9

Recently, I found my application is crack by some anti-lvl tools.

This tool could easily crack the "Android License Verification Library" in my application, and generate a new cracked apk.

It also provide lots of function hooks to prevent the developer from detecting their application is cracked. Such as get file length function or check signature function ...

Any one know how to defeat it?

Thanks.

dong221
  • 3,390
  • 6
  • 29
  • 31
  • If I am paying for an app, I would prefer to pay for features and value that the app provides to me, and not for paranoid protection schemes that will possible make the app slower, and which in general are hostile to me as a user because that makes negative assumptions on my intentions. I am *not* willing to pay for programmer's time spent on implementing protection schemes - I would prefer time and effort to be spent on improving the app, better tech support, etc. Release new versions that are *better* than the previous versions - this is the best 'protection' against cracking. – ccpizza Mar 09 '13 at 12:44
  • Make your app not to run on a **rooted** device. And, check if the unwanted anti-lvl tools are installed on the device. –  Jul 22 '17 at 05:34

3 Answers3

10

I don't like the standard response of "go check the google i/o presentation" simply because many of the techniques mentioned are defeated by antilvl. It is bad advice in my opinion as the topics, such as reflection and crc checking are already defeated.

Doing further research on antilvl, i came across the svn trunk to antilvl, with a very descriptive hint in a readme.txt file. Here is to prevent antilvl according to the author, prettied up by me. this will return true/false depending on the presence of smaliHook.java, which antilvl uses to hook normal package checks. This only works as a first line of defense, since the class name could be changed with a modded version of antilvl which is likely circulating somewhere. This is a good first check however, since it will defeat the average script kiddie.

protected boolean isAntiLVL(){
    try{
        Class.forName("smaliHook");
        return true;
    }catch(Exception e){}
    return false;
}
ThumbsDP
  • 543
  • 6
  • 18
  • Good point, this is a very fair compromise between additional effort and user experience. It won't affect performance and there's no reason it would accidentally detect a licensed user as unlicensed. – Tom Jun 20 '12 at 15:56
  • This doesnt work anymore. Probably they changed the name. Can you come up with the current filename? – tobias Jun 23 '13 at 17:16
  • 2
    The lvl now generates it randomly. Is not possible to guess the name - every run of antilvl is different. – marekdef Jun 30 '13 at 21:18
7

In general - there is no way to fully protect your application in the wild. User might have root access on his/her device and then all bets are off. You can introduce some manual "hackarounds", but if your app is a high-profile one, you will be cracked anyway.

Its just power-play between you and crackers. And if you fight crackers too hard you might hurt your fair users as well.

inazaruk
  • 74,247
  • 24
  • 188
  • 156
  • Yes, you're right. But this kind of general cracking tool will let anyone to crack any android applications without any background knowledge. It's very harmful for developers. – dong221 May 13 '11 at 11:54
  • 1
    If you read the first paragraph of the AntiLVL site you'd get the hint - use custom anti-tempering methods that are not accounted in that tool. I'm not even sure if that possible in Java and what overhead is (c/c++ is much easier for this), but anyway it will require some time, skills and bugs in this functionality will frustrate your users quite a bit. – inazaruk May 13 '11 at 13:10
3

I'd also refer you to check out this from Google I/O 2011:

Taken from: Avoid apk cracked

Thought it may be very useful to you!

Evading Pirates and Stopping Vampires

http://www.youtube.com/watch?v=TnSNCXR9fbY

EDIT The Presentation Notes: https://docs.google.com/viewer?url=http%3A%2F%2Fwww.google.com%2Fevents%2Fio%2F2011%2Fstatic%2Fpresofiles%2Fdgalpin_android_pirates_and_vampires.pdf

Some basic keypoints

  • Modify the LVL
  • Implement LVL Tamper Resistance
  • Use obfuscation
  • Use reflection
Community
  • 1
  • 1
TryTryAgain
  • 7,632
  • 11
  • 46
  • 82