My first paid Android app was mercilessly cracked within 1 day, which made me realize how pathetic LVL security is.
My next app will monetize with managed in-app purchases of content, which seems more secure than LVL because in-app purchases are signed with a private key that can be verified by my content server. My app can be cracked and redistributed easily but my content server cannot. (I know nothing is absolutely secure, but this approach looks better than LVL.)
It seems to me the only way to crack in-app purchases is to:
- Hack my content server
- Crack my private key
Are in-app purchases more secure than LVL or am I being naive? Is the private key easy to crack?
Thanks in advance...
It is indeed harder to crack because LVL is already known and the methodology of how to crack it (even automated) is already widespread. However, in-app purchases are technically not more secure unless stuff is actually downloaded from your server that is necessary to operate the blocked features (e.g. code). The reason is, anything your app can do, people can examine, and people can do themselves, even in modified versions of your code. For example, you may verify with the server over SSL that the owner has made a purchase, but a malicious attacker could always remove that code and just make the application act as if the server OK'd it. If a private key is downloaded by your application, a malicious user could find a way to impersonate your application and download it, etc.
There is really no 'uncrackable' software. Only services can be relatively safe from piracy. Therefore, if you want to avoid piracy, you should write software where the product is the service instead.
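Added example, not part of the question or the answer above: a Node.js sketch of the content-server side of this design, where paid content is released only after the server itself verifies the signed purchase data. The key pair is generated locally as a stand-in for the store's signing key, and the package name, account IDs, receipt fields, `purchaseState` encoding and SHA-256 choice are all assumptions made for the example.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the store's key pair. A real content server holds
// only the public key; the private key never leaves the store.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const EXPECTED_PACKAGE = 'com.example.myapp';            // hypothetical package name
const PURCHASED = 0;                                     // assumed encoding of "purchased"
const CONTENT = { level_pack_1: 'LEVEL-PACK-1-BYTES' };  // hypothetical paid content
const seenOrders = new Map();                            // orderId -> account that redeemed it

function verifyReceipt(signedData, signatureB64) {
  // Verify the exact bytes received, and only parse them once they check out.
  const ok = crypto.verify('sha256', Buffer.from(signedData, 'utf8'), publicKey,
                           Buffer.from(signatureB64, 'base64'));
  return ok ? JSON.parse(signedData) : null;
}

function serveContent(accountId, signedData, signatureB64) {
  const p = verifyReceipt(signedData, signatureB64);
  if (!p) return { status: 403, reason: 'bad signature' };
  if (p.packageName !== EXPECTED_PACKAGE) return { status: 403, reason: 'wrong package' };
  if (p.purchaseState !== PURCHASED) return { status: 403, reason: 'not purchased' };
  if (!Object.prototype.hasOwnProperty.call(CONTENT, p.productId)) {
    return { status: 404, reason: 'unknown product' };
  }
  // A valid receipt can be copied along with the app, so bind each order
  // to the first account that redeems it.
  const owner = seenOrders.get(p.orderId);
  if (owner !== undefined && owner !== accountId) {
    return { status: 403, reason: 'receipt reused' };
  }
  seenOrders.set(p.orderId, accountId);
  return { status: 200, body: CONTENT[p.productId] };
}

// Test helper only: plays the role of the store signing a purchase.
function signAsStore(purchase) {
  const signedData = JSON.stringify(purchase);
  const signature = crypto.sign('sha256', Buffer.from(signedData, 'utf8'), privateKey)
    .toString('base64');
  return { signedData, signature };
}

// Constructed sample receipt.
const demo = signAsStore({ orderId: 'ORDER-DEMO-1', packageName: EXPECTED_PACKAGE,
                           productId: 'level_pack_1', purchaseState: PURCHASED });
console.log(serveContent('alice', demo.signedData, demo.signature).status);
```

The check protects only what stays on the server: once the content has been delivered to a device, it can be copied like the rest of the app.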