Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Questions about Google Play application assets encryption

Starting from v4.1 Jelly Bean, Google has introduced a new application assets encryption feature for Google Play. Seems that there were some problems when upgrading apps consisting in persistent data being lost after reboot, caused by the change in apk directory (old one was /data/app, and now it is /mnt/asec).

So, when publishing (or updating an already published app) on Google Play, for OS 2.3+,

  • Can I disable this option and publish an unencrypted application?
  • What is the current state of the issue? Is there a workaround?

Besides this problem, the idea of providing additional protection against piracy seems ok, but there are some additional considerations I couldn't find explained anywhere in the docs:

  • What about apps published to alternative stores, or deployed via OTA? Could they be encrypted too? If not, then what is the point of causing so much pain in Google Play publishing if anyone can download the unencrypted apk from elsewhere and decompile it straight away?
  • Can it be defeated by rooting the phone?
  • Are the apks delivered for OS 4.0+ the only ones with protection? If so, then again, what is the point of this if anyone can download the unencrypted apk to a Gingerbread phone, pull it out with adb and decompile it the usual way?
  • Assuming the mechanism worked: What about backup applications (like Titanium Backup), or with manual apk backups using adb. Will they still work?
  • Performance: some apps might have a considerable apk size. Does this mechanism hamper performance? Does the OS decrypt the whole apk everytime it is loaded?

Thanks in advance

UPDATE:
Edit to include links to Google Code issues.
Issue 34880 (closed but with some devs still complaining; status: future release)
Issue 35962 (closed; status: released)

UPDATE #2:
Interesting info on this blog post linked by one of the developers in the first issue. Also here in German.

Users and developers report that in the last few days the problem appears to have disappeared for applications installed using the latest version of Google Play (3.7.15). Users who have previously installed problematic apps will need to uninstall and then re-download them free of charge. According to one report, the new version of Google Play now saves paid-for apps to /data/app again, meaning that Google has deactivated the copy protection feature for now. Google has not commented publicly on the problem. The bug is marked as medium priority, with a status of "FutureRelease" for a possible fix.

like image 907
Mister Smith Avatar asked Aug 27 '12 08:08

Mister Smith


People also ask

Is Google Play encrypted?

App EncryptionStarting with Android 4.1, Google Play will help protect application assets by encrypting all paid apps with a device-specific key before they are delivered and stored on a device.

Is all of the user data collected by your app encrypted in transit?

Is all of the user data collected by your app encrypted in transit? Yes – Answer Yes if you encrypt all the data sent to your servers and other third parties.

What type of services or information you can get from playstore?

Google Play Store, shortened to Play Store on the Home screen and App screen, is Google's official pre-installed app store on Android-certified devices. It provides access to content on Google Play, including apps, books, magazines, music, movies, and television programs.

What is data safe Google Play console?

The Data safety section on Google Play is a simple way for you to help people understand what user data your app collects or shares, as well as showcase your app's key privacy and security practices. This information helps users make more informed choices when deciding which apps to install.


1 Answers

(Mumble, mumble, shrug, /me just sayin' ...)

Personally (a-n-d... from the point-of-view of someone who has somehow managed to make money from a commercial application for 23 years and counting ...), I would be FAR(!) more concerned about this:

Users who have previously installed problematic apps will need to uninstall and then re-download them ...

... than I would spend fixating on any "thoughts of piracy." (Nor, therefore, with any 'defenses' [sic] against them.)

A very good friend of mine once kept a very-expensive 12-string guitar ... in a cardboard(!) case ... fastened by the very-cheapest padlock that anyone could have procured. The padlock was, as he said: "to keep the honest people out."

"Well said, Robert ..."

A certain, minuscule, percentage of "people on this planet" might, indeed, "do whatever(!) it takes" to "crack the protection of" whatever-it-is that you wish to sell. [In my college days, I had a friend who positively collected Apple ][ floppy-discs, apparently for nothing more than the intellectual challenge of having "defeated" them.]

Such people are not your ¢-u-$-t-o-m-e-r-$!"

Therefore, I respectfully suggest:

  • "Yes, 'put a padlock on' your guitar-case."

  • ... but DON'T go out of your way to "try to prevent someone from stealing your guitar."

  • ... because the (thousands(!) of!!) folks who paid you M-O-N-E-Y ... don't(!!) wish to be inconvenienced!! (Nor to imagine that they might, even concievably(!!), be: "distrusted!")

Think about it . . .

"You walk through the front-door of the store at the mall, [having just made a $300 purchase ...] and, (lo and behold!!) the Sensormatic system "complains loudly!!" What does the clerk (and the store manager) do? They wave at you!! "Have a nice day!"

[Even if they have no idea if you spent $300, or that you might be a thief ... they ... wave at you. If you're a thief, that's a matter for the insurance company. Best-bet is that you're a customer, who must(!) receive an apologetic but very(!) friendly wave-goodbye.]

In the real-world of "actual commerce," it PAYS to keep such things in mind!!

Trust me: "the simplest, most-trivially-defeated" token-lock will do. The one-and-only requirement is that: "it exists. At all."

like image 131
Mike Robinson Avatar answered Oct 16 '22 16:10

Mike Robinson