Android Game Keeps Getting Hacked [closed]

Answer 1

What an interesting and disturbing question. :-) As an exercise, you might try releasing an app through Amazon; they have their own DRM mechanism; I wonder if it works any better than ProGuard...

Answer 2

Android users are just going to have accept the pain of constant phone-homes. The only secure Android app is an always-connected Android app.

This is, in large part, due to Google's refusal to lock-down the installation, like Apple has. On IOS you have to jailbreak the phone. On Android you can load any APK on a stock, factory install.

Keep some/most/all your content on the server; deliver it in chunks; validate the license/session on each call.

Answer 3

I know you're not really into obfuscation, but I really need to react to this:

From here, I don't want to obfuscate our code as I have seen it broken before. I want something a little more solid, and I also want to learn how to do this properly.

ProGuard is very reliable in my experience, and this although I use a couple of advanced features such as AIDL and some native code which calls Java method.. It takes a little work to read the documentation and do things properly, but once you're there ProGuard is extremely reliable and also optimizes your app.

Custom security/cryptographic tricks are good, but without obfuscation it's like throwing a stone in the water in my humble opinion.

I've used ProGuard in production for many months, and it just works flawlessly.

If you're into learning, then read the ProGuard manual carefully, experiment with it, and inspect its output logs.

Answer 4

Taken from my solution from this post Avoid apk cracked

Implement your own licensing library

I'd also refer you to check out this from Google I/O 2011 YouTube recording:

Evading Pirates and Stopping Vampires

EDIT:

The Presentation Notes from Evading Pirates and Stopping Vampires

Some basic keypoints

• Modify the LVL
• Implement LVL Tamper Resistance
• Use obfuscation
• Add reflection

Answer 5

One of the key elements in my opinion is to spread out the code so it's not all in one place. If you have a function called LicenseChecker.checkLicense() which retrieves the license and checks it, you can be sure it will be disabled promptly.

The one advantage you have is that the crackers cannot see the comments of your code (and, if you obfuscate, method/variable names), so come up with something weird. In the onCreate() of one activity, you get the license ID. In onResume(), you get another value to check it against. Maybe create a thread and do some checks there. And then, some other irrelevant piece of code (maybe the player control) might pick up the value and compare it and store the result somewhere. Then three other irrelevant pieces of code will all independently check that value and disable your application if it doesn't match.

Now I should say upfront that this can cause headache for yourself - obviously, cluttered, nasty code is harder to debug and prone to cause errors. Worst case, you create false positives in legitimately purchased applications.

And, of course, everything can be reverse-engineered - once the crackers find the place where the app is disabled, they trace back the value that's being read from. They could then trace back where it's being stored, and trace that back..... or, much easier, they can just disable the final check (which is why I recommended 3 different places, all triggering delayed). Security is only as good as the weakest link.

You will not be able to stop piracy. Your best bet is to delay the spreading of a pirated copy until the initial hype about your app has calmed down.