
Protection, Meet Racket

Android Applications, Piracy, and DRM

Right now, it is very straightforward — if you publish on Android Market, your application will be made available for free download outside of the Market. This appears to hold true regardless of whether or not you are using the built-in Android Market copy protection mechanisms, which have been demonstrated to be ineffective.

This is part and parcel of having an open environment like Android. Availability of source code, ability of people to “root” their devices, and a big centralized market makes automated piracy pretty much a fait accompli. While Android is perhaps the best example of this today, I truly hope that the openness meme spreads, which unfortunately will bring pirates along with it.

If you are trying to turn a buck (or euro, or yuan, or...) on Android apps, here are four possible courses of action:

  1. Don't worry about it. Only a certain number of people will use pirated apps, simply because getting them is not obvious. Without a pre-installed client for the pirate sites, many device owners will not know those sites are there and will not use them. And, if somebody does make pirated apps available in a form that becomes popular, I suspect that there will be legal and technical repercussions.
  2. Use off-the-shelf DRM. Just because Android Market's own copy protection is weak does not mean that copy protection on Android is weak. AndAppStore and SlideME are two markets that each offer copy protection mechanisms, though at the time of this writing only AndAppStore's can be used on other markets. Integrating a third-party DRM solution adds work, but this is no different than DRM for any other platform (e.g., Windows).
  3. Use custom DRM. There is always a fear that if a DRM solution becomes popular, it becomes more prone to being hacked. Hence, you could always work out your own DRM solution. Each Android device has unique identifiers, sometimes tied to the telephony protocol (e.g., IMEI for GSM), and sometimes just unique to Android (ANDROID_ID constant). Cook up your own mechanism to combine this information with purchase data to tie an app to a user.
  4. Add value outside of the app. In other words, don't sell the app — sell the account you need to use the app. Then, piracy of the app is no big deal, and might even be desirable. Your money comes not from the app directly, but the sales of online services (e.g., Web apps) that the app needs to be useful. Remember the Milk is one example of this model in action.
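
One way to build the mechanism from option 3, shown as an added example that is not code from the original article: the vendor's server signs the device identifier together with a purchase ID, and the app verifies that signature with an embedded public key. The class and method names, the choice of ECDSA, and the sample identifier values are assumptions made for illustration; only standard JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration of a device-bound license; all names here are hypothetical.
public class DeviceLicense {
    // Canonical message to sign. Fields are length-prefixed so that
    // ("ab", "c") and ("a", "bc") can never produce the same bytes.
    static byte[] message(String deviceId, String purchaseId) {
        String m = deviceId.length() + ":" + deviceId + "|"
                 + purchaseId.length() + ":" + purchaseId;
        return m.getBytes(StandardCharsets.UTF_8);
    }

    // Server side, after a confirmed purchase. The private key never ships in the app.
    static String issue(PrivateKey vendorKey, String deviceId, String purchaseId)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(vendorKey);
        s.update(message(deviceId, purchaseId));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // App side. Only the public key is embedded, so the app can check
    // licenses but holds nothing that could be used to mint new ones.
    static boolean verify(PublicKey vendorPub, String deviceId, String purchaseId, String license) {
        try {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(vendorPub);
            s.update(message(deviceId, purchaseId));
            return s.verify(Base64.getDecoder().decode(license));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed or mismatched license: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair vendor = g.generateKeyPair(); // constructed demo key pair
        // Constructed sample values standing in for ANDROID_ID and an order number.
        String lic = issue(vendor.getPrivate(), "a1b2c3d4e5f60718", "order-0001");
        System.out.println("issuing device: " + verify(vendor.getPublic(), "a1b2c3d4e5f60718", "order-0001", lic));
        System.out.println("other device:   " + verify(vendor.getPublic(), "00112233445566ff", "order-0001", lic));
    }
}
```

The signature binds a license to one identifier and keeps the signing key off the device; as with the other DRM options above, it raises the cost of copying rather than guaranteeing that the app itself is unmodified.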

Perhaps someday the Android Market will employ more powerful copy protection mechanisms as an option for interested developers. Or, perhaps someday some other market will do the same and become a popular alternative to the Android Market. In the meantime, you will need to choose your strategy to address inevitable piracy.
