How do I secure an Android app to a device?

Question

For an industrial application which is installed and shipped on Android devices, I want to secure the app against unauthorized copying to other devices. My understanding is that there are numerous applications (some running on Android devices and some on desktop PC's) which can copy apps as APK files and install them on other Android devices. (some of these are marketed as backup software)

What is Android's authorization model? Does it depend on having a Google Account or using Android Market? (these devices don't have a Google Account associated with them, and the industrial environment where they are used usually doesn't have WiFi access).

How do I write my app to run on just the device we install it on?

Answer 1

What is Android's authorization model?

That would depend on what you think an "authorization model" is and in what context you are asking in. APKs have no "authorization model" by themselves, any more than do text files, bars of soap, bricks, golf balls, etc.

If by "authorization model" you mean "how can I validate that the app was obtained from the Android Market", you can use the License Verification Library (LVL) for that. However, this would not appear to be relevant in your use case ("an industrial application which is installed and shipped on Android devices").

How do I write my app to run on just the device we install it on?

Prevent users of the device from running anything else, by rolling your own custom firmware, making your app be the home screen, remove unnecessary additional apps from the firmware, etc. This may limit the utility of your devices, will not work if you are trying to make your app available to arbitrary devices, etc.

Or, cook up your own license management scheme akin to the LVL, and hope that nobody interested in pirating the app has enough skills to reverse engineer your code and snip out the license management stuff. Depending upon your customer base, you may have reasonable luck with this approach. This is not significantly different than traditional enterprise software with license keys and the like. Hence, it is entirely possible that firms who make license management stuff for desktop apps have commercial Android solutions available for license.

The "license management scheme" could be as simple as "burn the MAC address of the WiFi NIC in the APK file and compare it at runtime", though, again, this sort of protection is vulnerable to being reverse-engineered and excised.

Answer 2

When you go to upload an application to the Market there is an option to enable "Copy Protection" which states

Copy protection may help prevent applications from being copied from a device. It increases the amount of memory on the phone required to install the application. We expect to deprecate copy protection soon.

and

If you have a paid application, we recommend that you implement the Android Market licensing service. For free application, we recommend implementing your own copy protection scheme.

I don't think that the copy protection is bullet proof by any means though. If someone is determined and has one of your devices they could likely still get the apk off of it (especially if they are willing to root the device).

I imagine the best solution is going to be something you create and implement yourself. How many devices will this application get installed on total? Perhaps you could get unique IDs for each device and have the application check to ensure that the device it is running on is has an ID that is on that list.

If getting IDs for each device is too much of a hassle. What is the install process going to be? Perhaps the first thing the application does after it gets installed is ask for a complicated password. If the password doesn't get entered the application will do nothing. That way you can enable them right after you install, and any copy's of the apk that do get out won't do anything unless the person has the password too. Downside to this is if app gets uninstalled / re-installed password will need to be entered again.