30

The title says it all, the more I do research about piracy and the tools used to crack an app the more I think it is just wasted time.

My biggest threat is that my app is being cracked and uploaded again within minutes after I released it. But I'm not sure how harmful it will be to my revenue, if there even will be revenue. Maybe someone can come up with some experience; it's my first app which I'm going to publish and I have no experience with that. My app is going to be free with ads. I think this is another line of defense because, in my opinion, the main focus is on paid apps, since they are not available in a lot of countries.

My current approach is that I will just use proguard not really to make it harder to crack (more likely understand the code), because you don't even need to understand the code if you just simply re-sign it and upload the same application to the Play Store; you will just need to change the package name. My main point of using proguard is just to shrink the app.

Is this a "good" approach?

gnat
Mike
  • @MichaelT I don't think so because of `Maybe someone can come up with some experience`. I am also interested in that. Don't get me wrong, but I don't understand why the appeal to share their personal experience with me, if they want to, is being removed. Now, for me, this is just killing the question and preventing users from sharing their experience, which can be helpful for other users in the future. – Mike Jan 04 '15 at 02:56
  • 3
    The Q&A format is not a good one to share anecdotes. If you are interested in that format of site, please read [On discussions and why they don't make good questions](http://meta.programmers.stackexchange.com/q/6742/40980). That style just doesn't work in the Q&A framework. –  Jan 04 '15 at 02:58
  • 5
    I'm not convinced they are dupes. One is about whether you should, the other is about how you can. – DeadMG Jan 04 '15 at 09:01
  • Please post your conclusion as your own answer. – ChrisF Jan 04 '15 at 16:10
  • My approach is Proguard + Google's License Check. http://developer.android.com/tools/help/proguard.html and http://developer.android.com/google/play/licensing/index.html – Jared Burrows Jan 04 '15 at 23:53
  • 1
    For what it's worth, I had a lawyer recommend to me that I have *some* sort of protection against piracy. It didn't have to be good, but it had to exist. The reason was such that if/when it was pirated, it could be demonstrated that the person doing the pirating had undergone some actions to disassemble the assembly, violating terms and conditions. I don't know if there is any truth to that reasoning as I have never had a problem, but it makes sense to me. For context, this was on a JavaScript application where source code was visible. Simple obfuscation was good enough for the lawyer. – Brad Jan 05 '15 at 06:15
  • If it's an app with ads, people who don't like the ads will probably just set up AdBlock and not bother with piracy. – user2428118 Jan 05 '15 at 09:36
  • You can try and treat pirated copies as potential customers. Update your app often and make sure that all users know about the update. If possible, have features that demand to be logged or have a web portion that integrates well with the features of your app. – the_lotus Jan 05 '15 at 13:59
  • @the_Lotus I read that first advice from you very often and it is a really good one, and of course I will implement that not only as part of my strategy to make piracy hard but because it will satisfy the users! :) Thanks for your comment – Mike Jan 05 '15 at 14:51

8 Answers

50

No.

Most applications from large developers with real, industrial grade copy protection appear in torrents, cracked, within days of release. It is extremely doubtful that a smaller developer can match that. Trying to will just waste your time, leaving less time for you to develop features/apps that make money.

You may want to do trivial work to keep "casual" copiers at bay, but by trivial, I mean something you can throw together in a few hours. (I.e. something like proGuard.) You will not stop the people with technical knowhow who actively want to crack your app.

Gort the Robot
  • That's also my opinion. My problem is that I don't know which impact it will have if my app is being cracked and reloaded to the Play Store minutes after release. I think in that case it's all about the support I provide. I think the pirate will not support an app which he cracks and uploads with one click the way I will do when I spend 2 to 3 months on development. So do you think my approach from the question is good and do you agree with the content of my comment? Do you have any experience from your career as an Android developer? – Mike Jan 04 '15 at 01:54
  • 10
    @Mike - it kind of doesn't matter what the impact will be - you CAN'T stop it, and any time you spend on anything more than basic anti-piracy is wasted. Anything you do WILL be cracked. If that impact is that you don't make any money, then that's going to happen whether you spend 2 days or 2 months on your anti-piracy. So do something to keep the casual copiers honest, and get on with trying to make money. – Michael Kohne Jan 04 '15 at 02:01
  • @MichaelKohne thank you for your response. What would you declare as `do something to Keep the casual copiers honest`? For me, that's something very hard to define. Is it just use `proGuard` or use it with `Googles LVL`? What does the casual copier use? Nearly every very easily available cracking tool cracks the `LVL of Google` with one click. So what is your definition of keeping the casual copiers honest? That's really hard for me to define and it brings me headache. :) – Mike Jan 04 '15 at 02:05
  • 7
    @Mike - *"it brings me headache"*. Well stop worrying about it. Accept that you won't get all of the revenue that you feel you are entitled to. Treat it as a cost of doing business ... just like farmers who have to write off a significant percentage of their crops to spoilage. – Stephen C Jan 04 '15 at 02:27
  • 1
    @StephenC thank you for your response, you are right! I got that point :) It's a pleasure to discuss this topic with you guys. What I'm now really interested in is what is keeping casual copiers at bay. Just use `proguard`, use also `Google LVL`, use `tampering-checks`, or is it all just time wasting because every cracking tool can easily track and remove that? And please don't forget your personal publishing experience confronted with piracy; I'm really interested in that and I would really appreciate that. Feel free to post that as an answer. Thank you Stephen! :) – Mike Jan 04 '15 at 02:34
  • 1
    I disagree. While it's unlikely the average programmer will be able to prevent their app from appearing on torrent sites, you should still protect your assets. It'll lose you money in the long run. It's too easy for even a non-tech-savvy person to copy an apk, decompile it, throw a bunch of stuff in, change the name and re-publish it themselves. Now imagine what someone who is tech-savvy can do. We should take every step _possible_ to help prevent this from happening. This could also create security/privacy concerns for customers if you make no real effort to protect your work. – jay_t55 Jan 04 '15 at 05:59
  • 21
    It is a mistake to try to take every step possible. You should take every step that is *cost effective*. You could spend thousands of hours delaying the appearance of your app on torrent sites a few days, which would be possible, but would earn you far less in additional sales than you spent. – Gort the Robot Jan 04 '15 at 07:23
  • 11
    jay_t55's argument is effectively a fallacy, I forget what it's called. There's a name for it. It's a variant of the slippery slope fallacy. Ultimately you need to look at the effect it's going to have on your bottom line and go from that. Piracy has had a very noticeable marketing effect in some cases where it has been studied, which has actually improved profitability not reduced it. It's a great target to blame lack of profit/sales on, but compared to the noise people make about it, it's a paper tiger. Focus on making good products, rather than worrying about pirates. – user2754 Jan 04 '15 at 08:03
  • @JackLesnie jay_t55 is not talking about that kind of piracy where the app gets distributed for free. I don't see how a pirated, rebranded app can benefit you if the users are unaware of the piracy and don't even know the real name of the app or its creator. You should definitively not "take every step possible", but some basic concerns about security/privacy like he mentioned are important, especially in this case where users don't know they are using pirated software. – kapex Jan 05 '15 at 00:22
  • You are unlikely to be able to come up with effective technical steps to prevent a pirated, rebranded app. To effectively deal with that, you need lawyers. – Gort the Robot Jan 05 '15 at 01:25
  • Of course, even if you ignore piracy, it's quite likely that there's someone who could remake your whole app from scratch in a day or two. Investing more time in piracy protection just makes you that much more vulnerable to that guy - if he sees a good idea in your app and fleshes it out a bit while you're dealing with piracy protection, you're screwed anyway :) Just work on your customers, make them feel welcome. Any visible anti-piracy measure just tells your customers they're pre-emptively considered pirates. That doesn't usually help your business a lot :) – Luaan Jan 05 '15 at 08:46
  • If your app appears cracked on a torrent site within a few days, isn't this a sign that you're doing something right in your app? No one bothers to crack *bad* apps. – Brandin Jan 16 '16 at 09:01
30

Should I spend time preventing piracy of my app?

You are asking the wrong question. Technical safeguards such as proguard are a must but are trying to solve the problem the hard way.

The first question should be "Does my app contain something that really needs protecting?" such as a complex or proprietary algorithm. If so the best solution is to move this out of the app into a server that the app talks to. The app becomes merely a UI layer on top of the server. Of course, this means you need to maintain a server (or servers) and an appropriate authentication mechanism for each user (a whole other post). It is also inappropriate for disconnected or highly responsive apps.

The second question should be "Why would people pirate my app?" If it is a financial motivation, release a free version of the app with a reduced feature set. If it is a game, make the core game and first few levels free then sell additional levels/characters/upgrades/whatever via in-app purchases. Alternatively, release a free version funded by in-app advertising (yes, I know many people hate it but it is the world we live in).

No matter what you do, as Steven implies in his answer, some people will do it for a technical challenge and release the crack to demonstrate their prowess. You cannot stop these so it is not worth worrying about.

akton
  • Thank you for your response akton. You are right and I don't want to stop them. I just want to make sure I am not making a big mistake by doing nothing against piracy. It's now interesting for me what stevhen defines as keeping casual copiers at bay. What do casual copiers use? Typing antiLVL into Google will give every potential cracker the possibility to simply crack your trivially protected app with one click. So, maybe it's useless to implement more than proguard, and proguard only because of the shrink-effect. – Mike Jan 04 '15 at 03:32
  • Of course, based on not having a "million dollar" app or logic, as you pointed out in your answer – Mike Jan 04 '15 at 03:39
  • 4
    A patented algorithm would be the last thing you would need to hide, as the patent itself is (should be) describing the details of the algorithm for the benefit of the public. Even the typical obfuscated patents are usually easier to read than compiled code. – jpa Jan 04 '15 at 08:09
  • @jpa True. A poor example (and I have edited the post accordingly) but the point stands. The best way to stop someone seeing and pirating your code is not to give it to them in the first place. – akton Jan 04 '15 at 08:12
  • 3
    akton's second point is brilliant: **remove almost all motivation for pirating your app by releasing a free/reduced version of the app**. Much better than patents, lawsuits in non-US jurisdictions etc. – smci Jan 05 '15 at 07:17
8

Many many years ago, I bought a book on game development. It had a chapter on piracy. It included the following summary:

It is not possible to prevent piracy with technology. The only way to prevent piracy is to make a game so cool and exciting that the pirates choose to go out and buy a copy.

You can never prevent piracy. You can curtail piracy, you can monitor piracy, but there are no tools which can truly prevent it. I stress this because that strong word, "prevent," can make people reach to exorbitant measures thinking "If I just do X, I can prevent piracy." They are always saddened by the result, and it is all because of a word choice.

To rephrase akton's key points in a terminology traditionally used in Information Security: you need to develop a threat model describing your attackers. If your attacker is a script-kiddie that downloads a few scripts off of the web, then you can focus your security by looking online at what script-kiddies can find, and defending against those. If you are really interested in your secrets not falling into Chinese and/or American government hands, you'll find you have to do a wee bit more on the security front.

One nice thing about phrasing it as a "threat model" is that you will also be in an excellent position to correctly handle security issues, such as logins and credit card numbers and what-not. You will be ahead of the curve.

If all you are worried about is script-kiddies, it would be useful to not only do the Google search for antiLVL you mention in your comments, but play with a few of them. Learn what they can and cannot do. Know thy enemy.

Cort Ammon
  • 1
    I really like your answer! Did you actually manage to make your app secure against what I think `script-kiddies` are using (`AntiLVL`, `LuckyPatcher`..)? When I go to `Stack Overflow` I read a lot of `I did customize the Google LVL i put tampering-checks and i used proguard, but antiLVL cracks it with one click`. And when I go to the `antiLVL Website`, it is really frustrating to see that the last official update occurred `October 18th, 2011 - 1.4.0`. Then as a small developer it looks nearly impossible to me to prevent even these guys. Thank you for your response Cort Ammon – Mike Jan 04 '15 at 09:30
4

If possible you should follow the advice in https://news.ycombinator.com/item?id=2623102 and move the stuff you want paid for to a server. And then manage access there. The app itself can be assumed to be stolen and pirated as much as it wants. Copying your server is harder.

Of course this solution has the downside of not being cool or clever. But it works.

btilly
  • Great discussion! But for me it sounds like they are not really believing him, and they also bring up good side-effects of a "use in-app billing with own server" solution. `But it works.` Is this based on personal experience or on what you have read over time from people or in articles? Would be interesting. Unfortunately it is not possible for me to set up my own server. But I am really keen to implement that in the future and compare the results! Thank you for your answer btilly – Mike Jan 04 '15 at 10:11
2

It is impossible to completely prevent piracy.

You must accept that your code will run on other people's machines. Those people can take your code on their machines and do anything with it, including change and (illegally) redistribute it.

You can leverage your country's legal system if you believe your rights have been infringed upon; e.g., an American citizen can issue a DMCA takedown request against an entity that is distributing his work. However, it will be more difficult to dismantle an international distributed network, such as those composed of torrent links.

Alternatively, you can revise your philosophy on software distribution. Considering it is already possible for your users to do anything with your program, you could accept that reality. Then, embrace that reality, and grant your users the freedom to run, copy, distribute, study, change and improve your software. This is typically accomplished by declaring your program "free software" (and when I say "free," I am speaking in terms of "freedom and liberty," not in terms of "price").

Releasing your program as "free software" has numerous advantages:

  • Your users will easily be able to modify your program.
    • If you appreciate their modifications, you can merge them back into the main project, and it will be more valuable as a result.
    • If I was to modify your program, the first thing I would do would be to remove the advertisements, because I find them quite annoying. You could take this as an indication that your application would be better without advertisements, which would spur you to imagine a better revenue model ("better" both in terms of pleasing your users and profit).
  • Your users will be free to redistribute your program.
    • If you want your program to "go viral," removing all legal barriers to virality would be a good thing.
    • People can already redistribute your program. Either they are "evil," or they are benevolent for sharing things with their neighbors, which is a basic human trait that makes us more successful than species without compassion. Now they can feel good about it, as they should.
  • Other people will be able to study your work and learn from it.
    • I learned a tremendous amount about programming from trudging through the source of RPGMaker games, for which the game code is usually free to browse. In fact, I am aware that a whole community of game developers have emerged from sharing and learning things from each others' code, and have grown up and are leading successful careers and delivering high-quality products. You can be happy knowing that your program has benefited more people than just you.

Making your program "proprietary," as you intend to do, gives you the false reassurance that people must first pay you in order to obtain and use your software. You are aware that this is not true, due to piracy.

So consider the converse: What if you offered the software to the customers first, and told them that if they derived value from it, then they would pay you?

If an "honest" person was willing to pay you for your software before he could use it, then (as long as you are providing a high quality product) why should he not be just as willing to pay you after he has enjoyed it? (I paid the author of Chrome's AdBlock plugin, which is free software available gratis, because I derived immense value from it.)

As for a "dishonest" person who would download a modified version of your program from an illegal source, he is certainly not willing to pay up-front. Now you have the opportunity to capture revenue from that person, because the "freeloader" might derive value from your program and then decide to pay you. If pirates pose a considerable "threat" to your program, you might consider turning the tables such that your pirates become potential customers instead.

I recommend the "free software" approach. You could continue to create proprietary software and you would still probably make plenty of money, as many people who produce proprietary software do; though you would have to ignore the "problems," both financial and moral, which exist inevitably and incurably because of the nature of creative works. These "problems" become vehicles for the enhancement of your product when you adopt free software philosophies; you would have an edge over competitors who cannot understand this power.

Jackson
0

No, it's pointless. Ultimately the cost/benefit analysis just doesn't work out.

For a start you need to target a platform that has security built in. Realistically, irrespective of how much you might like the platform Android is simply not that secure - it is designed to be open.

The cost of implementing any worthwhile security is likely to be more than any profit you might see, as Android has the lowest spend per user of all the mobile platforms; the only people it will ever make money for is Google. Those who don't buy the cheap handsets are frequently purists who think that the free (expression of ideas) is also specifically the free (as in beer) part, so will do anything they can to avoid paying purely as a challenge.

Anything you need to do to protect your application must affect the core of the user experience and not be bolt-on protection after the fact. Apps that do well in that regard are the ones where the product purchased is the content, not the app itself.

Since your primary concern (according to comments) is related to authentication (cracked and repackaged versions) of your app on the appstores... that's mostly the appstore's problem to solve and you may be better off looking at ways for an app to automatically register that it has been repackaged rather than deter copying.

James Snell
  • Thank you for your answer. `automatically register that it has been repackaged` yeah, that's a great idea! And I will do/try that! But it's hard because all of the ways (which I know) to detect that are tracked by `antiLVL`, for example, with one click. And you can't find a tutorial on implementing that in a way that makes it "hard" to crack/remove that check. Which is logical, because once it is published it could be in an update of a cracking tool the next day. – Mike Jan 04 '15 at 15:17
  • I think you're probably of the belief that your code is more important or unique than it really is... all developers are guilty of that at some point. I'd wager that a simple hash check implemented in your own source (not using the OS or SDK provided functions) and a spot of string obfuscation (ye olde `rot13`) would not flag up in antiLVL or the like for quite some time. You can then include some bait that you know would be changed by `antiLVL` to break your hash and trigger reporting. But don't spend much time on it as you're unlikely to break even writing Android software. – James Snell Jan 04 '15 at 16:39
  • Yeah, maybe you are right James. `rot13` is a really easy obfuscation type. But it is more likely to obfuscate the cracker and not to make something uncrackable. It will take some time for the cracker till he mention that I used for example rot13. Cool advice. Thank you! – Mike Jan 04 '15 at 19:53
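
As an added illustration of the check discussed in the comments above (a hash computed in the app's own code, a rot13-obfuscated string, and code whose modification breaks the hash), here is a Java sketch that is not from any poster in this thread. The class and method names, the choice of FNV-1a and the in-memory sample archives are assumptions made for the example; on a device the APK bytes would be read from the path returned by Context.getPackageCodePath().

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.zip.*;

// Added illustration; all names here are hypothetical.
public class RepackageCheck {
    // rot13 of "classes.dex", so the entry name is not a plain string in the binary.
    static final String TARGET_ROT13 = "pynffrf.qrk";
    static final long FNV_OFFSET = 0xcbf29ce484222325L;
    static final long FNV_PRIME = 0x100000001b3L;

    static String rot13(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c >= 'a' && c <= 'z') c = (char) ('a' + (c - 'a' + 13) % 26);
            else if (c >= 'A' && c <= 'Z') c = (char) ('A' + (c - 'A' + 13) % 26);
            out.append(c);
        }
        return out.toString();
    }

    // Hand-written FNV-1a (64-bit) instead of a platform digest API. It is not
    // cryptographic: it notices a patched file, it does not resist forgery.
    static long fnv1a(long h, byte[] buf, int len) {
        for (int i = 0; i < len; i++) {
            h ^= (buf[i] & 0xff);
            h *= FNV_PRIME;
        }
        return h;
    }

    // Digest of the code entry inside an APK (an APK is a ZIP archive).
    static long codeDigest(byte[] apk) throws IOException {
        String target = rot13(TARGET_ROT13);
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(apk))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                if (!e.getName().equals(target)) continue;
                long h = FNV_OFFSET;
                byte[] buf = new byte[8192];
                for (int n; (n = zin.read(buf)) != -1; ) h = fnv1a(h, buf, n);
                return h;
            }
        }
        throw new IOException("code entry not found");
    }

    // The release digest cannot live inside the file it covers; assume it is
    // recorded at build time and kept outside classes.dex (asset or server).
    static boolean isRepackaged(byte[] apk, long releaseDigest) throws IOException {
        return codeDigest(apk) != releaseDigest;
    }

    // Constructed sample input: a minimal ZIP standing in for an APK.
    static byte[] fakeApk(String dexContent) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("AndroidManifest.xml"));
            zos.write("<manifest/>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("classes.dex"));
            zos.write(dexContent.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] release = fakeApk("app code; licence check present");
        byte[] patched = fakeApk("app code; licence check removed");
        long releaseDigest = codeDigest(release); // recorded by the build
        System.out.println("release repackaged? " + isRepackaged(release, releaseDigest));
        System.out.println("patched repackaged? " + isRepackaged(patched, releaseDigest));
    }
}
```

Sending the computed digest to a server and comparing it there, rather than in the app, keeps the comparison out of reach of a patch to the client.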
0

Conclusion

My conclusion, so as not to get in conflict with the Q&A format, after all of these great answers, is not to invest a lot of time in making it as hard as possible to crack my app. For this app, I will just use proguard because of the shrink-effect and because it is more difficult to understand the code if someone wants to modify it...

I'd rather spend more time on SEO/implementing more features like Steven pointed out, and after publishing I will try to give better support to my users than the pirates will do! ;) I think that is going to make the difference and is one of the best ways to fight them.

Anything else which will happen is additional experience and will or will not change how I publish my apps in the future. Thank you!

Mike
-1

From my experience: most people like original software, and it is very difficult to prevent cracking. The best thing to prevent piracy is always to deliver a free version of your software with fewer features, and warn people that cracked software may threaten them (viruses, trojans almost for sure). So if people like your software by using the free (clean, no threats) version they will buy it.

albanx
  • My biggest fear is not my cracked APKs on some untrusted sites in the `WWW`. It's more the fact that they can crack it, modify or leave it as it is, re-sign it and upload it to the Play Store again. For the user, this cracked version of my application is a trusted application, if you know what I mean. Thank you for your answer. – Mike Jan 04 '15 at 10:43
  • 3
    That's what a DMCA notice is there for. – gnasher729 Jan 04 '15 at 16:10
  • @gnasher729 you are right, good to know that! – Mike Jan 04 '15 at 21:59
  • @gnasher729 no DMCA notice does not say that (what I said above). Have you ever read any DMCA notice? No you have not, no one does. – albanx Jan 21 '15 at 23:16
  • @Mike I understand perfectly, but you can't do much there. You can use some small tricks, for example some hidden piece of code that simply informs you by pinging any hidden address ... – albanx Jan 21 '15 at 23:19