最终，Android中对应用程序的内置保护非常差.这是您的***做法.

1)是，Google建议使用代码混淆，签名编码及其许可证验证服务器，以防止软件被盗.但是，它们的实现存在很大缺陷. APK必须运行的唯一要求是对它进行签名.不管是谁签名的.不会检查您的签名是否是与它签名的签名.因此，要破解它，您只需删除许可证检查并使用您想要的任何证书重新签名即可.然后，用户可以在选中允许非市场应用程序"的情况下将其加载到手机上.

请勿按原样使用Google许可.大量修改代码.添加一些在生成密钥时要使用的新参数.移动代码/重新设计代码.不要将Google许可库包含在库项目中.将其直接放在您的代码中.使代码尽可能简洁明了.添加什么也不做的函数，但是要动态修改值.稍后再进行其他将其转换回的功能.在整个代码库中扩展许可证验证.

如果不执行这些步骤，则可以自动破解代码.通过执行这些步骤，至少饼干需要花一些时间来手工破解它.最多可能只需要几个小时.但是，比立即破解标准的Google授权层要花几个小时.有些破解工具实际上只会自动下载新发布的android程序包，如果它们使用标准的android许可，请对其进行破解，然后将破解的APK上传到这些类型的网站.通过使您的实现不是普通的实现，可以使工作变得更加困难，而最终只需花费几个小时.

2)这是一种常见的抗裂技术.您可以根据需要在Android上执行此操作.但是它可能会在大约5分钟内破裂.如果您是Google，则有有关如何破解此特定技术的教程.基本上，您只需要在代码中查找CRC调用，然后在CRC返回后删除检查即可.

Android没有固有的安全性.您可以生根任何手机并下载APK.您可以轻松地破解APK以启用调试功能，而只需执行代码一步即可查看代码中存储的所有密钥.因此，最后，我不会在此上花费太多时间.保护Android应用程序是不可能的.我只是在上面的列表中做一些常识性的事情，然后继续.

3)如果您确实很偏执，可以在自己的许可服务器上实施自己的许可.这是我采用的方法，但并不是为了保护应用程序以防盗窃，它不是给我一种直接从我的网站上销售应用程序的机制，这样没有Google Play的用户仍然可以购买我的应用程序.>

I've just released an app, a paid app, 4 days later a user told me there's another web site in China hosts my app. I downloaded it from there, and it does run fine on my device!

There are posts here saying people can change the package name and republish an apk. But this is not my case, the cracked version still uses the same package name. I used Android Vending Licensing in the program, but the cracked version does not do licensing check at all. I used ProGuard to obfuscate it, but that doesn't discourage the hackers.

Question #1: I signed the apk file according to Google's instructions. But still, they modified the code and took out the licensing check part. Am I wrong that signing an apk file is designed to keep people from tampering with the file content?

Question #2: For Win32 .exe programs, I used to use a checksum to determine if the file has been altered. This is how it works: When a .exe is created, I used a tool to calculate the sum of byte contents of the file, then stuff it into somewhere in the file, for example, 4 bytes after a text pattern "MY SIGNATURE". Then at run time, the program opens the .exe file and calculates the byte sum, compares it with the integer after the signature.

Has anybody tried this approach on apk files? Care to share your experiences?

Ultimately the built in protection of apps in Android is very poor. Here are your best practices.

1) Yes Google's recommendation to use code obfuscation, signed coded, and their license verification server is designed to prevent software theft. Their implementation however is highly flawed. The only requirement that an APK has to run is that it be signed. It doesn't matter who signed it though. There are no checks that your signature is the one it's signed with. So to crack it you just remove the license check and re-sign with whatever cert you want. Then a user can load it on their phone with "allow non market apps" checked.

Don't use Google licensing as is. Modify the code heavily. Add some new parameters to use when generating the keys. Move the code around / re-architect it. Don't include the Google licensing library as a library project. Put it directly in your code. Make the code as spindly and kludgy as possible. Add functions that do nothing, but modify the values on the fly. Make other functions later that convert them back. Spread license verification throughout your entire code base.

If you don't do those steps then the code can be cracked automatically. By doing those steps at least the cracker needs to take the time to hand crack it. That would probably only take a few hours at most. But a few hours is much much more time than instantly cracking the standard Google licensing layer. There are cracker tools that will actually just auto-download newly released android packages and, if they use the standard android licensing, crack them and upload the cracked APKs to these types of web sites. By making your implementation not the vanilla implementation you make things much harder, with only a few hours effort on your end.

2) This is a common anti-crack technique. You can do this on Android if you want. But it can be cracked in about 5 minutes. If you Google there are tutorials on how to crack this specific technique. Basically you just look for the CRC call in the code and remove the check after the CRC comes back.

Android has no inherent security. You can root any phone and download the APK. You can easily hack an APK to enable debugging and simply step the code to see any keys you have stored in the code. So in the end I wouldn't spend too much time on this. It's impossible to secure an Android App. I would just do the common sense stuff in the list above and move on.

3) If you're really paranoid you can implement your own licensing on your own licensing server. This is the approach I took, but not as much for protecting the app for theft, as it was to give me a mechanism to sell apps directly from my website so users that don't have Google Play could still purchase my apps.