Saturday, 1 December 2012

What is Android application licensing?

I ran into this permission this morning:

com.android.vending.CHECK_LICENSE

What it means is that the app will check with Google play (aka android marketplace) that the app was bought by the user that is now running it. The application holds the public key and uses this to check the "check_license" response from Google.

Is it possible to mess with this process? Well it would depend on where the public key is stored and how Google implements the process (including obviously security of transmission).

One thing that immediately stands out is this following piece of advice from Android themselves:

A typical implementation would extract some or all fields from the license response and store the data locally to a persistent store, such as through SharedPreferences storage, to ensure that the data is accessible across application invocations and device power cycles. For example, a Policy would maintain the timestamp of the last successful license check, the retry count, the license validity period, and similar information in a persistent store, rather than resetting the values each time the application is launched.
Sharedpreferences is only secured by using the sandbox model. This means any rooted devices would permit the user to alter these values simple by editing the .xml file.

What Google have done to allow developers to defend against this is to create AESObfuscator. This encrypts the data using the Android ID as the key. Obviously this is still recoverable by the user, but certainly makes it take a little longer to perform.

I can foresee two attacks coming out of this.
 #1 - Applications on 3rd party app stores stating they can "unlock" licensed applications. They would require a r00ted device to work and could do all sorts of nefarious things in the background. Because they would not be allowed on Google Play, they would have no checking and could contain malware.

#2 - Applications implementing their own obfuscation/ trusting license info input. Their is a long history of Android applications assuming the best about files in their own sandbox and implementing their own logic and functions when using the data contained. It allows attackers who can overcome the sandbox (say by running on a rooted device) to inject data that is then used in the context of the app.

No comments: