Licensing Server News

It’s been reported that someone has figured out, and published, a way to hack some Android apps to bypass our new Android Market licensing server. We’ll be saying more on this, but there are a few points that deserve to be made right now:

  • The licensing service, while very young, is a significant step forward in terms of protection over the plain copy-protection facility that used to be the norm. In the how-to-pirate piece, its author wrote: “For now, Google’s Licensing Service is still, in my opinion, the best option for copy protection.”

  • The licensing service provides infrastructure that developers can use to write custom authentication checks for each of their applications. The first release shipped with the simplest, most transparent imaginable sample implementation, which was written to be easy to understand and modify, rather than security-focused.

  • Some developers are using this sample as-is, which makes their applications easier to attack. The attacks we’ve seen so far are also all on applications that have neglected to obfuscate their code, a practice that we strongly recommend. We’ll be publishing detailed instructions for developers on how to do this.

  • The number of apps that have migrated to the licensing server at this point in time is very small. It will grow, because the server is a step forward.

  • 100% piracy protection is never possible in any system that runs third-party code, but the licensing server, when correctly implemented and customized for your app, is designed to dramatically increase the cost and difficulty of pirating.

  • The best attack on pirates is to make their work more difficult and expensive, while simultaneously making the legal path to products straightforward, easy, and fast. Piracy is a bad business to be in when the user has a choice between easily purchasing the app and visiting an untrustworthy, black-market site.

Android Market is already a responsive, low-friction, safe way for developer to get their products to users. The licensing server makes it safer, and we will continue to improve it. The economics are already working for the developers and against the pirates, and are only going to tilt further in that direction.

A Little Too Popular

A couple of weeks ago, we arranged that registered developers could buy an unlocked Nexus One via their publisher page in Android Market. We think it’s a good development platform and a nice phone. Apparently, you agree. Somewhat too many of you, in fact; we blew through the (substantial) initial inventory in almost no time, and they’re back-ordered from HTC, who are doing a pretty good job of managing runaway success amid a worldwide AMOLED shortage. Everyone appreciates that it’s important to the platform to get phones in the hands of developers, so we’re working hard on re-stocking the shelves; stand by.

Two Simple Questions

And the answers to them, posted here and there by senior Android engineers.

How much memory is my app using?

Over at Stack Overflow, our own Dianne Hackborn takes this up in detail. There's no simple answer, but Dianne does offer lots of useful information.

How do I make a ScrollView behave?

This one does have a simple answer, and our Romain Guy offers it in ScrollView’s handy trick. It's easy enough to do once you know how, which is harder to find out than you might think, because there's one useful XML attribute that's there in the examples but missing in the docs. Oops!

Powering Chrome to Phone with Android Cloud to Device Messaging

[This post is by Dave Burke, who's an Engineering Manager 80% of the time. — Tim Bray]

Android Cloud to Device Messaging (C2DM) was launched recently as part of Android 2.2. C2DM enables third-party developers to push lightweight data messages to the phone. C2DM created a nice opportunity for us to pull together different Google developer tools to create a simple but useful application to enable users to push links and other information from their desktop / laptop to their phone. The result was Chrome to Phone - a 20-percent time project at Google.

Chrome to Phone comprises a Chrome Extension, an Android Application, and a Google AppEngine server. All of the code is open sourced and serves as a nice example of how to use C2DM.

The message flow in Chrome to Phone is fairly typical of a push service:

  1. The Android Application registers with the C2DM service and gets a device registration ID for the user. It sends this registration ID along with the user's account name to the AppEngine server.

  2. The AppEngine server authenticates the user account and stores the mapping from account name to device registration ID.

  3. The Chrome Extension accesses the URL and page title for the current tab, and POSTs it to the AppEngine server.

  4. The AppEngine server authenticates the user and looks up the corresponding device registration ID for the user account name. It then HTTP POSTs the URL and title to Google's C2DM servers, which subsequently route the message to the device, resulting in an Intent broadcast.

  5. The Android application is woken by its Intent receiver. The Android application then routes the URL to the appropriate application via a new Intent (e.g. browser, dialer, or Google Maps).

An interesting design choice in this application was to send the payload (URL and title) as part of the push message. A hash of the URL is used as a collapse_key to prevent multiple button presses resulting in duplicate intents. In principle the whole URL could have been used, but the hash is shorter and avoids unnecessarily exposing payload data. An alternative approach (and indeed the preferred one for larger payloads) is to use the push message service as a tickle to wake up the application, which would subsequently fetch the payload out-of-band, e.g. over HTTP.

The code for Chrome to Phone is online. Both the AppEngine and Android Application include a reusable package called com.google.android.c2dm that handles the lower-level C2DM interactions (e.g. configuration, task queues for resilience, etc).

Chrome to Phone is useful, but maybe it’s most interesting as an example of how to use Android C2DM.

Nexus One Developer Phone

We've always offered unlocked phones for direct sale to registered Android Developers. As of today, the Developer Phone is the Nexus One, at a price of $529. To see the details or order a phone, you need to sign in to your Android developer account and click on the "Development Phones" link.

