Yesterday, Carl Howe of the Yankee Group gave a Webinar about Android Pirates. Whazzat? Android pirates in Cyberspace? We’re all familiar with the very real problem of software piracy. Well, it’s spread to apps. In fact, the very nature of smartphone apps makes them easy to pirate, at least technologically. But first, Howe looked at the scope of the problem.
According to Yankee Group data, Android phone users download an average of five apps per month. Me, I’m on the bottom end of that scale. I download perhaps one app every five months, but then I no longer reside in the demographic sweet spot for this sort of thing. In any case, more than 90% of those downloaded apps are free apps. Nevertheless, there is real money being lost here.
Location-based smartphone tools developer Skyhook ran a study to scope the problem. The company used an online survey and invited 250 top smartphone app developers to participate. Exactly half of the developers reported that their apps had been pirated. Of those, a little more than half reported that the estimated losses due to piracy were less than $10,000. However, 25% reported losses of between $10,000 and $100,000 and 7% reported losses of more than $100,000. Losses come from increased support costs, increased licensing costs, and increased server costs. This is not a “victimless” crime.
Why is this happening? Because it’s easy. Howe noted that it takes less than an hour to pirate a smartphone app. That’s because the vast majority of these apps use interpreted Java byte code, which is easily decompiled, modified, and then recompiled. Once decompiled, some simple text substitution to replace the actual developer’s name with the pirate developer’s name followed by a recompilation is all that’s needed to create the new, pirated version of the app. Then the pirate submits the app for certification and inclusion into the Android market. There, now you too know how to pirate an app.
Apple’s app ecosystem also has some piracy, but Apple acts as a much stricter gatekeeper for its App Store. Apparently, Google’s policing is more lax, for now.
Howe suggests several fixes for the problem. First, he recommends a stricter market certification for Android apps. Then he suggests adding payment receipts, essentially certificates of purchase that live on the user’s smartphone to authenticate the app. This step will cut down on the problem of people “returning” pirated apps to the original developer for fraudulent refunds. (Yes, that actually happens.) He also suggests adding code obfuscation and tamper-detecting signatures to the app code as a default compilation mode.
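The receipt and tamper-detection ideas above, sketched as an added example (not code from the webinar or from any Android API): a developer's server issues a MAC-protected receipt bound to the package name and the digest of the app's signing certificate, then checks it before honouring a refund. The function names, receipt fields, key, package name and certificate bytes are constructed assumptions, as is the idea that the client reports the installed build's signer digest with the refund request.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret kept only on the developer's server

def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate; changes when an app is re-signed."""
    return hashlib.sha256(cert_der).hexdigest()

def _mac(body: dict, key: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def issue_receipt(order_id: str, package: str, signer: str, key: bytes = SERVER_KEY) -> dict:
    """Issued at purchase time and stored on the user's phone."""
    body = {"order_id": order_id, "package": package, "signer": signer}
    return {**body, "mac": _mac(body, key)}

def check_refund(receipt: dict, installed_package: str, installed_signer: str,
                 key: bytes = SERVER_KEY) -> str:
    """Run by the developer's server before honouring a refund request."""
    body = {k: receipt.get(k) for k in ("order_id", "package", "signer")}
    presented = str(receipt.get("mac", "")).encode()
    if not hmac.compare_digest(_mac(body, key).encode(), presented):
        return "reject: receipt was not issued by this developer"
    if (body["package"], body["signer"]) != (installed_package, installed_signer):
        return "reject: installed build is not the one that was sold"
    return "ok"

# Constructed sample data: stand-ins for real certificate bytes.
DEV_SIGNER = cert_digest(b"constructed developer certificate")
RESIGNED_SIGNER = cert_digest(b"constructed re-signed certificate")

if __name__ == "__main__":
    receipt = issue_receipt("order-0001", "com.example.app", DEV_SIGNER)
    print(check_refund(receipt, "com.example.app", DEV_SIGNER))
    print(check_refund(receipt, "com.example.app", RESIGNED_SIGNER))
    print(check_refund({**receipt, "order_id": "order-9999"}, "com.example.app", DEV_SIGNER))
```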
The entire Webinar lasts about 40 minutes and you can listen to it yourself. Here.