News
Software is the essential component of any software platform. The convenience of obtaining, installing and updating applications is very important for wide-spread user-oriented platforms, such as the Android and iOS. To achieve this, the platform holders provide them with advanced support for the content distribution system. In case of the Android, Google Play (formerly called the Android Marketplace) is the major content provider. Google Play (GP) acts as a mediator between content producers (authors of software or audio-visual products) and end users (device users). Since a significant part of such content assumes some form of payment, the provider and producers use a DRM system to control the distribution of content.
This article discusses five of the most popular solutions that are globally used to protect mobile software and content against hacking and illegal distribution. Since the article was written by an expert from Protection Technology Research Company (StarForce), which produces its own DRM solution to protect Android software, the names of the solutions discussed were changed to fictional alternatives. The StarForce solution is not being discussed within this article.
The aim of the article is to provide developers with basic knowledge about levels of application protection and licensing opportunities found in popular protection services, currently on the market.
Baseline information about the Android platform
The Android is a rather open platform. The majority of Android versions allow copying to the device and launching software from user-defined sources. Therefore, Google Play is not the only content provider (as opposed to iOS, where applications for typical devices can be only installed via Apple App Store, after going through a certification procedure). This allows for the simultaneous co-existence of several content providers (and even independent developers), who have proprietary DRM systems.
Android applications are self-sufficient container files with .apk extension.
Android_DRM_1
Generally, the first solution under discussion acts as a simple content distributor. The system provides the end-user with account management, billing, showcase, and file transfer system. When buying content, the customer receives a common non-personalized file, which is not associated with the end-user’s equipment.
Therefore, the application, which was purchased once, can be easily copied to various devices or distributed in some other manner.
To control the use of content and prevent its unauthorized usage, Android_DRM_1 offers the Software Library, which allows Android_DRM_1 to be queried for information about whether the application was purchased through the current user’s account.
Nominally, the DRM acts as a general function, which returns one of three values:
- Licensed; i.e., the application is licensed for the given account and can be launched
- Not Licensed; i.e., the application is not licensed for the given account and its launch is undesirable
- Error - the license check is unavailable (e.g., no network connection)
The server's answers are signed with a unique (for the seller) private key; the public key is in the application. To launch the application without network access, the system allows for caching of the server’s answer.
The Android_DRM_1 Software Library allows (while strongly recommending against this) a program to be associated with a specific device, but this must be implemented by the developers themselves. The documentation suggests using an external (developer’s/publisher’s) server to manage the registration ID - device ID database. The methods to obtain unique device ID’s need to be developed as well.
Therefore, the Android_DRM_1 Software Library is a stand-alone high-level component, which has to be embedded into the application by developers, who have to implement all the logic required as well. The Android_DRM_1 Software Library does not provide any direct protection for the application’s code or for itself. The DRM is implemented in Java; it is supplied as a source code and can be easily decompiled, analyzed, and modified to overcome any license restrictions. The Android_DRM_1 vendor recommends using third-party applications to protect code.
Android_DRM_1 anti-hacking strength
- Since the system employs no special code protection, it can be easily analyzed and neutralized by modifying the application.
- There is at least one project, publically available on the Internet, dedicated to automatic search for the Android_DRM_1 Software Library code in .ark files and its neutralization.
Android_DRM_2
This is a proprietary solution of an Internet store that sells Android applications. Its operating principle is similar to the Android_DRM_1 (the application checks for the proof-of-purchase on a remote server), however, unlike the Android_DRM_1 Software Library, the process of embedding the DRM into an application is automated. Developers/publishers simply upload their ready-made applications to the Internet-store’s server, where the protection module is automatically embedded into them.
To achieve protection, the application is appended with some extra classes, providing DRM functionality. The produced code is disassembled and checking function calls from these classes are embedded into it (most likely this is done automatically). Reportedly, this does not work perfectly at all times and in some cases the application can crash in JVM, giving a verification error.
Android_DRM_2 anti-hacking strength
Since this type of protection is embedded into an application without full integration with its code, the protection is also easily neutralized by the modification of code. This can be done by reverse installation, i.e. disassembling the application code, finding protection calls, and removing them. There is also an easier way, i.e. to disable checks in the protection core or completely substitute it with a “dummy” code.