The Nexus One combines an up-to-the-minute platform (Android 2.2), modern hardware, and the pure Android software suite. It's a good choice both for people who want to build Android applications using either the SDK or the NDK, and those who want to experiment with modified versions of the Android platform. Note that the Nexus One still ships with Android 2.1 but will download 2.2 soon after you turn it on; make sure you’re near a fast network.

As well as being an outstanding developer platform, it's a really nice everyday phone; we're really happy to have connected the right dots to make this happen.

[Update]: A bunch of people have spoken up wondering about Nexus One accessories. They are available right now in HTC's European online store. When we get more news, we'll pass it along.

[Update, Aug 6th]: The HTC US store now has accessories too.

Best Practices for Handling Android User Data

App listing that includes link to privacy policy

Make sure that your app's listing includes a link to your privacy policy.

By Nick Kralevich, an engineer on the Android Security Team

As the use of mobile applications grows, people are paying more attention to how these applications use their data. While the Android platform contains extensive permissions designed to protect users, application developers are ultimately responsible for how they handle users’ information. It’s important for developers to understand the code they include, and consider the permissions they request, as mishandling these issues can result in users perceiving a violation of trust.

Maintaining a healthy and trustworthy ecosystem is in every Android developer’s best interest.

Here are a few tips for writing trustworthy Android applications:

  1. Maintain a privacy policy

  2. Minimize permissions

  3. Give your users a choice regarding data collection

  4. Don’t collect unnecessary information

  5. Don’t send data off the device

  6. ... but if you have to, use encryption and data minimization

  7. Don’t use code you don’t understand

  8. Don’t log device or user specific information.

Maintain a privacy policy

Trustworthy applications are up-front about the data they collect and the reasons for collecting it. Users are generally happy to share information via such apps if they believe they will personally benefit. A clear and concise privacy policy, with details about the type of information collected and how it’s used, goes a long way towards generating trust and goodwill. You can link users to your privacy policy right from your app's Google Play listing — visit the Developer Console to add the link.

An app's permissions shown in the Settings UI.

Make sure that your app requests only the permissions that it actually needs.

Minimize permissions

Android is unique among mobile operating systems for its simple, straightforward, operating-system-enforced permission model. All Android applications must declare the permissions they require, and users must approve these permissions before the application is installed. Users tend to distrust applications that require excessive permissions.

For example, a user installing the tic-tac-toe game at left might reasonably wonder why it needs to take pictures.

Give your users a choice regarding data collection

It’s called the paradox of privacy [PDF, 890K]. Users are often happy to share their information, but they want control over that sharing. Trustworthy applications give users control over their information. For example, the Android Browser has privacy settings which enable users to control how their information is shared.

Don’t collect unnecessary information

Trustworthy applications limit the kinds of data they collect. Collecting unnecessary information, especially if you never use it, just invites suspicion. When in doubt, don’t collect it.

Don’t send data off the device

If you have to handle user data, ensure that the data remains on the device whenever possible. Users are comforted knowing that their private information strictly resides in the phone. Sending data outside the phone, even if done for the user’s benefit, tends to draw suspicion.

... but if you have to, use encryption and data minimization

Sometimes, the collection of data is necessary. In that case, applications need to ensure that it is handled safely. A privacy policy will avoid leading to surprised and irritated users; in some cases, it may be advisable to prompt the user before transmitting data off-device.

First, minimize the amount of data you collect. Do you really need the user’s full phone number, or would the area code be sufficient? Can you use a one-way cryptographic hash function on the data before sending it to the server to help protect the user’s confidential information?

User settings for managing data

Put users in control by letting them manage how your app handles their data.

Second, encryption is critical to the safe handling of user data. Phones often operate on untrusted networks where attackers can sniff confidential traffic. Encrypting data in transit is a critical part of protecting user information.

Finally, when communicating with a server over HTTP, it’s a good idea to avoid encoding user information in a URL that is used with HTTP GET; rather, POST it in a message body. While using POST doesn’t guarantee that your information won’t be sniffed, putting it in the URL increases the likelihood that it will be automatically logged; out of the box, most web server software logs all the URLs that are received.

A case study: User Favorites

Suppose you want your app to maintain a list of “favorites” for each of your users, without going through a full registration process. In theory, you could do this by sending your server some combination of their phone number, device ID, or SIM ID. But why take the chance of worrying people about privacy issues; why not send a one-way hashed signature of whatever the identifying information is? Or even better, create a random unique id and store it on the phone, and use this unique id as the registration key for your application.

In the end, you’ll will still be able to retrieve their favorites, but you won’t need to send or store anything sensitive.

Don’t use code you don’t understand

In the open-source Android environment, it’s common (and good) practice to rely heavily on other people’s code, in the form of libraries and frameworks. But if that code is handling your users’ information inappropriately, it’s your problem. So make a point of checking code before you rely on it.

Don’t log user or device specific information

Application developers should be careful about on-device logs. Android makes it easy to write to the phone’s log, and anyone who has looked at “logcat” output knows that it is full of important but seemingly random debugging information from many applications. In Android, logs are a shared resource, and are available to an application with the READ_LOGS permission (only with user consent, of course!). Even though the phone log data is temporary and erased on reboot, inappropriate logging of user information could inadvertently leak user data to other applications.