Google: Android apps security is not security-oriented

By admin On Aug 25, 2010

Spread the love

Android Licensing Server, the “security” Google offers to makers of paid Android apps, isn’t focused on security yet. That’s what Google says in a response to the news that the security would be easy to circumvent.

The code was aimed at making it easy for developers to put the code in their application, so say the creator of android. “The first release was released with the simplest, most transparent implementation of a sample, which was written to be easy to understand and modify. The code is not security-oriented.”

According to Google, the fact that it is also so simple is also due to the developers who use the licensing system in their application. “Some developers use the sample ‘as is’ and that makes it easier to attack.” Google advises developers to ‘obscure’ the code, a technique that would make cracking the application a lot more difficult.

Tuesday it became clear that the Android Licensing Service is easy to bypass by extracting the apk and modifying the code. The vulnerability of the licensing system is in the LicenseValidator.smali file, which checks whether the user has purchased the application. The check takes place when the application is started and that is done on the device itself.

The trick is that the code points to a next action if the license is present or not on the device. For example, the result 0x1, the code for detecting that no license was found on the device, points to the action sswitch_de, the message that no license was purchased. By changing the action in the code to sswitch_d3, which indicates that the license has been checked and the application is allowed to continue, the security can be circumvented. It is striking that the application does ‘know’ that no license has been purchased.

Google promises no updates and admits that developers can never fully protect themselves against the cracking of applications. “That’s never possible in a system that allows third party code.” The search giant therefore focuses on making cracking applications more difficult and more expensive, so that people are more likely to do it ‘easy’ and buy the app.

Some of the Android users who use cracked applications do so because of the lack of payment methods in the Android Market; it is only possible to pay by credit card, which many Europeans do not have. Still, people without a credit card can also buy things from download stores and web stores that only accept credit cards, explains tweaker Gamefreakin.