I was enthused about the announcement of the Android Market Licensing Service. This is a step in the right direction to fight rampant piracy. You can actually now use a pirated version as an opportunity to sell your app. If someone downloads a pirated version, you can use the licensing service to detect it and direct them to buy the paid version.
However, there are a couple of problems. First of all, the generic version of the licensing code has been cracked. Tim Bray responded to this with the comment that “100% piracy protection is never possible in any system that runs third-party code…” Quite true. Contrary to this Google blog entry, it’s usually easy to crack. All forms of licensing, unlocking, server-side validation, and tamper detection come down to some point in the code that essentially says:
if (!licensed) { rejectUser(); }
It’s relatively easy to find this “if”. The pirate just has to debug the code, run to the point of rejection, and work backwards. The cracker can change the value of “licensed” or change the “then” branch in the Dalvik code to branch to the point after the “if”. Server-side validation can be circumvented the same way - at some point it all comes back to your code. Once cracked, the pirate can post the .apk online and almost anyone can install it. All of your hard licensing work as a developer has been wasted.
This is the problem with any license check embedded in an app. Once the app has been cracked by one experienced person, it can be distributed to thousands of unexperienced users. We need something harder to crack and near-impossible to distribute. I think the solution lies in Android itself. Android needs to check if the app has been licensed when launching the app. If it hasn’t been, reject the user. Then the potential crack lies in the Android system code. Most people are not going to installed a cracked version of Android.