Android Market DRM busted < 12 hrs!

Well, paid applications have officially rolled out, or rather – reached my phone through the Android Market. The first thing I wanted to find out was: what protection scheme is used?! My first assumption was that it might be something tied to your account, or android id – something sort of like SlideLOCK, which I previously mentioned. So after looking around the market I downloaded a few applications, and I also decided to download some “protected” free applications. Mainly I wanted free applications to toy with, so I didn’t feel bad possibly violating paid ones 🙂

The programs I’ve started with were Inaugural Address 2009 and Phandroid News. Both are “protected” applications. What does this mean exactly? After a little digging it was clear exactly what “protected” actually meant:

Location, location, location!

So first I checked, as you can tell, the SD card. Originally I was checking posts at xda-devs and someone posted that they were located on the SD card and were .zip files. This is false: the packages are .apk files and are located in the /data/app-private folder, as you can see from the screenshot above. Well, what does this mean exactly? This means a non-protected app, which is stored in /data/app, can be pulled using adb, while a protected app, which is located in /data/app-private, is not allowed to be pulled by adb.
Though… with a rooted phone – this isn’t exactly a problem since it can pull any file!

Alright, so what? Isn’t there some more protection involved in this?!

Sadly, that’s what I (wrongly) assumed too. What I assumed was that there would be some more protection other than just things being “protected” in a folder. Possibly, it being linked to the android id? Maybe it not being able to be installed on another device or through a “non-market” source. Or maybe the market would track it, since it does for updates on market installed applications… Well, sadly, no – no other protection seems to be present.

All “protected” applications can be dexdumped like a normal one, can be pulled (as long as you have a rooted phone), then reinstalled. The even worse part is that protected applications don’t stay in the protected folder when installed via a web download or adb install. They simply get pushed into the normal /data/app folder… Some protection, huh? Oh, and my first assumption that the market might look for these also appears to be false. The market does not check any applications installed from an “unknown source” – so that idea for protection is a complete bust.

```
C:\Documents and Settings\tstrazze\Desktop\eclipse\android-sdk-windows-1.0_r1\tools>adb install phandroidnews.apk
374 KB/s (0 bytes in 1286982.003s)
pkg: /data/local/tmp/phandroidnews.apk

C:\Documents and Settings\tstrazze\Desktop\eclipse\android-sdk-windows-1.0_r1\tools>adb shell
# cd data
cd data
# cd app-private
cd app-private
# ls
# cd ..
cd ..
# cd app
cd app
# ls
```
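
The directory split described above can be checked from a package listing. The following is an added example, not code from the original post: it classifies packages by install directory and reports copy-protected packages whose .apk sits outside /data/app-private. The listing lines are constructed in the `package:<apk path>=<name>` shape that `pm list packages -f` prints, and the package names and the `PROTECTED` set are hypothetical.

```python
# Added example: audit install locations using the layout the post describes.
# Sample lines are constructed, in the `package:<apk path>=<name>` shape that
# `pm list packages -f` prints; package names are hypothetical.
SAMPLE_LISTING = """\
package:/system/app/Browser.apk=com.android.browser
package:/data/app-private/com.example.paidgame.apk=com.example.paidgame
package:/data/app/com.example.freeapp.apk=com.example.freeapp
package:/data/app/com.example.paidnews.apk=com.example.paidnews
this line is not a package entry
"""

# Assumption: packages the publisher uploaded with copy protection enabled.
PROTECTED = {"com.example.paidgame", "com.example.paidnews"}

LOCATIONS = (
    ("/data/app-private/", "protected"),
    ("/data/app/", "normal"),
    ("/system/app/", "system"),
)

def parse_listing(text):
    """Return {package name: apk path}, skipping lines that do not parse."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the last '=' so a path that contains '=' stays intact.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            packages[name] = path
    return packages

def classify(path):
    """Map an apk path to the install area it lives in."""
    for prefix, label in LOCATIONS:
        if path.startswith(prefix):
            return label
    return "other"

def misplaced_protected(text, protected=PROTECTED):
    """Copy-protected packages whose apk is outside /data/app-private."""
    packages = parse_listing(text)
    return sorted(n for n in protected
                  if n in packages and classify(packages[n]) != "protected")

if __name__ == "__main__":
    for name, path in sorted(parse_listing(SAMPLE_LISTING).items()):
        print(f"{classify(path):10} {name}  {path}")
    print("outside app-private:", misplaced_protected(SAMPLE_LISTING))
```

A protected package reported here was installed from somewhere other than the Market, which is the case the post shows the Market itself does not check for.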

What sort of makes this whole ironic deal even odder, is the refund policy. Within twenty-four hours of a download, you are allowed to uninstall and get a full refund of the product you purchased. So you could theoretically just rip all the applications you want, not that I am suggesting this at all.

Want to try this process? Well, I’ve uploaded Inaugural Address to my site for testing. This is the protected application that is free on the market. As you will notice, it installs to the /data/app directory, not the /data/app-private directory. I’ve tested this process with multiple applications on my rooted G1, and a friend also verified that installing “protected” applications through an unknown source also works on their stock G1 (non-rooted). (If the author wants me to remove this, I will gladly do so – I just wanted an example and figured a free application/free service would not mind the attention)

So what are developers to do? Well, recently I bashed on the SlideLOCK in a previous post… Though – the more I looked at it, this seems like the best option for developers to protect their applications. Though, hopefully google will remedy this solution and fast. Until then though, strike-one google market.

Edit: The author of phandroid news asked me to remove his application, so I have. In its place I’ve uploaded the inaugural address 2009 application unless that author would like me to remove it.

Edit2: To clarify, I’ve tested this with a free PROTECTED application. This is NOT the same as a free non-protected application; at phandroid he shows what the step looks like to have a “protected” application as opposed to a “non-protected” one. Also the protected applications appear to be identical to the paid applications, which are also protected.

  1. wow. just wow.

  2. That is very interesting. I’ll have to check that out when the roll out hits my phone.

  3. Check your email.

  4. no!! i refuse to believe google is this stupid…

    oh wait… it really worked..

  5. But does this work for ACTUAL paid applications?

    For all we know, google may have just not protected free apps the same way as paid ones since people could try experimenting with the free ones to find a backdoor.

    I’ll try this myself (eventually) on my rooted G1 using some paid app that I’m probably going to buy anyways and then refund it.

  6. Unk,

    Yes – it does work on paid applications. The protection method is the same.

  7. Wow… but the thing is, even if you can “crack” these apps, you still need to buy them (or have someone else buy them) if you want to get any of the updates since you can only get a refund once per app.

  8. wow… this seems a bit too fishy. it’s like google wants the apps to be abused. i smell an android section at pda4x. it’s back up and running just in time for pirates.

  9. Hmmh, maybe this is a temporary issue. From my point of view every activity from communication to deployment and operations of the Android Market has been non-optimal to say the least. I sure hope they will learn, but I also think that permanent damage has been done already, e.g. only letting US and UK developers into the market and becoming the category winners before the rest of the world is allowed to join the competition.

    Anyway, I am ranting, it says on the configuration dialog: “On (Helps prevent copying of this application from the device. Increases the amount of memory required by users to install the application)” … How would that be true, if it is just another directory? Maybe they just didn’t get the proper mechanism in place yet?

  10. Hey Tim, it would be great if you could give an example of a paid app, not necessarily a how-to, just a proof that it can be done.

  11. This makes no real difference.

    Most phone apps are so cheap that for the vast majority of people they will prefer to simply pay to get the app.

    The beauty of phone apps is that with millions of customers buying primarily on a whim an app developer can afford to sell them so cheap that the desire to pirate the applications is much less.

  12. Hi, I don’t think all applications are in apk file type, I found some apps in zip files (all EA games, all Gameloft games)

  13. If you’re looking for a paid app to crack wide open that no one will give a stuff about being spread all over the net, here’s the ideal candidate: http://news.cnet.com/8301-1035_3-10170331-94.html?goback=.hom

  14. Tim,
    I don’t mind that you use my app, Inaugural Address USA 2009, as a demo. We are all trying to learn this new platform (including google staff apparently) and your work is important in helping us learn faster. The most effective way to learn is the public way so I understand the benefits of your work.

    Feel free to use the full package name, which includes *simplecode*. I might as well get some direct exposure.

    I cannot see any priced app on the market from my rooted phone, a dev phone 1. Can you see them from your rooted phone?

    The app that you used here, Inaugural Address USA 2009, was first published as unprotected, therefore this example is not fool proof, i.e., you could have gotten the app before I protected it. I’m not saying that you did that, I’m just saying that this example is not definite evidence. I’ll let you know when I publish my next free protected app.

    Btw, did you break my encryption yet?

    Good work, keep it coming, as I’m sure you will.

  15. so i tried copying midnight bowling to my sdcard and it worked perfectly, however now that i try to install it it shows up as “android system” and it says it will replace an application i already have installed, i already uninstalled and got my money back for midnight bowling so why would it be replacing something unless it is indeed replacing the android system. The file i copied over was “com.gameloft.android.MPL2.apk” anyone know what’s up with this?

  16. Tim,

    Would I be correct in concluding that your rooted phone is a jailbroken G1 and not a dev phone (ADP1)?


  17. @ Chris

    You shouldn’t be reinstalling refunded games – that’s pirating.

    @ serge

    Yes I have a rooted G1 opposed to a developer G1

  18. Thanks for that news. It’s scary how easily this DRM protection could be circumvented!

    @Simplecode, inc.
    Paid applications only work with R33, which is currently only available in the US. For paid applications to work, it’s necessary to have the 1.1 SDK/Framework on your phone.

  19. I’ve tried this only for the purpose of experimenting with it. however, if someone does this, they have no way to update without actually officially buying the app. so one way or another you end up buying the app.

  20. Tim,
    Have you been barred from Android groups?

  21. @tim

    I was doing it for testing purposes only, i was not pirating.
    oh but thanks for the help!!!

    I think i figured out why this happened, so in case anyone wants to know, if a developer created an app and doesn’t name the .apk the same as what they name it on the android market it will not install correctly (i think). i’m not positive about this, i just did some googling and found some developers having that problem while they were trying to test their application.

  22. Hey very nice blog!! Man .. Beautiful .. Amazing .. I will bookmark your blog and take the feeds also…

  23. Google does not offend your prospect?

  24. very inspiring stuff 🙂 Just subscribed to your feed.

  25. I bookmarked this site, Thank you for good job!

  26. how the hell are you supposed to get this to work

  27. I can’t get it…please email me

  28. i tried all day to do this it seems to not be working for me can u post a video for me so i can look at it

  29. Thanks for all the info. ..I’m having a problem with my Droid. Cyanogen 505 I installed and did not back up recovery. I am new to this and was having a lot of fun.. until I noticed the rom was a cdma I have a legitimate account with Verizon. I can’t get back to android market and get the Apps I need to fix my phone. Cyanogen has the rom signatured and I can’t change back to stock 2.0.1 when I apply my back up file that I copied when I first rooted my phone. I used a rom manager from android market and did not back up my files before I flashed….please write me and let me know if there is any way I can fix this mess. I thought since I was already rooted I would be OK I’m not the only one who is having this problem. I can’t sign in to the Google Account. It keeps saying can’t establish data after I try to sign in. …thus I can’t get to market or maps or navigation everything else seems to be OK..



  30. What the f, I still don’t know what rooted is, I just don’t want to pay for anything over 99 cents. I was looking for a free copy of gde and this was google’s first search result.

  31. How about this
    look for the application

    it has multiple protections it seems
    times out after so many minutes
    to register you pay via google payments and get a google confirmation number
    inserting the number into the app makes it work

  32. Hey

    I don’t get what I’m supposed to do to get the apps for free. Could you mail me? thanks! 🙂


  33. You can also get root explorer and simply transfer files to your SD card. Uninstall and Refund them and also transfer them over basic usb from sdcard to computer.

  34. You don’t need to do all of this. Root your phone, get root explorer, find APK, copy it, put it on SD card. u&r and then reinstall from sdcard. Bam, done, all from the phone.

  35. hello
    i just bought a china ipad 10.1″. i guess it’s locked it won’t let me put any apps not bought from the store. i need a good movie player, e-type reader, and a bluetooth app.
    any help out there.

  36. Are you serious? I disagree with your information. Tell me what you enjoy about these things?
