Gamasutra: The Art & Business of Making Games
Passive/Aggressive Anti-piracy for Android Indies.
by dominic cerisano on 02/11/14 06:29:00 am   Featured Blogs

The following blog post, unless otherwise noted, was written by a member of Gamasutra’s community.
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.

 

Passive/Aggressive Scuttling

Here is an easily hidden technique I call 'scuttling' that works for Android apps deployed to Google AND Amazon. Scuttling is front-end piracy detection by the app. What to do once piracy is detected is in the purview of the app creator.

  •  Aggressive scuttling: e.g. terminates or hobbles the pirated app. Network communication is not necessarily required.
  •  Passive scuttling: no obvious app modification, e.g. customized back-end analytics tracking.

If your app was installed from any source other than Google or Amazon, scuttle() returns true.

    // Don't just copy/paste this code - that is what automated crackers look for - kludge it!
    // No network communication is required at runtime.
    // myPackageName should decode at runtime to "com.yourpackagename"
    // google        should decode at runtime to "com.android.vending"
    // amazon        should decode at runtime to "com.amazon.venezia"
    // Requires: import android.content.Context;

    public boolean scuttle(Context context, String myPackageName, String google, String amazon)
    {
      // Scallywags renamed your app?
      if (context.getPackageName().compareTo(myPackageName) != 0)
        return true; // BOOM!

      // Rogues relocated your app?
      // (getInstallerPackageName() is deprecated from API level 30; getInstallSourceInfo() replaces it.)
      String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
      if (installer == null)
        return true; // BOOM!
      if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
        return true; // BOOM!

      return false;
    }
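
The same check written so that it reports why it tripped, which lets the caller choose a passive or an aggressive response, and so that the store names are decoded at runtime as the comments above ask. This is an added example, not the author's code: the class name, enum, XOR key and encoded arrays are constructed for illustration, and XOR only keeps the names out of a plain string scan of the APK.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.nio.charset.StandardCharsets;

public final class InstallSource {            // hypothetical name
    public enum Verdict { AUTHORIZED, RENAMED, NO_INSTALLER, UNKNOWN_INSTALLER }

    private static final byte KEY = 0x5A;     // constructed sample key
    // "com.android.vending" and "com.amazon.venezia", each byte XORed with KEY.
    private static final byte[] GOOGLE = {
        0x39, 0x35, 0x37, 0x74, 0x3B, 0x34, 0x3E, 0x28, 0x35, 0x33,
        0x3E, 0x74, 0x2C, 0x3F, 0x34, 0x3E, 0x33, 0x34, 0x3D };
    private static final byte[] AMAZON = {
        0x39, 0x35, 0x37, 0x74, 0x3B, 0x37, 0x3B, 0x20, 0x35, 0x34,
        0x74, 0x2C, 0x3F, 0x34, 0x3F, 0x20, 0x33, 0x3B };

    static String decode(byte[] enc) {
        byte[] out = new byte[enc.length];
        for (int i = 0; i < enc.length; i++) out[i] = (byte) (enc[i] ^ KEY);
        return new String(out, StandardCharsets.US_ASCII);
    }

    /** Installer package name, or null when the package manager has none recorded. */
    static String installerOf(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                // API 30+ replacement for the deprecated getInstallerPackageName().
                return pm.getInstallSourceInfo(pkg).getInstallingPackageName();
            }
            return pm.getInstallerPackageName(pkg);
        } catch (PackageManager.NameNotFoundException | IllegalArgumentException e) {
            return null;                      // treat lookup failure as "no installer"
        }
    }

    public static Verdict check(Context ctx, String expectedPackage) {
        if (!ctx.getPackageName().equals(expectedPackage)) return Verdict.RENAMED;
        String installer = installerOf(ctx);
        if (installer == null) return Verdict.NO_INSTALLER;
        if (installer.equals(decode(GOOGLE)) || installer.equals(decode(AMAZON)))
            return Verdict.AUTHORIZED;
        return Verdict.UNKNOWN_INSTALLER;
    }
}
```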


RESULTS

The following screenshot was taken from Google Analytics. It shows a pirated, tracked free app from the Play Store (com.android.vending) that was redeployed with aggressive scuttling (non-Play Store installs detected and terminated - BOOM!). Non-Play Store (not-set) tracking drops. Tracking was not required, but was enabled for these measurements.

DISCUSSION

Note that service (app) signing plays a role in scuttling: the package manager enforces unique package names with unique signatures. This prevents installation of any com.android.vending download service other than the one that comes with Android.

This presents the question of what to do when the app is scuttled (pirate detected by the app). Piracy is a form of viralization (uncontrolled distribution) of your app. It is already detectable by enabling the analytics tracking back-end. Scuttling allows the app creator to customize a front-end response with or without tracking.

Aggressive scuttling is obviously detectable by pirates (BOOM!). This encourages further cracking. Passive scuttling is far less obvious, but may involve tracking.

Piracy may not be preventable but it is predictable, detectable, and trackable.

Tracking can present insurmountable problems to pirates, but also presents its own ethical issues.

Aggressive scuttling requiring no network communication, as outlined above, is perhaps the best solution. It is easily hidden (unlike licensing) and can be tailored to be as unobvious (passive) as possible.

A passive-aggressive scuttling example that involves the network might be using the new scoreTag metadata in the Google Play leaderboard API to store whether the game was pirated. GA/UA tracking is not used.

I would like to especially hear from the ethics crew about the following:

In a passive-aggressive scuttling scenario, authorized installs are not tracked.

Pirated installs, however, are tracked up the wazoo. Otherwise there is no difference in app behavior.

So, instead of crackable licensing, the app creator accepts tracking data as a kind of payment.

Q: Is it still piracy if tracking is received in lieu of payment for unauthorized installs?

Q: Does tracking in lieu of licensing imply authorization?

Q: If pirated installs become a valuable and viral distribution and analytics channel is it still piracy? Is this still an anti-piracy measure? Would this promote piracy? Does this actually redefine piracy?


Comments


Martin Edmaier
Really great article, you should make a Unity plugin for it ;)

dominic cerisano
My spidey senses (casual googling) tell me that this specific packagemanager functionality (protected by a signed service) is only native to Android. Other platforms can report the installer, but not in such a secure way (easily spoofed). This might be an area where Android simply 'got it right'.

Andy Lundell
I've recently been reminded that many "unauthorized installs" are by people who don't even realize they're connecting to an unauthorized store. They bought a weirdo tablet for cheap that's locked to some strange app store in Hong Kong. Understandably, they're surprised when developers are upset or confused that they downloaded the game!

I don't know how that affects the three questions you asked, but it implies to me that you'd better be very sure that your "scuttled" version runs properly. (or not at all.) You wouldn't want thousands of people posting to Facebook that your app runs slowly and crashes a lot!

SD Marlow
Yeah, I'm not in favor of breaking a game because it's most likely played by someone that has no way (or a very difficult way) of paying, or someone with a purchased copy trying to load it on a second device they own (family, friends, college buddies... shouldn't matter if they know each other in person).

As to those questions... not sure why you would accept tracking as payment, but doing so not only implies authorization, you might be required to explicitly say that in the ToS/EULA. Yikes! And yes, if you're tracking as payment, it's no longer a pirated copy.

A pirated copy can still provide data on game play and device type, but word of mouth is equally likely to encourage more pirating than more sales, and most of those sales will be from formerly pirated copies (if they like the game and are locked-out of online play or something where legit copy checking is stronger).

dominic cerisano
You would be an advocate of 'passive scuttling' then, requiring only the most subtle modification (eg - a periodic toast message stating that the app is unauthorized). As you say, users might not be aware of that.

Again, scuttling is a lightweight solution, easily implemented and hidden. Perfect for indies.

dominic cerisano
Scuttling is only detection of an unauthorized app. The app creator decides how passive (do nothing) or aggressive (blow up pirates) the response is.

Yes, this would prevent app copying, but that is actually an edge case - most users have no idea how to do that. However, you can always just log on to your buddy's device, install the previously purchased app and log out, I believe.

Simon Ludgate
I recently had an experience that would make me, as a user, upset with aggressive scuttling, and it's due to the fact that the Play Store doesn't support past versions of apps. It seems to me that when you update an app or game and it stops working on your handset, you can't roll back to a previous version that does work. The past version, as far as I can tell, is completely gone, and the only option is to directly download the .apk and install it that way.

Although this hasn't happened to me with games, it has happened to me with apps. The ironic part is that these have been free apps with premium paid versions or IAPs, and while I had been satisfied using the limited free version legitimately, the only source of past (ie: working, compatible) versions of these apps I could find were pirated downloads.

Is there some more viable way to solve this problem? Actually offering support might be one (I did contact the app creator but never received a reply in my case). I don't know enough about the Android ecosystem to offer more ideas.

Regarding the ethics of tracking, there may be legal issues at play: even if a user has illegally pirated an app, that doesn't grant you the legal right to violate their privacy. You may have to include information about the tracking in the EULA. I don't know whether or not you'd also have to provide users information about when they're being tracked.

dominic cerisano
Excellent reply!

An interesting edge case. If an app creator is pushing out new versions that don't work, they have bigger problems than piracy. They probably are not testing on enough platforms.

Scuttling (afaik) works on all platforms, since it only involves the package manager, which is common to all, and stable.

So aggressive scuttling would enrage users of an app whose platform is suddenly no longer supported, providing very valuable hate-mail to the app creator to fix it.

The app creator could just publish the old version under a different name and allow complainants to become free beta users. Or something.

As for the ethics, it is important to note that solutions can be legal and still unethical. An ethical solution would prevent any unethical solution, by definition.

David Collier-Brown
My old company used to get new sales leads from the support team: when a customer called with a problem and they hadn't bought the product, we'd solve the problem, and give them our sales number. A significant number would call back and buy a copy in order to be "legit" when they reported problems. That included two schools who were using it for classes, somewhat to our surprise! We had to invent a site licence in the middle of a telephone call (:-))

On android when pushing out updates, I'd like to be able to send a newly-discovered user a message that says "This is a bug-fix update. We recommend you purchase a copy for further support"

dominic cerisano
Great example of "passive scuttling". Given the viral nature of android apps, it is hard to determine why a user has a pirated copy.

This example would involve a broadcast intent from the package manager when it installs an update.

The package manager is extremely well designed (works like rpm/apt/yum) and allows for an enormous range of business strategies for dealing with end users.

