Copy Protection in Mobile Application Stores
The main sources of applications for mobile devices are mobile application stores. Each of the owners of three main platforms for mobile devices (Android, iOS, WindowsRT) has his own store. When one buys a commercial application, it becomes available for downloading to all the mobile devices of this user. In this article we analyze how developers of these stores struggle with illegal distribution of commercial applications.
GooglePlay (Android platform)
When buying a commercial application in the GooglePlay store, an installation pack (APK file) is loaded to a device, and after that an application is installed. An APK file itself is not stored on a device, and application files are not accessible for an end user.
Applications may be installed not only from GooglePlay, but also from other sources for the Android platform. It means that if a malicious user manages to assemble a new APK file from the installed application files or intercept an APK file in the process of installation, this file can be installed on any device. A malicious user gets an opportunity to access application files or an APK-file in the process of installation on the so called "rooted" device, i.e. the device with its parameters modified so that its user has full authority to access the system. Almost any device may be rooted. Thus, commercial applications hosted at GooglePlay are especially vulnerable to illegal distribution.
Google Inc. developed special library of license verification GoogleLVL in order to make illegal copying more difficult. Embedding calls to this library into application, a developer can increase its level of protection. The library enables an application to send a request to the Google server in order to find out whether the user has purchased the application. A malicious user has to modify an application code to avoid calling GoogleLVL in order to crack the application that uses GoogleLVL. Google recommends to obfuscate (protect from analysis) an application code to make this task more difficult. In fact, applications using GoogleLVL are often cracked since obfuscation tools are not used by developers or do not provide sufficient level of protection.
Another method of illegal use of commercial applications is to purchase an application for a specially created user account and then distribute this account to others. Registering an account on a device, you can get the right to an application purchased for it.
AppStore (iOS platform)
In iOS applications may be installed to a device only form AppStore which is accessed by means of the iTunes application. A protected application is delivered as a container file with the IPA extension. A container includes an executable application file, resources, and a certificate. There is a signed list of checksums for files in the container. An executable file is additionally encrypted. When an IPA file is downloaded by means of iTunes, user information is recorded in it to track data leakage. A user also gets an extra key which is required to decrypt an executable file. If a user does not have this key (an executable file is stolen), it is impossible to decrypt and run the file.
In general, the protection system relies on the inability to install files in a system without iTunes, inability to disable signature checking, and file encryption. A malicious user has to get full access to the device (the so-called Jailbreak operation) to run an application obtained illegally. This operation is to be performed for every device on which the application is to be run. A malicious use due to the dissemination of information about a user's account is also difficult as the number of devices that can be linked to an account is limited.
WindowsStore (Windows RT platform)
In WindowsRT applications may be installed to a device from WindowsStore only. A user should have an account at the Microsoft server to deal with this store. This account is registered on a device. When an application is purchased, the following operations are preformed:
- Information on a purchase is stored in the user account at the Microsoft server.
- A user gets signed installation package (APPX file). The package contains application files without any embedded security mechanisms.
- An application identifier is recorded in the data base of installed applications on the device.
When an application starts, its digital signature as well as the corresponding record in the database of installed applications is checked. If the record does not exist, it is assumed that the application was not purchased for this device and shall not be run.
Thus, the protection system relies on the fact that a program may be installed from WindowsStore only, it is impossible to make an application entry in the database of installed applications, and modify other parts of the OS to disable the digital signature verification.
The major attacks on this system are aimed at disabling the checks described above. It is done by getting to those parts of the system that are normally not accessible for a user, and this operation should be performed for all devices on which the application is to be installed. A malicious use due to the dissemination of information about a user account is difficult as a number of devices linked to an account is limited to five.
Applications at the GooglePlay store are especially vulnerable to illegal copying. When an application is distributed illegally, it's just a hacker who experiences difficulties. A user intending to take advantage of an illegally distributed application installs it to his or her device without any problems.
Applications at AppStore and WindowStore are less vulnerable, because in this case difficulties are transferred from a hacker to an end user who wants to install an application illegally. This approach is good enough to limit massive illegal distribution of applications, but distribution of applications by one store is limited when it is used.
To learn how to copy protect your Android applications please visit StarForce Android Protection.
About StarForce Technologies
StarForce Technologies (www.star-force.com) is a leading vendor of information protection, copy protection and code obfuscation solutions for software, electronic content and audio/video files. Since 2000, StarForce has been successfully developing and implementing its state-of-the-art security solutions, providing copyright and intellectual property protection worldwide. Two of these solutions were transformed into StarForce cloud services: sfcontent.com protects e-Documents against illegal copying and distribution and sfletter.com secures emails.
StarForce is a reliable and responsible Technological Partner for enterprises potentially incurring losses due to cyber-gangs, hackers, software piracy, unauthorized data access and information leaks. StarForce’s customers are Russian Railways, Corel, 1C, Mail.ru, Aeroflot, SUN InBev Russia, AMD Labs, ATC International, MediaHouse, Russobit M, New Disc, Buka, Snowball, 2Play, GFI, CENEGA, Akella, etc.