will have
devised a crack-method, which means that every other app using AAL
will be cracked within 90 seconds till a new version is released... A
week of cracking will only be the case during the first attempt...
String
2010-06-17 19:39:05 UTC
Permalink
Post by keyeslabs
AAL has now been open-sourced.  Find details here:  http://bit.ly/coz0yB.
Cool. Thanks for sharing it.

Are you still having good luck using AAL with your own app(s)? Any
downsides you've found?

String
keyeslabs
2010-06-17 20:31:22 UTC
Permalink
Biggest issues that I've seen for my own apps (and those other brave
souls who use AAL) have been related to legitimate users that somehow
can't validate their purchase. For example:

1. user buys app on market using a 2.0-based phone. validation happens
just fine.
2. user backs up app, flashes rom to as-of-yet unreleased 2.2, and
restores app
3. Upon startup of the app on the newly-flashed phone, AAL properly
detects the missing license.
4. AAL fails validation, since 2.2-based devices can't "see" paid apps
on the market since Google hasn't registered that release in the
market database.

Other fringe scenarios similar to this. When I deployed AAL into my
apps, I had a few loud complainers that has tapered off now and I
don't really have any serious problems. I now get a lot of emails
from people in countries that can't buy from Android market.

Overall, AAL seems to be working quite well.

Lately I've been wondering if there's a way that I can offer the user
an "alternative" mechanism for purchasing the pirated app. For
example, I upload to Android Market, pirates post on download boards,
others download, and then when validation fails offer to let them buy
from PayPal and license things that way. I don't think that would
break any of the Android Market rules (since the pirated version isn't
being "distributed" by the market -- it's being distributed by a
pirate board), and it sure would open up distribution to markets that
Google doesn't currently serve.

Dave
Post by String
AAL has now been open-sourced.  Find details here:  http://bit.ly/coz0yB.
Cool. Thanks for sharing it.
Are you still having good luck using AAL with your own app(s)? Any
downsides you've found?
String
Al Sutton
2010-06-18 07:45:33 UTC
Permalink
Dave,

Would you be interested in working with us at AndAppStore to offer an
alternative purchase location?
From your code I can see that we could create a LicenseManagerImpl
which interfaces into our purchase checking system to cover the
license management aspect, and we accept payments via PayPal so it
looks like a good fit. I don't really want to spend time doing it if
you're not interested in incorporating the code into the project
because we don't want to create a fork of your code base just to support
us.

What do you think?

Al.
Post by keyeslabs
Biggest issues that I've seen for my own apps (and those other brave
souls who use AAL) have been related to legitimate users that somehow
can't validate their purchase. For example:
1. user buys app on market using a 2.0-based phone.  validation happens
just fine.
2. user backs up app, flashes rom to as-of-yet unreleased 2.2, and
restores app
3. Upon startup of the app on the newly-flashed phone, AAL properly
detects the missing license.
4. AAL fails validation, since 2.2-based devices can't "see" paid apps
on the market since Google hasn't registered that release in the
market database.
Other fringe scenarios similar to this.  When I deployed AAL into my
apps, I had a few loud complainers that has tapered off now and I
don't really have any serious problems.  I now get a lot of emails
from people in countries that can't buy from Android market.
Overall, AAL seems to be working quite well.
Lately I've been wondering if there's a way that I can offer the user
an "alternative" mechanism for purchasing the pirated app.  For
example, I upload to Android Market, pirates post on download boards,
others download, and then when validation fails offer to let them buy
from PayPal and license things that way.  I don't think that would
break any of the Android Market rules (since the pirated version isn't
being "distributed" by the market -- it's being distributed by a
pirate board), and it sure would open up distribution to markets that
Google doesn't currently serve.
Dave
Post by String
AAL has now been open-sourced.  Find details here:  http://bit.ly/coz0yB.
Cool. Thanks for sharing it.
Are you still having good luck using AAL with your own app(s)? Any
downsides you've found?
String
keyeslabs
2010-06-18 18:01:29 UTC
Permalink
I would be interested in discussing this, Al. Assuming that our use
cases align and that your APIs provide necessary functionality, it
should work quite nicely.

As for the code base, I split LicenseManager and LicenseManagerImpl
primarily to facilitate obfuscation (I don't obfuscate LicenseManager
and a few other classes in the public API, but the remainder of the
classes get scrambled up during the build process). There will be
some level of refactoring that will need to be done in
LicenseManagerImpl to support pluggable purchase verification
providers, but this shouldn't be too difficult.

Let's take this into the AAL message group to discuss further.

Dave
Post by Al Sutton
Dave,
Would you be interested in working with us at AndAppStore to offer an
alternative purchase location?
From your code I can see that we could create a LicenseManagerImpl
which interfaces into our purchase checking system to cover the
license management aspect, and we accept payments via PayPal so it
looks like a good fit. I don't really want to spend time doing it if
you're not interested in incorporating the code into the project
because we don't want to create a fork of your code base just to support
us.
What do you think?
Al.
Post by keyeslabs
Biggest issues that I've seen for my own apps (and those other brave
souls who use AAL) have been related to legitimate users that somehow
can't validate their purchase. For example:
1. user buys app on market using a 2.0-based phone.  validation happens
just fine.
2. user backs up app, flashes rom to as-of-yet unreleased 2.2, and
restores app
3. Upon startup of the app on the newly-flashed phone, AAL properly
detects the missing license.
4. AAL fails validation, since 2.2-based devices can't "see" paid apps
on the market since Google hasn't registered that release in the
market database.
Other fringe scenarios similar to this.  When I deployed AAL into my
apps, I had a few loud complainers that has tapered off now and I
don't really have any serious problems.  I now get a lot of emails
from people in countries that can't buy from Android market.
Overall, AAL seems to be working quite well.
Lately I've been wondering if there's a way that I can offer the user
an "alternative" mechanism for purchasing the pirated app.  For
example, I upload to Android Market, pirates post on download boards,
others download, and then when validation fails offer to let them buy
from PayPal and license things that way.  I don't think that would
break any of the Android Market rules (since the pirated version isn't
being "distributed" by the market -- it's being distributed by a
pirate board), and it sure would open up distribution to markets that
Google doesn't currently serve.
Dave
Post by String
AAL has now been open-sourced.  Find details here:  http://bit.ly/coz0yB.
Cool. Thanks for sharing it.
Are you still having good luck using AAL with your own app(s)? Any
downsides you've found?
String
Raymond Ingles
2010-05-10 16:04:37 UTC
Permalink
Post by dadical
 The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
It's not clear that piracy translates into lost sales:

http://blog.wolfire.com/2010/05/Another-view-of-game-piracy

"iPhone game developers have also found that around 80% of their users
are running pirated copies of their game (using jailbroken phones)...
[but] The highest estimate I've seen is that 10% of worldwide iPhones
are jailbroken... The answer is simple -- the average pirate downloads
a lot more games than the average customer buys. This means that even
though games see that 80% of their copies are pirated, only 10% of
their potential customers are pirates, which means they are losing at
most 10% of their sales."

Apparently the people who pirate, pirate a *lot*. And, conversely, the
people who *don't* pirate simply don't put as many apps on their
devices. Be very careful that, in your understandable zeal to fight
pirates, you don't penalize the legitimate users. Make the app too
irritating and people won't buy it at all.

In other words, if you're not careful, the *paying* customers can
conclude "it's not worth the trouble for an app that is only a few
bucks."
dadical
2010-05-18 21:07:15 UTC
Permalink
Excellent points. This is why in my requirements for AAL, I started
with the assumption that PAYING customers should:

- never have to type in a password
- never have to type in a license key
- only have to generate a valid license once (well, actually twice --
initially and then again after the 24 hr refund period), and this
generation should be transparent and automatic

As for pirates, the experience is configurable, but in my apps, I
never lock them out, just "nag" them each time that they run my app.

Since deploying AAL in my app, about 50% of the installs have properly
validated their purchase and generated a license. The other 50% did
not properly validate (meaning that they potentially stole it) and
after some number of failures are politely being invited to purchase
for 15 seconds each time that they start.

Sales are up.

Dave
Post by Raymond Ingles
Post by dadical
 The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
It's not clear that piracy translates into lost sales:
http://blog.wolfire.com/2010/05/Another-view-of-game-piracy
"iPhone game developers have also found that around 80% of their users
are running pirated copies of their game (using jailbroken phones)...
[but] The highest estimate I've seen is that 10% of worldwide iPhones
are jailbroken... The answer is simple -- the average pirate downloads
a lot more games than the average customer buys. This means that even
though games see that 80% of their copies are pirated, only 10% of
their potential customers are pirates, which means they are losing at
most 10% of their sales."
Apparently the people who pirate, pirate a *lot*. And, conversely, the
people who *don't* pirate simply don't put as many apps on their
devices. Be very careful that, in your understandable zeal to fight
pirates, you don't penalize the legitimate users. Make the app too
irritating and people won't buy it at all.
In other words, if you're not careful, the *paying* customers can
conclude "it's not worth the trouble for an app that is only a few
bucks."
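An added sketch, not AAL's code and not written by anyone in this thread: one way to arrange the behaviour Dave describes above (a license validated once and again after the 24 hr refund period, a nag after some number of failed validations) behind the pluggable purchase verification providers he mentions in his reply to Al Sutton. All type and method names, the failure threshold of 3, and the separate UNAVAILABLE verdict for a store that cannot give an answer are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.List;

// Added illustration, not AAL source. All type and method names are hypothetical.
public class LicensePolicyDemo {

    enum Verdict { PURCHASED, NOT_PURCHASED, UNAVAILABLE }
    enum Action { RUN_LICENSED, RUN_UNVERIFIED, NAG }

    /** Pluggable purchase verification provider, one implementation per store. */
    interface PurchaseVerifier {
        Verdict verify(String packageName);
    }

    static final class LicensePolicy {
        // 24 hr refund period taken from the thread; a license issued inside it is provisional.
        static final Duration REFUND_WINDOW = Duration.ofHours(24);

        private final List<PurchaseVerifier> verifiers;
        private final int maxFailures;      // assumed; the thread only says "some number of failures"
        private int failures = 0;
        private Instant provisionalSince;   // set by the first successful validation
        private boolean confirmed;          // set by the second validation, after the refund window

        LicensePolicy(List<PurchaseVerifier> verifiers, int maxFailures) {
            this.verifiers = verifiers;
            this.maxFailures = maxFailures;
        }

        /** Decide what the app does on this launch. */
        Action onLaunch(String packageName, Instant now) {
            if (confirmed) return Action.RUN_LICENSED;
            if (provisionalSince != null && now.isBefore(provisionalSince.plus(REFUND_WINDOW))) {
                return Action.RUN_LICENSED;              // provisional license still valid
            }
            switch (checkAll(packageName)) {
                case PURCHASED:
                    failures = 0;
                    if (provisionalSince == null) provisionalSince = now;  // first validation
                    else confirmed = true;                                 // post-refund validation
                    return Action.RUN_LICENSED;
                case UNAVAILABLE:
                    // No definite answer (store unreachable, app not visible to this device):
                    // do not count it as a failed purchase check.
                    return failures >= maxFailures ? Action.NAG : Action.RUN_UNVERIFIED;
                default:                                  // NOT_PURCHASED
                    failures++;
                    provisionalSince = null;              // e.g. the purchase was refunded
                    return failures >= maxFailures ? Action.NAG : Action.RUN_UNVERIFIED;
            }
        }

        /** PURCHASED if any store confirms; NOT_PURCHASED only if every store gave a definite no. */
        private Verdict checkAll(String packageName) {
            boolean anyUnavailable = false;
            for (PurchaseVerifier v : verifiers) {
                Verdict r = v.verify(packageName);
                if (r == Verdict.PURCHASED) return Verdict.PURCHASED;
                if (r == Verdict.UNAVAILABLE) anyUnavailable = true;
            }
            return anyUnavailable || verifiers.isEmpty() ? Verdict.UNAVAILABLE : Verdict.NOT_PURCHASED;
        }
    }

    /** Constructed stand-in for a store client: replays scripted verdicts, repeating the last one. */
    static PurchaseVerifier scripted(Verdict... verdicts) {
        int[] next = {0};
        return pkg -> verdicts[Math.min(next[0]++, verdicts.length - 1)];
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2010-05-18T00:00:00Z");   // constructed timestamp
        String pkg = "com.example.paidapp";                   // constructed package name

        // Paying user: validates at first launch and again after the refund window.
        LicensePolicy buyer = new LicensePolicy(Arrays.asList(scripted(Verdict.PURCHASED)), 3);
        System.out.println("buyer, first launch:   " + buyer.onLaunch(pkg, t0));
        System.out.println("buyer, 25 hours later: " + buyer.onLaunch(pkg, t0.plusSeconds(25 * 3600)));

        // Copy that never validates: every launch is a definite failure and is counted.
        LicensePolicy copied = new LicensePolicy(Arrays.asList(scripted(Verdict.NOT_PURCHASED)), 3);
        for (int launch = 1; launch <= 4; launch++) {
            System.out.println("unpaid, launch " + launch + ":      " + copied.onLaunch(pkg, t0));
        }

        // Buyer whose first store cannot answer, with a second provider plugged in.
        LicensePolicy fallback = new LicensePolicy(Arrays.asList(
                scripted(Verdict.UNAVAILABLE), scripted(Verdict.PURCHASED)), 3);
        System.out.println("fallback provider:     " + fallback.onLaunch(pkg, t0));

        // Buyer with only an unreachable store: launches are not counted as failures.
        LicensePolicy offline = new LicensePolicy(Arrays.asList(scripted(Verdict.UNAVAILABLE)), 3);
        for (int launch = 1; launch <= 4; launch++) {
            System.out.println("offline, launch " + launch + ":     " + offline.onLaunch(pkg, t0));
        }
    }
}
```

The UNAVAILABLE branch only helps where a provider can actually tell "no answer" apart from "not purchased"; in the flashed-ROM case described earlier in the thread the store may not make that distinction.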
Maps.Huge.Info (Maps API Guru)
2010-05-21 05:18:22 UTC
Permalink
Pardon the direct contact.

I was at Google IO these past two days and during one of the sessions,
a "Fireside chat"
(http://code.google.com/events/io/2010/sessions/fireside-chat-android-team.html),
I asked the Android team if the
market API was going to be opened up, on the web side and the device
too. I mentioned your licensing scheme, although I didn't say any
names. The answer, although unsatisfying, is still interesting.

I hope you don't mind mentioning the topic, I'm sure some of them have
followed this thread anyway.

-John

p.s. IO was great, got a free HTC EVO.
Post by dadical
Excellent points.  This is why in my requirements for AAL, I started
with the assumption that PAYING customers should:
- never have to type in a password
- never have to type in a license key
- only have to generate a valid license once (well, actually twice --
initially and then again after the 24 hr refund period), and this
generation should be transparent and automatic
As for pirates, the experience is configurable, but in my apps, I
never lock them out, just "nag" them each time that they run my app.
Since deploying AAL in my app, about 50% of the installs have properly
validated their purchase and generated a license.  The other 50% did
not properly validate (meaning that they potentially stole it) and
after some number of failures are politely being invited to purchase
for 15 seconds each time that they start.
Sales are up.
Dave
Post by Raymond Ingles
Post by dadical
 The point here
is to get this past the pain threshold where it won't be worth the
trouble for an app that is only a few bucks.
http://blog.wolfire.com/2010/05/Another-view-of-game-piracy
"iPhone game developers have also found that around 80% of their users
are running pirated copies of their game (using jailbroken phones)...
[but] The highest estimate I've seen is that 10% of worldwide iPhones
are jailbroken... The answer is simple -- the average pirate downloads
a lot more games than the average customer buys. This means that even
though games see that 80% of their copies are pirated, only 10% of
their potential customers are pirates, which means they are losing at
most 10% of their sales."
Apparently the people who pirate, pirate a *lot*. And, conversely, the
people who *don't* pirate simply don't put as many apps on their
devices. Be very careful that, in your understandable zeal to fight
pirates, you don't penalize the legitimate users. Make the app too
irritating and people won't buy it at all.
In other words, if you're not careful, the *paying* customers can
conclude "it's not worth the trouble for an app that is only a few
bucks."
Ivan Greene
2010-05-21 06:14:48 UTC
Permalink
For me, I am developing an app that I think will be heavily pirated.
My idea to stop that is to require the user to update with each update
I make (maybe once every 2 weeks or so), which would require them to
buy it.
The app needs to connect to my server anyway, so if it connects with
an older version number, it tells the user to update. Simple!
Tomáš Hubálek
2010-05-21 06:48:36 UTC
Permalink
I think that this is also a way. But some users hate updates (I got feedback
that my app has updates too often ;-) ).

I still think that Google should provide an API for programmatic verification
of whether the user bought a given copy or not.

Tom
Post by Ivan Greene
for me, I am developing an app that I think will be heavily pirated.
my idea to stop that is to require the user to update with each update
I make (maybe once every 2 weeks or so), which would require them to
buy it.
the app needs to connect to my server anyway, so if it connects with
an older version number, it tells the user to update. simple!
--
-----------------------------------------------------------------------------------------------
Tom Hubalek (***@gmail.com), http://blog.hubalek.net/
http://facebook.com/thubalek, http://twitter.com/thubalek
http://www.linkedin.com/in/thubalek
TreKing
2010-05-21 14:57:32 UTC
Permalink
I make (maybe once every 2 weeks or so), which would require them to buy
it.
This wouldn't require them to buy it if they pirated it to begin with - it
would just require them to pirate it again.
Might be enough of a nuisance to encourage some people to buy, but won't solve
your problem completely.

-------------------------------------------------------------------------------------------------
TreKing - Chicago transit tracking app for Android-powered devices
http://sites.google.com/site/rezmobileapps/treking
Maps.Huge.Info (Maps API Guru)
2010-05-06 21:50:42 UTC
Permalink
I suggest that before anyone implements this licensing scheme, they
consider carefully that it does in fact break the terms agreement in
that it uses an unpublished and private API to access the Android
market servers.

With that said, I would also say that it's highly likely that Google
will make the market API public soon, perhaps as soon as this month
during Google IO. Keep that in mind before putting the cart before the
horse with this well intentioned but perhaps premature licensing
scheme.

-John Coryat
It uses this project: http://code.google.com/p/android-market-api/,
you can do same, just note that in proto purchased field is missing,
but you can simply extend App message in market.proto, purchased field
has id 34.
--
Regards,
Bart Janusz (Beepstreet)
Intriguing.  I was wondering if maybe you could add a blurb to your
web site explaining in simple terms how it works.  E.g. "when the API
is called, it communicates with the Android Market to verify your key;
once verified, the verification code is remembered so that no further
calls to the market are needed."  Or perhaps instead of "Android
Market", it's "our servers".  Or whatever.  How *does* it work?
And if it's your servers (or even the Android Market), what happens to
users when the servers go down?  This is the biggest problem with any
kind of server-based DRM.  Do they lose their apps?  Is there an
alternative recovery plan?
dadical
2010-05-08 03:14:32 UTC
Permalink
You've pretty much got the major parts down. We validate with Google
market servers using a hand-rolled and highly-efficient implementation
of Google's binary protobuf protocol. Once the hard part (validation
of purchase) is done, a unique key that is tied to user, phone, and
app is generated, which is valid for a bit more than 24 hours. After
that 24 hour period, purchase validation is done again, and then a
"permanent" key is generated that doesn't require communication with
the server again for that installation of the app on that phone.

If the user changes phones, the same process will repeat. Successful
licensing requires visibility of the app from the device on Android
market, given the device id, build number and other criteria.

AAL makes efforts to never send a request to the server more than once
every 30 seconds.

Failure policy is up to the developer. I suggest at this point using
a "nag" policy, which won't lock the user out, but forces them to
stare at a "buy my app" invitation for some configurable period of
time. As with all of my software however, things like this are
configurable.

There are also other features that I'm not going to cover here that
make an attempt to detect cracking, and disable the app at some random
time in the future if it is detected. I'm going to be iterating on
this stuff over the next few weeks as the evil-doers take swings at
AAL.

Hope that helps! I'm going to be scrambling to write docs this
weekend. At this point there seems to be lots of interest, but little
willingness to bundle in apps. I suppose I understand that given the
newness and the lack of detailed information.

Dave
Intriguing.  I was wondering if maybe you could add a blurb to your
web site explaining in simple terms how it works.  E.g. "when the API
is called, it communicates with the Android Market to verify your key;
once verified, the verification code is remembered so that no further
calls to the market are needed."  Or perhaps instead of "Android
Market", it's "our servers".  Or whatever.  How *does* it work?
And if it's your servers (or even the Android Market), what happens to
users when the servers go down?  This is the biggest problem with any
kind of server-based DRM.  Do they lose their apps?  Is there an
alternative recovery plan?
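The two-stage flow Dave describes above (validate the purchase, issue a key valid for a bit more than 24 hours, validate again, issue a permanent key, at most one request every 30 seconds), written out as an added Java example that is not AAL's code or part of the thread. The HMAC key format, the 25-hour window, the three-failure budget, the `PurchaseVerifier` stand-in for the market query and all names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: the HMAC key format and every name here are assumptions, not AAL's code.
public class TwoStageLicense {
    interface PurchaseVerifier { boolean purchased(String binding); } // stand-in for the market query
    enum Status { LICENSED, PENDING, NAG }
    static final long PROVISIONAL_MS = 25L * 60 * 60 * 1000; // "a bit more than 24 hours" (assumed 25 h)
    static final long MIN_GAP_MS = 30_000;                   // at most one server request per 30 s
    static final int MAX_FAILURES = 3;                       // assumed failure budget before nagging
    private final byte[] secret;  // ships inside the app, so it can be extracted: raises cost only
    private final String binding; // "user|device|app" the key is tied to
    private byte[] key;           // null until a purchase has been validated
    private long expiresAt, lastRequestAt = -MIN_GAP_MS;
    private int failures;
    TwoStageLicense(byte[] secret, String binding) { this.secret = secret; this.binding = binding; }

    private byte[] mac(long expiry) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(secret, "HmacSHA256"));
        return m.doFinal((binding + "|" + expiry).getBytes(StandardCharsets.UTF_8));
    }

    Status check(long now, PurchaseVerifier market) throws GeneralSecurityException {
        // A stored key that does not match this user/device/app is discarded and the process restarts.
        if (key != null && !MessageDigest.isEqual(key, mac(expiresAt))) key = null;
        if (key != null && now < expiresAt) return Status.LICENSED;
        if (now - lastRequestAt < MIN_GAP_MS) return failures >= MAX_FAILURES ? Status.NAG : Status.PENDING;
        lastRequestAt = now;
        if (!market.purchased(binding)) return ++failures >= MAX_FAILURES ? Status.NAG : Status.PENDING;
        // First success: provisional key spanning the refund window. Next success: permanent key.
        expiresAt = (key == null) ? now + PROVISIONAL_MS : Long.MAX_VALUE;
        key = mac(expiresAt);
        failures = 0;
        return Status.LICENSED;
    }

    public static void main(String[] args) throws Exception {
        byte[] s = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        TwoStageLicense a = new TwoStageLicense(s, "user@example.com|device-A|com.example.app");
        System.out.println(a.check(0, b -> true));                   // first validated purchase
        System.out.println(a.check(PROVISIONAL_MS + 1, b -> true));  // re-validation after refund window
        TwoStageLicense c = new TwoStageLicense(s, "user@example.com|device-B|com.example.app");
        c.key = a.key; c.expiresAt = a.expiresAt;                    // key copied to another phone
        System.out.println(c.check(PROVISIONAL_MS + 2, b -> false)); // no purchase visible from there
    }
}
```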
Stephen Lebed
2010-05-09 20:28:02 UTC
Permalink
I'm wondering how you know the piracy rate of your app. Is there a
way to track that? I'd love to know if my apps are being pirated or
not.
I've spent the last few weeks developing a new tool to stop piracy of
my paid apps on the Android Market.  In a nutshell, licensing is tied
directly to purchase verification.  There is no license server to
manage, no key for the user to enter.  User experience is basically
uninterrupted from normal application purchase.
I'm excited about this, as my paid apps are now reaching piracy rates
as high as 90% on some days, with the average somewhere around 75%.
For pirated apps, purchase verification (and subsequently licensing)
will fail after a certain number of attempts, and pirates will be left
with anything from a "buy me" nag, to a disabled app (behavior is
configurable).
Android Market is the only supported purchase validation target so
far.  Others will be forthcoming if demand warrants.
This isn't a perfect solution (I have yet to find a perfect licensing
solution), but I feel it is the best balance of security, features,
and workflow that I've seen to date.
You can find a write up, download, and purchasing information here:
http://keyeslabs.com/joomla/index.php/projects/auto-app-licensing
I'll be looking forward to the comments, suggestions, and death
threats.
dadical
2010-05-09 23:24:22 UTC
Permalink
That's easy. Install Flurry or the like, compare reported daily new
installs to what you see reported by Google Checkout.
I'm wondering how you know the piracy rate of your app.  Is there a
way to track that?  I'd love to know if my apps are being pirated or
not.
I've spent the last few weeks developing a new tool to stop piracy of
my paid apps on the Android Market.  In a nutshell, licensing is tied
directly to purchase verification.  There is no license server to
manage, no key for the user to enter.  User experience is basically
uninterrupted from normal application purchase.
I'm excited about this, as my paid apps are now reaching piracy rates
as high as 90% on some days, with the average somewhere around 75%.
For pirated apps, purchase verification (and subsequently licensing)
will fail after a certain number of attempts, and pirates will be left
with anything from a "buy me" nag, to a disabled app (behavior is
configurable).
Android Market is the only supported purchase validation target so
far.  Others will be forthcoming if demand warrants.
This isn't a perfect solution (I have yet to find a perfect licensing
solution), but I feel it is the best balance of security, features,
and workflow that I've seen to date.
You can find a write up, download, and purchasing information here:
http://keyeslabs.com/joomla/index.php/projects/auto-app-licensing
I'll be looking forward to the comments, suggestions, and death
threats.