was released late July for all versions of the Google Android mobile operating system, 1.5 or higher. In basic terms, the system functions as sort of a DRM protection mechanism for Android applications, ensuring that the apps on a user's phone have been properly purchased and paid for.The licensing system Google implemented to protect the applications found in its Android Market has been cracked, only a month after it debuted. Google's "Licensing Service for Android," designed to protect against unauthorized use of paid Android applications,
Now, in a detailed how-to guide posted by Justin Case on Android Police, not only has Google's licensing system been cracked, doing so was a fairly easy process.
How Was This Hacked?
It's not surprising to hear that a protection system was hacked or cracked these days. There is virtually no unbreakable code, given enough Red Bull and a dedicated hacker. What's somewhat disturbing about this particular crack, however, was how simple it was to accomplish.
In this case, the crack was made possible due to the licensing system's use of Java code. According to Case, Java code is what most Android applications are currently written in. Because of Java's cross-platform compatibility needs, there are already a number of software suites that can decompile and disassemble Java code, making it an easy target for reverse engineering.
After decompiling the code, cracking the licensing system is as simple as finding the file that references Google's licensing service and changing it to include a different set of instructions. A hacker would just need to change of couple of bytes of code that detail how an application should behave after verification of its license is complete.
Typically, an application using Google's protection mechanism would communicate with a Google's Marketplace server to confirm whether or not it's properly licensed. If it was not licensed, the app would be told not to run. This hack just changes the instruction set that means "don't run" into one that means "sure, go ahead and run." That's a basic, non-technical explanation, of course. Those with a development background should read the detailed steps laid out here instead.
In addition to the hack being easy to accomplish, it can also be automated using scripts. That means most Android applications could be stripped of their licensing protection and made available in off-Market, pirated distributions, Case warns.
How Bad is this for Android?
While not necessarily an Achilles' heel for the Android ecosystem itself - its momentum is too far along for that now - at the least, it's a cause for concern. Unlike Apple's carefully controlled App Store environment, Google Android operating system is more open by default, allowing users to install apps from outside the official marketplace just by changing a single setting on their phone. iPhone users, meanwhile, have to wait for weeks on end after every Apple software update for a team of dedicated iPhone hackers to release a new "jailbreak" - an end-user tool of some sort that removes the restrictions placed on the device which prevent the installation of unapproved, third party apps.
Google's openness is, on the one hand, a benefit to its developers and users, the former who no longer have to comply with complex and ever-changing developer agreements just to release an app in the official app store, and the latter having the freedom to install any applications they choose without having to hack their phone to do so.
However, Android's openness combined with an easy-to-crack protection system means that it's now also incredibly easy for paid applications to be distributed to end users who don't want to pay for them.
That's not something that will make the developer community happy - especially given the earlier news that iPhone users are more willing to pay for apps and that 57% of Android apps are free, when only 28% of iPhone apps are.
It should be noted that not all Android applications use Google's Licensing Service, but the system is a popular choice because it's easy to implement and it associates applications to a Google account, allowing users to take applications with them when they upgrade to a new handset.
Update: Google responded to this situation a few hours after publication via blog post. Google's Android developer evangelist Tim Bray notes that its licensing technology is young, but represents "a significant step forward in terms of protection over the plain copy-protection facility that used to be the norm." He also says that the company will improve the licensing system going forward. He did not, however, detail any specific steps Google will take to thwart this current hack in particular.