Android and Piracy

Discussion in 'Android' started by twbowen, May 8, 2015.

Thread Status:
Not open for further replies.
  1. twbowen

    twbowen

    Joined:
    Sep 27, 2013
    Posts:
    30
    Hi All,

    Just a couple of questions...

    For anyone that has released an app on Google Play: how do you feel about piracy and how it's handled? Do you think there should be some form of DRM for apks? Do you feel like the 2-hour return policy (used to be 15 mins) promotes piracy and taking advantage of the system?

    I didn't even know you could download an app from the Play store whose sole purpose is to rip apks from downloaded apps. It seems to me that there is very little protection for the developer against such things, and no actions being taken against it. I understand that Android likes to be an open platform, and I appreciate the ease of being able to publish to it, but I can't help but think more can be done.

    My game (which I'm not going to link to here because that's not what the post is about), is doing fairly well. It's up there on the new paid charts and climbing. It's only been out a week and a Google search brings countless sites offering the free apk, hell there's even YouTube ads for the free apk! Looking at my stats I have around 4500 active users yet only 250-300 purchases.

    What are everyone else's experiences in the matter?

    Thanks!
     
  2. hippocoder

    hippocoder

    Digital Ape Moderator

    Joined:
    Apr 11, 2010
    Posts:
    29,723
    Well it is the most pirated platform in the history of mankind so there's that. You probably want to go with f2p. Unity's done a few blog posts on the subject so why not give those a read?
     
    bennyboy likes this.
  3. twbowen

    twbowen

    Joined:
    Sep 27, 2013
    Posts:
    30
    Thanks, I took a look at those articles. I did hear that people were far more likely to purchase a 'premium' app on iOS than they are on Android. I might just see how it goes the next few weeks and then evaluate which model I should go with. But really my question was to see what people's opinions/experiences are in the matter.
     
  4. twbowen

    twbowen

    Joined:
    Sep 27, 2013
    Posts:
    30
    So the latest is I have approximately 15,000 active users and 1200 purchases. Of course, I'm happy the game is proving to be popular but I could really use that $$$! It might end up that I go the Ad supported route on android, purely because of these stats!
     
  5. imagoFX

    imagoFX

    Joined:
    Sep 19, 2011
    Posts:
    81
    Those numbers are crazy. I had an idea of setting the game to be free but the user will have to buy it from inside the app with an in-app purchase. Don't know if it will work...
     
  6. 128bit

    128bit

    Joined:
    Oct 8, 2014
    Posts:
    117
    If you implement it correctly, yeah. Generally, if you want to get some money, go for in-app purchases or ads. Piracy rate is horrible on playstore.
     
  7. imagoFX

    imagoFX

    Joined:
    Sep 19, 2011
    Posts:
    81
    I guess the only problem with the "buy the game from inside the app" is people that will not read the description and then give a bad review "because the app is not free!"...
     
  8. 128bit

    128bit

    Joined:
    Oct 8, 2014
    Posts:
    117
    There are plenty of apps out there which do it that way. Some free lvls and the rest is paid via IAP.
    The only problem I can imagine is that the IAP gets implemented poorly and it's possible to crack the app fast.

    If you want to test how secure your implementation is, I would be glad to help you out 4free. Just create a test apk and send it. Got some experience when it comes to reverse engineering Unity apps =)
     
    Last edited: May 28, 2015
  9. imagoFX

    imagoFX

    Joined:
    Sep 19, 2011
    Posts:
    81
    Thanks! My current game is already all over the web so no point in implementing that but for my next game I will do something like the IAP.
     
  10. twbowen

    twbowen

    Joined:
    Sep 27, 2013
    Posts:
    30
    That's exactly what I was thinking of doing for my next app.
     
  11. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    I am considering making a special double-encryption algorithm for my game that takes a key generated from the device information and a few other obscure things.

    EDIT: Actually, I'm going to do that now, won't be long... :D
     
  12. 128bit

    128bit

    Joined:
    Oct 8, 2014
    Posts:
    117
    That sounds interesting =)
     
  13. bennyboy

    bennyboy

    Joined:
    May 5, 2015
    Posts:
    13
    If I had those numbers, I'd be happy with the 1:10 ratio for now. Let the game's popularity grow, be patient, and cash in later.

    Also-- what's your game's name? Are you not allowed to mention it on the forums or something? I wanna see what your hot new game is like! :D
     
  14. imagoFX

    imagoFX

    Joined:
    Sep 19, 2011
    Posts:
    81
    If the number will generate on the first run, how will this prevent piracy? Pirated versions of the game will generate a number too. You're the coding genius here so please explain :)
     
  15. bennyboy

    bennyboy

    Joined:
    May 5, 2015
    Posts:
    13
    Yeah, what imagoFX said. Won't you just have a record of 15,000 GUIDs, and still not know which among them were generated by paid versions of your game?

    It seems to me unless the Play Store has a system for handling serial numbers, you need to make players register. However, if they've already paid/not-paid, then registration doesn't mean anything: pirates can register too. Maybe offer a free trial version, and then charge to unlock full features? Then you can collect your booty and register a user's details at the same time.
     
  16. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    Oh, my system's different; I was able to plan out how it should work last night. (I am not revealing anything here though, simply to stop hackers getting a hold of this... :D) It essentially is a special key that ONLY generates if the game was purchased, which is done by sending the user account ID to a PHP script upon purchase. Likewise, if a pirate tries to grab the APK directly from the server, no key will generate!

    EDIT: That assumes google play can run PHP scripts: can it do that when an APK is downloaded?
     
    Last edited: Jun 3, 2015
  17. imagoFX

    imagoFX

    Joined:
    Sep 19, 2011
    Posts:
    81
    Where do you want to upload the PHP to? We obviously can only upload apk and images to the play store.
     
  18. 128bit

    128bit

    Joined:
    Oct 8, 2014
    Posts:
    117
    You can only host PHP files on your own server, and access the PHP script in the app after the app gets downloaded, not upon. But you could check in script whether the app got downloaded via playstore and then upload to the PHP script on first run. But yeah, honestly, it's quite difficult to protect it against hackers.

    I've tested many different solutions and tried to crack them. I've found no solution that took longer than around half an hour to crack... It may take longer if someone doesn't know how you protected it, but reverse engineering on Android isn't a big problem. So it may take an extra hour, but still no problem to crack imho. Concentrate on making a great game. Release it with IAP and multiplatform (Android & iOS and maybe Windows Phone).
     
  19. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    Well yes, I did know that the PHP itself can't be hosted on Google Play servers. But what I wanted was the ability to have the PHP script invoked from its location by the Google Play store when that purchase button is clicked.

    And IAP? Urrgh... Get me away from that toxic liquid! :D
     
  20. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    Ok people, I have found a good method of hiding some part of the process; using AES encryption on the generated keys! I have a working AES implementation, courtesy of this link here: http://www.codeproject.com/Articles/769741/Csharp-AES-bits-Encryption-Library-with-Salt

    I am yet to add the code that actually generates the keys used by the licensing system I'm building. On top of this: who wants to help crack it when I'm finished? :D
     
  21. 128bit

    128bit

    Joined:
    Oct 8, 2014
    Posts:
    117
    I'm in :D Would like to test your security mechanism!
     
  22. twbowen

    twbowen

    Joined:
    Sep 27, 2013
    Posts:
    30
    This is it, @bennyboy Cubix Challenge.

    https://play.google.com/store/apps/details?id=com.ThinkertonGames.CubixChallenge&hl=en

    It's definitely getting a good response from those that review it. Most of the negative reviews are either overly harsh because it doesn't have a feature they want or some other random issue (e.g. someone wrote that they loved it and it was a 5* game and pressed the 2* button). It's a slow paced puzzle game, I'm working on a free ad supported version with IAP unlock and adding cloud save at the moment. The iOS version is imminent also.
     
  23. imagoFX

    imagoFX

    Joined:
    Sep 19, 2011
    Posts:
    81
    Me too! :)
     
  24. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
  25. 128bit

    128bit

    Joined:
    Oct 8, 2014
    Posts:
    117
  26. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    No no, just have been terribly busy with other things, I am still a student in yr 12 after all... :D (Had formal last week to wind up term 2, so I can relax now. ;))

    I actually got the key generation bits working when I began work on it. (The keys are fully encrypted too!) I am yet to find something truly unique on the android devices though, with the device ID being a possible solution, as that as far as I know is ALWAYS a unique identifier. (GPU ID might be too, I'm not sure about that one there)

    Would using encrypted asset bundles be a good way of doing it too? I thought of a way of encrypting and signing the game data with a system-specific key so that the game won't run on a different device, should a pirate get a hold of the APK on the device itself.

    If you want to find out a bit more, I should probably carry this into a PM conversation, because we don't need hackers snooping my data on this... :D

    EDIT: found a hilarious typo, and corrected it. (Don't know where I'm going to get "thins" from to bring to a PM converse! :D)
     
    Last edited: Jul 1, 2015
  27. Meltdown

    Meltdown

    Joined:
    Oct 13, 2010
    Posts:
    5,796
    Put as much as you can on the server or use a BaaS like GameSparks to manage as much of your data and game logic as possible.

    With GameSparks you can create 'snapshots' of your backend, and you can configure these to allow only certain client versions of your game to connect. So if say version 1.02 of your game is pirated, launch your 1.03 snapshot, and don't allow players to authenticate if they are using an older client version.

    This is one of many approaches you can take to make a hacker's life more difficult; eventually it will get to the point where they will rather target easier pickings.
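
Added example, not part of any post in this thread and not code from any poster: a server-side version of the approach discussed above, where a license key is issued only after the server has confirmed the purchase and older client versions are refused. All names, the secret and the version threshold are constructed for illustration; `purchase_verified` is a hypothetical stand-in for the server's own purchase check, and `account_id` is assumed to come from an authenticated session.

```python
import hashlib
import hmac

# Constructed demo values; a real secret is random and never ships in the APK.
SERVER_SECRET = b"constructed-demo-secret"
MIN_CLIENT_VERSION = (1, 3)  # "1.03": builds older than this are refused


def _mac(account_id: str, device_id: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (account_id.encode(), device_id.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_license(account_id: str, device_id: str, purchase_verified: bool):
    """Return a license key only for a purchase the server itself confirmed.

    purchase_verified is a hypothetical input standing in for the server's
    own verification of the purchase with the store.
    """
    if not purchase_verified:
        return None
    return _mac(account_id, device_id)


def parse_version(text: str):
    # Accepts "major.minor" only; anything else raises ValueError.
    major, minor = text.split(".")
    return int(major), int(minor)


def authorize(account_id, device_id, client_version, license_key):
    """Server-side gate placed in front of login or asset bundle downloads."""
    try:
        version = parse_version(client_version)
    except (ValueError, AttributeError):
        return False, "bad version"
    if version < MIN_CLIENT_VERSION:
        return False, "client too old"
    if not isinstance(license_key, str):
        return False, "invalid license"
    expected = _mac(account_id, device_id)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), license_key.encode()):
        return False, "invalid license"
    return True, "ok"
```

Because the secret and the decision both stay on the server, a key generated locally by a copied APK does not verify; this only protects what the server withholds, such as login or asset bundles.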
     
  28. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    That's actually an interesting way of doing it. :) I was thinking of putting all my game data in an encrypted form onto the device itself, and make it so ONLY that device can load that copy of the game. To actually download the asset bundles though needs a separate key to protect it from snoopers. ;)
     
  29. KrayZLogic

    KrayZLogic

    Joined:
    Jun 19, 2013
    Posts:
    55
  30. Meltdown

    Meltdown

    Joined:
    Oct 13, 2010
    Posts:
    5,796
    Very easily crackable.
     
  31. melonhead

    melonhead

    Joined:
    Jun 3, 2014
    Posts:
    603
    @FuzzyQuills have you abandoned the protection project? As a future Android developer I am looking for some secure protection. On that note, some people on here have mentioned using in-app purchasing instead of purchasing first, but is the in-app purchasing not crackable as well, or is it more secure?

    thanks in advance
     
  32. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    Erm... why didn't these show up in my notifications?! :D

    No, I haven't abandoned it, it's been on hold for a while now. Just been real busy with school and stuff, and on top of that, I don't quite have a game yet that would take advantage of it. I will definitely pick it up again though when the time comes, and yea, why not release it separately? :)

    And IAP? that's like teasing a child with a demo, I'd rather not do it, IMO, and plus, I just found several tools that crack IAP engines wide open, although most of them target a specific list of games. (Not sure how one would hack into unity's however... maybe an app.isGenuine check on the IAP screen?)

    Overall, I definitely agree with you that there's a need for a better system, and I have definitely laid down some of the foundations. (initial license key generation and AES encryption to name two of them. :))
     
  33. melonhead

    melonhead

    Joined:
    Jun 3, 2014
    Posts:
    603
    If you ever manage to get it working and get good test results I would certainly purchase it, as it seems at the moment with buy to play that you will end up with about 1 in 50 paying and 49 downloading free from the damn site cracking all the games from the play store. I am surprised that Google are allowing themselves to be ripped off of lots of income by not giving us a secure system for apk files.

    good luck
     
  34. FuzzyQuills

    FuzzyQuills

    Joined:
    Jun 8, 2013
    Posts:
    2,871
    I'm taking a guess you found the one million exploits for IAP then. ;)
     