Monday, October 11, 2010

The True Problem With Google's License Verification Library (LVL)

Google recently introduced a new method to fight piracy on the Android Market, the License Verification Library (LVL). It replaces the old system copy protection system, wherein your APKs would be put in a folder that you can't access. Unless you root. Oh, and anyone who can copy that APK off can then give it to someone else to put on their device, too. It was so weak, it was almost non-existant.

At first I took the news of LVL to be a great next step. In case you've not been paying attention, LVL puts the copy protection methods in the app itself - a form of DRM. Your app would now communicate with Google's servers to authorize use of the app. You'd no longer prevent a user from copying/transferring APKs, but doing so would be pointless because they wouldn't run on someone else's phone unless they were authorized.

However, any DRM measure can be cracked, it's just a matter effort. Only a few weeks after LVL was released it was shown how easy it was to modify bytecode to bypass the authorization altogether. Google responded with a series of posts (1, 2, 3) that explained how to circumvent this early crack in their armor. Essentially, it all boils down to different methods of obsfucating your code, which as we all know can still fail - and the steps Google proposes for protecting your APKs complicates your code and build process. As happens with most DRM, this has become a game of cat-and-mouse between Google and pirates, using ever-escalating tactics to one-up the other.

But there's a much bigger issue at the root of the entire system: The LVL library only works on apps sold through Google's Android Market.

The whole point of LVL is that the APK itself has some protection built in, so copying it around will not be an issue. But the LVL library only authenticates users who bought the app using the Android Market. If a user buys your app on a third-party store, then the LVL library will reject them. This means that in order to release on a third-party store, you'd have to ditch the LVL library for those builds - and thus defeat your own DRM.

There are a lot of Android Market alternatives now and more on the way. There are some publicly available are sites like SlideME and AppsLib (and possibly soon, Amazon). There are also some carrier-specific app stores - Verizon just launched V-Cast and in Europe, both Orange and Vodafone have their own offerings.

Android Market's recent expansion is, I believe, partially a response to this problem, but it comes too late. If the Market was more widespread and accessible early on then there would not have been an incentive to create and sell apps on alternative app stores in the first place; but now the momentum is there.

As much as it pains me, my conclusion is that it's better off to just go without any copy protection whatsoever. It does not makes sense to limit yourself to one store when potential customers could browsing another. Also, people who pirate will find a way to pirate, regardless your DRM; don't worry about them, and just worry about the people who would buy legit in the first place.