Android_DRM_3
Android_DRM_3 is a simplified alternative for the Android_DRM_1 and Android_DRM_2.
Unlike Android_DRM_1, there is no need for a store-application to be installed on the end-device in order to buy an application. The purchase is done directly from the Android_DRM_3 web page. A user pays via PayPal or GoogleCheckout and receives a personal link to download an application. No modification is required of the ready-made application.
Another service that is provided is the Android_DRM_3 Software Library. This is an alternative for the Android_DRM_1 Software Library. Upon the purchase of an application (in the manner described above or, for example, via another provider's web-site), the user also receives an e-mail with an activation key. While launching the application, the user has to activate it, entering the activation key. The key is verified on an Android_DRM_3 server. The system is very simple and is provided with source code.
Android_DRM_3 anti-hacking strength
- Since the system employs no special code protection, it can be easily analyzed and neutralized by modifying the application.
- The key is verified via an unencrypted channel, a proxy server can be used to bypass the protection.
Android_DRM_4
Android_DRM_4 has an embeddable DRM library and a server part. The functionality of Android_DRM_4 copies Android_DRM_3; i.e., upon purchasing an application via an internet-store or some other distribution system, a unique purchase account is opened on the server part. At the same time, the buyer receives an e-mail with an activation code from the server. While launching the protected application, the user enters the code, which is compared with the one registered on the server, and if they match, the application launches successfully. Unlike Android_DRM_3, a dedicated server is required to run the server part of the protection when deploying the system.
The system is provided with GNU GPL2 licensed open source code.
Android_DRM_4 anti-hacking strength
- Since the system employs no special code protection, it can be easily analyzed and neutralized by modifying the application.
- The key is verified via an unencrypted channel, a proxy server can be used to bypass the protection.
Android_DRM_5
The company producing the Android_DRM_5 also develops a wide variety of products to protect application code and provide DRM functionality. Unfortunately, no "live" applications protected with Android_DRM_5 were found, thus, the following information is based on developers’ press-releases.
- Android_DRM_5 protects only the application code. DRM functionality is not provided.
- The protection works only for the Native part of application code. The code should be written in C/C++. Java is not supported.
- The protection is semi-automatically embedded into the source code.
- The source code is processed by Clang + LLVM into the intermediate byte code, to which subsequent steps are applied, including obfuscation/check summing, etc., resulting in a standard object file. After linkage, the application is processed one more time (probably, to insert and calculate the checksums).
- The ideology of the protection is based on embedding special markers into the program’s functions, which can do the following:
- Obfuscate the function code (hashing, littering, etc.);
- Detect debuggers;
- Check the application’s integrity;
- Reconstruct the application code (counter patches);
- During the further processing of the source code the markers are transformed into the protection code;
- This package works only on Linux and MacOS.
Considering the above, the product is positioned as a security tool to protect program code from analysis and modification.
Android_DRM_5 anti-hacking strength
As mentioned above, not a single protected application was found to assess the anti-hacking strength.
DRM system comparison matrix
| Android_DRM_1 |
Android_DRM_2 |
Android_DRM_3 |
Android_DRM_4 |
Android_DRM_5 |
|---|---|---|---|---|---|
DRM-functionality |
Yes |
Yes |
Yes |
Yes |
No |
Java code protection |
No |
No* |
No |
No |
No |
Native code protection |
No |
No |
No |
No |
Yes |
Requires source code for protection |
Yes |
No |
Yes |
Yes |
Yes |
Open system |
Yes |
No |
Yes |
Yes |
No |
* The code itself is not protected, but numerous calls for the protection core are embedded into it.
Conclusions
Each solution discussed offers almost the same functionality. Probably, with the exception of the Android_DRM_5, which only protects the mobile application code from analysis and hacking, but does not offer any licensing options.
Obviously, at this time, there is no reliable anti-piracy protection for Android applications among the most popular solutions on the market. The average hacker will break such protection with ease. Therefore, the anti-piracy campaign for the Android platform has so far been put on hold, waiting for better days.
