javiersantos/PiracyChecker

Hacked apk avoids in-app purchase check and yet passes PiracyChecker signature check

drmrbrewer opened this issue · 6 comments

My app has a routine which checks the validity of an in-app subscription (via my own server). But I have found a hacked apk on a download site which somehow avoids this check, thereby giving free access to the in-app subscription. Nothing is ever received at my verification server, so they must somehow be faking this check.

But somehow this apk is not caught by the "signature" check made by PiracyChecker. How can this be... surely a hacked apk must have a different (and invalid) signature?

The "licence" check made by PiracyChecker does catch the hacked apk but I'm finding that there are too many false positives (apparently genuine users, maybe with slightly unusual setups) that are caught too.

If I can understand how the in-app purchase check is being avoided then maybe I can just tighten up the security within my code to thwart that.

Hi, I'm having the same issue. I have also implemented an in-app validation via my own server, and still I have found a hacked apk which seems to completely avoid the validation.

It just starts with premium features. Normally it would start with limited features, then check if there are any licenses, if any it would check on my server and only then it would obtain premium features and show a message saying that. Instead, the hacked apk just starts with premium features with no validation at all.

How can I fix this? I have spent several days implementing a backend validation and now it's suddenly useless, WTF.

No idea... I think we need a new solution, or use DexGuard.

I searched on Telegram and found how they are avoiding PiracyChecker:

```text
[MIN_ENGINE_VER]
2
[AUTHOR]

[PACKAGE]
PiracyChecker - Hook

[MATCH_REPLACE]
TARGET:
smali*/*.smali
MATCH:
invoke-direct .+}, Lcom/github/javiersantos/piracychecker.+
REGEX:
true
REPLACE:
[/MATCH_REPLACE]

[MATCH_REPLACE]
TARGET:
smali*/*.smali
MATCH:
new-instance ([pv]\d+), Lcom/github/javiersantos/piracychecker.+
REGEX:
true
REPLACE:
[/MATCH_REPLACE]

[MATCH_REPLACE]
TARGET:
smali*/*.smali
MATCH:
invoke-(virtual|static) .+}, Lcom/github/javiersantos/piracychecker.+Ljava/lang/String;\n\n move-result-object ([pv]\d+)
REGEX:
true
REPLACE:
const-string ${GROUP2}, "uKXl2sfYr1qJ6sVvFPNqWIJvGaY="
[/MATCH_REPLACE]

[MATCH_REPLACE]
TARGET:
smali*/*.smali
MATCH:
invoke-(virtual|static) .+}, Lcom/github/javiersantos/piracychecker.+\n\n move-result-object ([pv]\d+)
REGEX:
true
REPLACE:
[/MATCH_REPLACE]

[MATCH_REPLACE]
TARGET:
smali*/*.smali
MATCH:
invoke-virtual .+}, Lcom/github/javiersantos/piracychecker.+
REGEX:
true
REPLACE:
[/MATCH_REPLACE]
```

Any way to avoid this?

Instead of using a name like com/github/****, make it an unreadable character so a script kid is not able to bypass it.

They are removing every call of PiracyChecker as it is clearly readable; either move it into some famous name like com.android.google or somewhere else with an ambiguous name.
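The posted script explains the original question: it deletes every `new-instance` and `invoke-*` that references the library's classes, so the signature check is never executed and there is no mismatch to detect. The same applies to the flow described earlier in the thread (start limited, check licences, ask the server, then unlock): if the unlock decision is taken on the device, the instruction that takes it can be removed. Renaming the library, as the last comment suggests, raises the bar but leaves the decision in the client. The added example below (not part of PiracyChecker or of anyone's code in this thread) shows the defensive alternative in Python: the backend keeps the entitlement ledger, issues a short-lived HMAC-signed token, and the premium data itself is only handed out against a valid token, so a client patched to "start with premium" still has nothing to show. `SERVER_SECRET`, the `ENTITLEMENTS` ledger, `PREMIUM_CONTENT` and all function names are constructed for this example.

```python
"""Server-side entitlement gate (added example, not the library's code).

Constructed assumptions:
  - SERVER_SECRET is known only to the backend.
  - ENTITLEMENTS is what billing callbacks / receipt validation have
    already recorded per account.
  - The premium feature's data lives on the server, so client-side
    patching cannot conjure it.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed ledger: plan and expiry (unix seconds) per account.
ENTITLEMENTS = {
    "user-123": {"plan": "premium", "expires": 2_000_000_000},
    "user-456": {"plan": "free", "expires": 0},
}

# Constructed server-held payload that only entitled users may receive.
PREMIUM_CONTENT = {"report": "full dataset (server-held)"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now: int, ttl: int = 3600) -> Optional[str]:
    """Issue a short-lived HMAC-signed token, or None for a user the ledger
    does not show as currently premium. The decision is taken here, never
    on the device."""
    ent = ENTITLEMENTS.get(user_id)
    if ent is None or ent["plan"] != "premium" or ent["expires"] <= now:
        return None
    payload = json.dumps({"sub": user_id, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.
    Every failure path falls through to None (fail closed)."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def premium_endpoint(token: Optional[str], now: int) -> dict:
    """Backend handler for the premium feature. Default is denial: a
    missing, forged or expired token yields no content."""
    user = verify_token(token, now) if token else None
    if user is None:
        return {"status": 403, "content": None}
    return {"status": 200, "content": PREMIUM_CONTENT}


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("user-123", t0)
    print(premium_endpoint(tok, t0))          # entitled: 200 with content
    print(premium_endpoint(None, t0))         # patched client that skipped the check: 403
    print(premium_endpoint(tok, t0 + 7200))   # expired token: 403
    print(issue_token("user-456", t0))        # free plan: no token issued
```

The property worth noting is where the failure lands: with this layout, a client that no longer calls the check does not get premium behaviour, it gets a 403 and a feature that does not work, and the backend logs a request with no token, which is exactly the signal the first poster was missing ("nothing is ever received at my verification server"). Anything that must run on the device, such as a UI flag, can still be flipped by a patch, so only features whose substance the server can withhold are protected this way.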