Featured Blog | This community-written post highlights the best of what the game industry has to offer. Read more like it on the Game Developer Blogs.

Passive/Aggressive Anti-piracy for Android Indies.

Simple and effective anti-piracy strategies for Android Apps (possibly portable to iOS)

dominic cerisano, Blogger

February 11, 2014

Passive/Aggressive Scuttling

Here is an easily hidden technique I call 'scuttling' that works for Android apps deployed to Google AND Amazon. Scuttling is front-end piracy detection by the app. What to do once piracy is detected is in the purview of the app creator.

  •  Aggressive Scuttling: e.g. terminates or hobbles the pirated app. Network communication not necessarily required.

  •  Passive Scuttling: No obvious app modification, e.g. customized back-end analytics tracking.

If your app was installed from any source other than Google or Amazon, scuttle() returns true.

    // Don't just copy/paste this code - that is what automated crackers look for - kludge it!
    // No network communication is required at runtime.
    // myPackageName should decode at runtime to "com.yourpackagename"
    // google        should decode at runtime to "com.android.vending";
    // amazon        should decode at runtime to "com.amazon.venezia"; 
    
    public boolean scuttle(Context context, String myPackageName, String google, String amazon)
    {
      //Scallywags renamed your app?

      if (context.getPackageName().compareTo(myPackageName) != 0)
        return true; // BOOM!
 
      //Rogues relocated your app?
     
      String installer = context.getPackageManager().getInstallerPackageName(myPackageName);

      if (installer == null)
        return true; // BOOM!

      if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
        return true; // BOOM!
    
      return false; 
    }
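
The comments in scuttle() say the three names should decode at runtime but do not show how. The sketch below is an added example, not the author's code: it keeps the names as XOR-encoded bytes and runs the same decision in plain Java so it can be tested off-device. The class name, helper names, key value and the "com.example.otherstore" installer are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not the author's code. Plain Java (no Android classes): on a device,
// pass context.getPackageName() and getInstallerPackageName(...) as the runtime values.
public class ScuttleDemo {
    // Hypothetical single-byte XOR key; any reversible encoding would do.
    private static final byte KEY = 0x5A;

    // Build-time helper: turn a plaintext name into the bytes that get shipped.
    static byte[] encode(String s) {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < b.length; i++) b[i] ^= KEY;
        return b;
    }

    // Runtime helper: recover the name only at the moment the check runs.
    static String decode(byte[] enc) {
        byte[] b = Arrays.copyOf(enc, enc.length);
        for (int i = 0; i < b.length; i++) b[i] ^= KEY;
        return new String(b, StandardCharsets.UTF_8);
    }

    // Same decision as scuttle(): renamed package, no installer, or unknown store.
    static boolean scuttle(String actualPkg, String installer, byte[] pkg, byte[][] stores) {
        if (!decode(pkg).equals(actualPkg)) return true;
        if (installer == null) return true;
        for (byte[] store : stores) {
            if (decode(store).equals(installer)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values; a real build would embed only the encoded bytes.
        byte[] pkg = encode("com.yourpackagename");
        byte[][] stores = { encode("com.android.vending"), encode("com.amazon.venezia") };

        System.out.println(scuttle("com.yourpackagename", "com.android.vending", pkg, stores));
        System.out.println(scuttle("com.yourpackagename", null, pkg, stores));
        System.out.println(scuttle("com.renamed.app", "com.android.vending", pkg, stores));
        System.out.println(scuttle("com.yourpackagename", "com.example.otherstore", pkg, stores));
    }
}
```

A build installed over adb during development is not recorded as coming from either store, so the check fires on it; skip the check in debug builds or the app will scuttle itself on the developer's own device.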


RESULTS

The following screenshot, taken from Google Analytics, shows a tracked free app from the Play Store (com.android.vending) that had been pirated and was then redeployed with aggressive scuttling (non-Play Store installs detected and terminated - BOOM!). Non-Play Store (not-set) tracking drops. Tracking was not required, but was enabled for these measurements.

DISCUSSION

Note that service (app) signing plays a role in scuttling: the package manager enforces unique package names with unique signatures. This prevents installation of any com.android.vending download service other than the one that comes with Android.

This presents the question of what to do when the app is scuttled (pirate detected by the app). Piracy is a form of viralization (uncontrolled distribution) of your app. It is already detectable by enabling the analytics tracking back-end. Scuttling allows the app creator to customize a front-end response with or without tracking.

Aggressive scuttling is obviously detectable by pirates (BOOM!). This encourages further cracking. Passive scuttling is far less obvious, but may involve tracking.

Piracy may not be preventable but it is predictable, detectable, and trackable.

Tracking can present insurmountable problems to pirates, but also presents its own ethical issues.

Aggressive scuttling requiring no network communication, as outlined above, is perhaps the best solution. It is easily hidden (unlike licensing) and can be tailored to be as unobvious (passive) as possible.

A passive-aggressive scuttling example that involves the network might be using the new scoreTag metadata in the Google Play leaderboard API to store whether the game was pirated. GA/UA tracking is not used.

I would like to especially hear from the ethics crew about the following:

In a passive-aggressive scuttling scenario, authorized installs are not tracked.

Pirated installs, however, are tracked up the wazoo. Otherwise no difference in app behavior.

So, instead of crackable licensing, the app creator accepts tracking data as a kind of payment.

Q: Is it still piracy if tracking is received in lieu of payment for unauthorized installs?

Q: Does tracking in lieu of licensing imply authorization?

Q: If pirated installs become a valuable and viral distribution and analytics channel is it still piracy? Is this still an anti-piracy measure? Would this promote piracy? Does this actually redefine piracy?
