Questions about Google Play application assets encryption

Question

Starting from v4.1 Jelly Bean, Google has introduced a new application assets encryption feature for Google Play. Seems that there were some problems when upgrading apps consisting in persistent data being lost after reboot, caused by the change in apk directory (old one was /data/app, and now it is /mnt/asec).

So, when publishing (or updating an already published app) on Google Play, for OS 2.3+,

• Can I disable this option and publish an unencrypted application?
• What is the current state of the issue? Is there a workaround?

Besides this problem, the idea of providing additional protection against piracy seems ok, but there are some additional considerations I couldn't find explained anywhere in the docs:

• What about apps published to alternative stores, or deployed via OTA? Could they be encrypted too? If not, then what is the point of causing so much pain in Google Play publishing if anyone can download the unencrypted apk from elsewhere and decompile it straight away?
• Can it be defeated by rooting the phone?
• Are the apks delivered for OS 4.0+ the only ones with protection? If so, then again, what is the point of this if anyone can download the unencrypted apk to a Gingerbread phone, pull it out with adb and decompile it the usual way?
• Assuming the mechanism worked: What about backup applications (like Titanium Backup), or with manual apk backups using adb. Will they still work?
• Performance: some apps might have a considerable apk size. Does this mechanism hamper performance? Does the OS decrypt the whole apk everytime it is loaded?

Thanks in advance

UPDATE:
Edit to include links to Google Code issues.
Issue 34880 (closed but with some devs still complaining; status: future release)
Issue 35962 (closed; status: released)

UPDATE #2:
Interesting info on this blog post linked by one of the developers in the first issue. Also here in German.

Users and developers report that in the last few days the problem appears to have disappeared for applications installed using the latest version of Google Play (3.7.15). Users who have previously installed problematic apps will need to uninstall and then re-download them free of charge. According to one report, the new version of Google Play now saves paid-for apps to /data/app again, meaning that Google has deactivated the copy protection feature for now. Google has not commented publicly on the problem. The bug is marked as medium priority, with a status of "FutureRelease" for a possible fix.

Answer 1

(Mumble, mumble, shrug, /me just sayin' ...)

Personally (a-n-d... from the point-of-view of someone who has somehow managed to make money from a commercial application for 23 years and counting ...), I would be FAR(!) more concerned about this:

Users who have previously installed problematic apps will need to uninstall and then re-download them ...

... than I would spend fixating on any "thoughts of piracy." (Nor, therefore, with any 'defenses' [sic] against them.)

A very good friend of mine once kept a very-expensive 12-string guitar ... in a cardboard(!) case ... fastened by the very-cheapest padlock that anyone could have procured. The padlock was, as he said: "to keep the honest people out."

"Well said, Robert ..."

A certain, minuscule, percentage of "people on this planet" might, indeed, "do whatever(!) it takes" to "crack the protection of" whatever-it-is that you wish to sell. [In my college days, I had a friend who positively collected Apple ][ floppy-discs, apparently for nothing more than the intellectual challenge of having "defeated" them.]

Such people are not your ¢-u-$-t-o-m-e-r-$!"

Therefore, I respectfully suggest:

• "Yes, 'put a padlock on' your guitar-case."

• ... but DON'T go out of your way to "try to prevent someone from stealing your guitar."

• ... because the (thousands(!) of!!) folks who paid you M-O-N-E-Y ... don't(!!) wish to be inconvenienced!! (Nor to imagine that they might, even concievably(!!), be: "distrusted!")

Think about it . . .

"You walk through the front-door of the store at the mall, [having just made a $300 purchase ...] and, (lo and behold!!) the Sensormatic system "complains loudly!!" What does the clerk (and the store manager) do? They wave at you!! "Have a nice day!"

[Even if they have no idea if you spent $300, or that you might be a thief ... they ... wave at you. If you're a thief, that's a matter for the insurance company. Best-bet is that you're a customer, who must(!) receive an apologetic but very(!) friendly wave-goodbye.]

In the real-world of "actual commerce," it PAYS to keep such things in mind!!

Trust me: "the simplest, most-trivially-defeated" token-lock will do. The one-and-only requirement is that: "it exists. At all."