I'm a bit worried about this myself. I've known about it for a bit though. I can completely understand a few titles on the store using DRM because of this...
Depending on the APK not being available, except via OUYA device download, is a bad premise to start off with for thinking about your app being secure.
You can download APKs from Google Play as well. Admittedly it is a little bit more difficult (using a tool and it needs a Gmail login/password plus your Android device ID), but all the free APKs are there for download to your PC. Microsoft's Windows Phone Marketplace also had every XAP available for download via HTTP in a similar manner to OUYA's, including paid XAPs.
(I also found various links to Google Play IAP hacks ...)
on Ouya, we can't use ads, so we have to rely on game purchases, so this is a problem :-S
when many micro consoles are going to arise, developers would naturally favor the most secure console
besides, it's all in the interest of Boxer8 to have a secure game catalog, so when it significantly grows, they could do things like sell exploitation licenses to other companies maybe?
Forgive my ignorance, and please rectify that, but I don't see the problem here. Since everything is free to try and (possibly) has a paywall, aren't these just those APKs, that your Ouya could download and install through the store anyways?!
Whatever checks you have in the game, or checks on receipts, or private apks or obb files, or file system checks, etc, are all still in place. Anyone launching the game from these side loads should still hit those and still have the opportunity to hit the same restrictions and payment options.
Looks like that to me as well. And that's why IAP is really a good thing for OUYA :)
You didn't remember the plot of the Doctor Who movie because there was none; Just a bunch of plot holes strung together.
that's true, but once you've got access to the apk, it's possible to open it, crack it and diffuse it on pirate websites, and as you can see in the previous article links, it's a huge problem for a lot of devs (90% of piracy for Shadowgun!! not Ouya piracy though)
about checks: all the pirated games had online checks and were cracked nonetheless.
it's difficult to talk about piracy while voluntarily omitting technical details, but the less users can access apks the better.
I think piracy should be addressed as an important issue, "open console" or not
although I understand there are moments and plannings to do so
the ultimate protection would seem to be a service like Gaikai where the game runs on a server and users can play it through a video stream, but so far it's completely undoable, especially for indie games
--
edit: if it's just some of us being too worried/paranoid, it's great and I don't want to roam the forums claiming it's the end of the world :P
but piracy is a very real issue unfortunately. many indie devs could confirm that, and I don't think Google Play / iOS / many great app stores including discovery are doing everything they could/should to improve these matters
Take a look earlier in the thread. The APK you download from the store, on an official OUYA, just by hitting "Download" is no different than what you get by navigating to the download link in your browser. Therefore this is not a security issue by any means, any more than downloading it from your OUYA is a security issue.
Piracy is a real issue as you stated. The problem is that when developers take measures to protect their works and if word gets out that they are using DRM, it ends up actually hurting them due to gamers thinking they're being ridiculous and that piracy isn't that big of a deal, when in fact you've posted links showing the insanely high piracy rate on Android devices that gamers refuse to acknowledge...
Gamers feel like we are restricting their freedom to pay for something they bought. While in fact if you implement DRM you somewhat are, but you're also protecting your works and more than likely you'll get crap for it, which isn't really fair... You should have the right to keep your work safe from thieves.
Unfortunately it's a double-edged sword and while I HATE to admit it, DRM does work.... it's inconvenient, but in an age where everything is now digital and physical media is almost gone, how the hell else are you going to protect your works? You can't really trust anyone to not pirate your game if they want it bad enough.
That whole argument about "well piracy helps promote my game", sure it does, but in the end you're still getting the shaft and not getting paid for whatever costs you dumped into making the game, which you need to get back, let alone your time for making it. While most devs won't pay themselves much or value their own works at too much, bottom line is they still need to be paid for what they did...
Let's face it, developers that develop games for a living don't give everything away for free, or else they would be living in a cardboard box under a bridge....
Anyhow, I think OUYA needs to take this issue a bit more seriously and take note of the disasters the Google Play store has had and try to avoid these issues if they want developers to keep publishing on their console and supporting it.
imho it's an issue in the sense that you can crack the apk on pc, but you can't crack it directly on Ouya;
there should be something like,
- apks could only be retrieved from the console, they'd go on a specific (read-only, differently formatted, I don't know) zone of the console hard drive
- users can only update them or delete them
I'm not a security expert by any means, but there should be many measures to apply,
it has to be planned out from a 'cracker' point of view though: how are games cracked? how can this be avoided? adding expensive, inefficient and non-related measures can be very counterproductive for everybody (as the DRM indeed maybe :| )
it's great to be able to access the hard drive of the console from Windows, to have this open console capability, but there's -no- -reason- -at all- that any user should modify discovery's apk, therefore, it should be forbidden
the thing is, if people are considering everything is safe (and unfortunately it's not) nothing is going to be done, now it's up to Boxer8 to improve the safety of the store
Security always seems so simple from the outside. The Xbox 360 has layers of software and hardware protection that Microsoft invested a lot of time and resources in developing, and it has still been cracked. Granted, it took a few years to happen, but it goes to show that they are all breakable.
The problem with a read-only partition of the internal storage is that it has to become writeable at some point in order to install the apk. There's your attack vector. A different file system? There's code in the kernel to read/write that file system. Find that code and it's wide open.
How are games cracked? In many different ways. Approaching security from a cracker's point of view has been done for a long time in the industry.
I understand, but I'm not sure it's an excuse to do nothing, that's an easy thing to say for a company when it's not their revenue at stake ^^
PS Vita does very well in piracy protection with its powerful firmwares, and iOS a little bit better
even if no uncrackable platform exists, the main idea is to make piracy so uncomfortable to use
that it's too complex for basic users to set up (rooting a PS Vita is complex, paying somebody to add a chip to your Xbox 360 is a piece of cake)
with Ouya, perhaps actual game cracking can't last because of system updates (exactly like PS Vita); protection is way better if .apks can't be accessed by users and custom apks could be checked by the firmware to ensure they're not cracked games (this part is complex and fails on a lot of platforms indeed)
however I'm having a bit of trouble understanding why devs are saying that piracy protection is useless, it's a little bit funny :> finding issues and reasonable/doable solutions is interesting, rhetoric about "piracy protection: good or bad", heh ... got better things to do
Trying to "protect" the APK itself somehow is a losing battle. At the end of the day, to install the app/game, the APK has to be on the file system somewhere at some time (that's how Android works). And since anyone can get root access, anyone can read, copy, and crack the APK no matter where it is. So, I don't really consider this a security breach at all.
I'm starting to suspect individuals wanting to crack games are trying to argue against security prevention to make piracy easier
saying "improving security is worthless because it can be defeated"
is a bit like saying there's no cure for cancer, so improving prevention is useless
you will not be able to disable piracy entirely, but if you can prevent 10, 20, 30% of it, it's that much more revenue for developers, and for many developers it makes a difference
done talking in this thread, it's useless, these are not the kind of people I'm interested in hearing from.
I hope responsible people having a clue about security will take it from there
@Floppy Being able to download it from a web browser onto the computer does not add any more risk of piracy at all. The apk is not protected or hidden in any way while it is sitting on the Ouya. Users don't even need to be root to pull any app they want ( @StoicHampster ). You can use adb, ftp, or any of at least a dozen other methods. It takes less than a minute to get the apk from the Ouya to the computer; smaller apks can be pulled in under a second. And even if users did need root, guess what, Ouya is already rooted. You cannot try to hide files on this filesystem and at the same time give users full control of the filesystem's contents.
Alright, clearly you are smarter than the rest of us, as you so proclaim. How do you seal off the OUYA's filesystem so that nobody could possibly access it and pull files off it, but still allow the OS itself to read/write? And more importantly, how do you think this could be accomplished without completely obliterating one of the biggest marking points of the OUYA (its openness)?
Snarkiness aside, I think you're being a tad bit alarmist and trying to spot security issues where none exist. So people can decompile and modify a game? Go figure, they can do that on just about every other platform in existence.
@Floppy It's up to each developer to decide on the level of DRM that exists in their game.
The fact that you want APK's and their delivery to be more secure is something that you should take up either with the Android developers or implement yourself. No one is stopping you from doing either.
One thing that I suggest you do is more research; find out what extents both crackers and DRM developers have gone to in attempting to foil each other.
Personally I'm still mystified that piracy even exists on a significant scale on mobile. You'd think the average 1 to 3 dollar app prices would have been the end of piracy. I guess some people's time isn't very valuable. Myself, I'd gladly pay a couple bucks for a game rather than spend half an hour+ of my life searching for, side loading a cracked version and getting it to run. Never mind the fact you're helping the developer stay in business.
Unfortunately OUYA doesn't have the user base yet for mobile game pricing to be sustainable, hopefully that or better copy protection come into play at some point.
Copy protection for what? The full APK you download for free from the store anyway?
If piracy is a concern, OUYA could protect the apks by using app encryption and serving them from a web service request rather than letting the files sit naked on their cloud storage.
There is no silver bullet for piracy. That's for sure. If someone is determined enough, they'll find a way. But it's possible that not everyone is that determined, and it's possible that not every pirate realizes they're a pirate. There are a number of people who think that if they can move one file from their system to someone else's and nothing stops them from doing it, no harm is done. I've actually known a fair number of people who didn't realize that was a form of piracy. But with OUYA's strong reliance on IAP, this kind of piracy probably isn't a huge issue on the platform.
However, even if piracy isn't a concern, there is still concern over unauthorized distribution of the files.
Nothing stops others from downloading them and possibly hosting them (in fact a few have). Besides some developers possibly not being on board with that arrangement, it creates a conflict with OUYA themselves as being the official source of "exclusive" titles to their platform.
That isn't a big deal either until one of those sites decides to have malicious intent in mind and randomly serves apks with malware or injects the apks themselves with malware. OUYA becomes guilty by association for not taking reasonable measures to make it more difficult to mirror their files. Your average mainstream user isn't going to know the difference, so it's probably important to ensure those distribution lines don't get blurred.
Piracy aside, OUYA should probably make some effort to protect the files from distribution outside of the console for those reasons. It could potentially be a problem for them in the future.
thanks for opinions and infos jtn0514 mjoyner Loecke Shush VicariousEnt articdog
reassured there are some devs that are smarter than me also concerned by this :)
I don't see why the ability to run custom apks would prevent the possibility of having a "safe" memory zone, or making firmware checks on running apks. Even if it would only partially work, it would be a good start
wrote several times Boxer8 should see how to do it, I'm not a security expert etc (it's funny how some people apparently thought I'd be securing Ouya by myself .. ?)
@Shush, my dev/forum time is really limited, and I'd honestly prefer spending it making my games better... as I said several times, it's obviously up to Boxer8 to improve protection, but I'm considering implementing a DRM-like kind of solution in my games indeed
anyway, this thread is a bit awkward in the sense that there's not so much to say except for trying to get b8 to improve their security
There is no right or wrong, in the end it's all about what the customer deems acceptable in terms of how many DRM hoops you make them jump through and how much effort you're willing to expend.
If you do some research on Bunnie and the original Xbox, you may find it an eye opener with respect to the extents that Microsoft went to in their implementation of DRM. They spent tens of millions of dollars on research and implementation of their DRM and publicly stated that their DRM was uncrackable; needless to say it was cracked within a few months of the Xbox's release.
My approach to the OUYA is very simple:
- My APK containing trial/free content will be stored on the OUYA servers and publicly available to everyone to do with as they see fit.
- Paid for content will be stored using encryption on cloud servers, (such as S3), and downloaded on demand as part of IAP transactions to the client.
- Offline receipts will be stored on the individual OUYA's themselves in an encrypted and private area so that the client does not need to have 24/7 online access.
Is this a perfect solution? No, (a perfect solution does not exist), it's not even close. Does it afford some security to keep out the 95 percentile? You betchya it does. Does it cause any inconvenience to the client? No, DRM hoops are minimised. Will it be cracked? Of course it will, assuming someone deems it worthy of cracking.
The point is you have to decide yourself how much effort/resources you want to put into your DRM and/or security. Anything that OUYA comes up with as an across the board DRM implementation that all developers must adhere to would cause pandemonium, riots and public lynchings, (think about the spirit of the OUYA and its underlying message). It would also be cracked ridiculously quickly, the OUYA has attracted a lot of smart indies, hackers, (the original meaning of hacker), anti-DRM and anti-suits.
Come up with something that both you and your customer are happy with and you've won the interwebz
> Anything that OUYA comes up with as an across the board DRM implementation that all developers must adhere to would cause pandemonium, riots and public lynchings, (think about the spirit of the OUYA and its underlying message)
mmh, I'm a bit disagreeing with this assumption :-S
"open console"
- to do what, build or steal?
stealing is prohibited, and must not happen, end of discussion
no user should access .apks from the store, what for?
having a protected inaccessible zone for .apks that are not meant to be tweaked does not interfere with the idea of open console
I totally agree with your second point though, security measures have to be user friendly
regular online checks would be fine, since Ouya is a connected console anyway, even if it would have to be implemented in a relatively flexible way for people not having internet all the time
Microsoft, Xbox, Xbox 360 and Windows Phone are simply good case studies for the amount of effort that goes into some protection schemes. Yes, Sony use similar measures to protect apps and games on their devices. The Xbox and Xbox 360 are simply a higher value target for crackers (and have been out a lot longer) than the PS Vita, so they got a lot more attention.
I am using a system similar to @Shush. The C# bindings for the ODK that I maintain will have the encrypted local storage of receipts built-in, needing no further action on the part of the developer for offline access of the last downloaded receipts. This will be available to all C# game devs when I release the next update. I will also be storing non-free assets on Amazon S3 or Windows Azure that are only downloaded and stored locally after purchase.
I admit and agree that piracy is a problem. I also agree that there is no perfect solution and that no matter what you do, if somebody really wants to, they WILL crack and pirate your game. I also agree that you should still take a few basic steps to make the pirate's/hacker's job more difficult without ruining the user experience of the regular customers/users.
However, I don't think the location/accessibility of the APK (especially in an everything-is-free-to-try system) should be the focus of our or Team Ouya's security efforts. I'm no Android guru, but from what I understand, there's just no feasible way to protect it. Android expects a standard APK format in order to install an app and it must be somewhere on your device's storage, which means that anyone can easily access it if they want to. Even if you somehow do some sort of verification/encryption trickery where you can only get the APK on an official Ouya w/ a user logged into their Ouya account, I don't see how that helps, because again, anyone with an Ouya can get it w/o ever paying anything. There's ultimately no way to hide or protect the APK (Android gurus correct me if I'm wrong).
Now, I do think there are things you should do to protect from casual piracy, but they should all be focused on the IAP system since that is where the money is. IMO, copying and distributing an APK that's monetized via IAP is NOT piracy because that's not where the money is. Heck, I'd love it if my APK was spread far and wide across the globe through Usenet, BitTorrent, etc. That means more people might install it which, if my IAP is well secured, could mean more revenue.
So, instead of focusing on the APK, I think you need to focus on securing your IAP process and demo/lite version restrictions. I've seen a surprising number of Ouya games that have demo modes where the limitation is either a timer or a number of plays, but those values are only stored locally. So, if I play my 15-minute demo of the full version, all I have to do is uninstall and reinstall. Doing this wipes the local data associated with the app and, voila, the demo is reset. I can do this reset as often as I want. It's instant piracy that, literally, a child is capable of. Your demo limitations need to be stored persistently on a server somewhere to prevent this.
As for IAP, there are both offline and online considerations. Ideally, you want a purchased game to continue to work even while offline (though I'm not sure if Ouya requires this as part of their submission criteria). But this ideal for the end-user makes things trickier for the developer to secure because you need to store that info locally where hackers can tamper with it. There was actually a thread discussing this topic and the best way to cache purchase info locally (for offline usage) while still preventing piracy. I made a fairly lengthy post w/ my thoughts on how to handle offline validation, so I won't repeat that here.
As for the security of the online portion, namely querying for purchase receipts from Ouya's servers, you should probably query for receipts each time the game starts if an internet connection is detected and fall back to cached validation if not. That alone will stop most casual pirates.
There's also the possibility of someone spoofing the Ouya receipt server. That's the only concern in this whole list that I think should be Team Ouya's responsibility. If they haven't already (I've never looked to see), they should implement some kind of challenge/response system when querying for receipts to ensure that it's not trivial to spoof a server that could fabricate any arbitrary purchase.
At the end of the day, it's up to you to decide how "hackable" you want your game to be. You have to decide on that tradeoff between security and convenience/usability. I remember reading that Mighty Rabbit (the Saturday Morning RPG guys) implemented no DRM after purchase in their game. Presumably, when you purchase the game they just set a local integer of GamePurchased=1 and you can play online, offline, copy the game to another device, whatever you want. Personally, I wouldn't do things that way... but if another dev wants to, why not let them? After all, the Humble Indie Bundle has proven time and time again that you can still make a lot of money even if you have zero DRM in your game.
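The query-at-startup, fall-back-to-cache flow and the challenge/response idea from the post above, sketched in Go as an added example (not code from the thread, the ODK or OUYA's servers). The receipt fields, the choice of Ed25519 signatures and every type and function name here are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Receipt fields are illustrative; this is not the OUYA receipt format.
type Receipt struct {
	Gamer    string
	Products []string
	Nonce    []byte // echo of the client's challenge
	Issued   int64  // server clock, Unix seconds
}

// SignedReceipt crosses the network and is what the game caches on disk.
type SignedReceipt struct{ Body, Sig []byte } // Body: the exact signed JSON

// Store is the receipt server. Only it ever holds the private key.
type Store struct {
	priv  ed25519.PrivateKey
	owned map[string][]string
}

func NewStore(owned map[string][]string) (*Store, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Store{priv: priv, owned: owned}, pub
}

// Query answers a challenge: the nonce is signed together with the purchases.
func (s *Store) Query(gamer string, nonce []byte) SignedReceipt {
	body, _ := json.Marshal(Receipt{gamer, s.owned[gamer], nonce, time.Now().Unix()})
	return SignedReceipt{Body: body, Sig: ed25519.Sign(s.priv, body)}
}

// Client is the game. It ships only the store's PUBLIC key, so a decompiled
// APK contains nothing that can sign a receipt.
type Client struct {
	StoreKey   ed25519.PublicKey
	Gamer      string
	MaxOffline time.Duration
	cache      *SignedReceipt
}

func (c *Client) verify(sr SignedReceipt) (Receipt, error) {
	var r Receipt
	if !ed25519.Verify(c.StoreKey, sr.Body, sr.Sig) {
		return r, errors.New("signature does not match store key")
	}
	if err := json.Unmarshal(sr.Body, &r); err != nil || r.Gamer != c.Gamer {
		return r, errors.New("malformed receipt or issued to another gamer")
	}
	return r, nil
}

// CheckOnline sends a fresh random challenge and accepts the answer only if
// it is signed by the store and echoes that challenge.
func (c *Client) CheckOnline(query func(gamer string, nonce []byte) SignedReceipt) (Receipt, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Receipt{}, err
	}
	sr := query(c.Gamer, nonce)
	r, err := c.verify(sr)
	if err == nil && !bytes.Equal(r.Nonce, nonce) {
		err = errors.New("response does not answer this challenge")
	}
	if err == nil {
		c.cache = &sr // keep the signed blob, not a bare "purchased" flag
	}
	return r, err
}

// CheckOffline re-verifies the cached blob. The age limit uses the local
// clock, which the user controls, so it only bounds honest offline use.
func (c *Client) CheckOffline(now time.Time) (Receipt, error) {
	if c.cache == nil {
		return Receipt{}, errors.New("no cached receipt")
	}
	r, err := c.verify(*c.cache)
	if err == nil && now.Sub(time.Unix(r.Issued, 0)) > c.MaxOffline {
		err = errors.New("cached receipt too old, go online")
	}
	return r, err
}

func main() {
	store, pub := NewStore(map[string][]string{"gamer-1": {"full_game"}}) // constructed data
	game := &Client{StoreKey: pub, Gamer: "gamer-1", MaxOffline: 72 * time.Hour}
	fmt.Println(game.CheckOnline(store.Query))
}
```

The cached receipt is bound to a gamer ID rather than a device, so this sketch stops fabricated and replayed receipts but not a patched binary that skips the check altogether.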
I honestly think the availability of the apks to users NOT on an Ouya is a bad idea... It's basically making it one step easier for people to obtain the file and hack/decompile it. Boxer8 should be doing all they can to make it not so easy to obtain the APKs in the first place... While you can't stop someone who has a lot of free time, you can make it a difficult journey to obtain the files, this will deter some still....
As for the DRM implementation, I hope Ouya leaves this to the developers 100 percent forever. They shouldn't have a say in how developers implement security features to protect their software.
Honestly if users don't want to play a game because it has online DRM, then that's their choice, but they should remember that THEY NEED the Ouya store (which requires online activity) to get these games in the first place and that without an online connection, the console itself cannot get any new content unless side loaded or manually installed via USB etc... Even then, you had to get the apk online somewhere from another device to have installed it to the Ouya anyhow. No one is handing out physical copies of these games....
Yes, because what a difficult thing it is to issue an "adb pull" command. In case you can't tell, I'm being entirely sarcastic of course. It takes literally just a few minutes to grab basically any file I want off the OUYA, even system-level files. If someone has the knowledge to crack an APK's DRM, they most certainly will have the knowledge to issue a simple "adb pull" command.
You didn't remember the plot of the Doctor Who movie because there was none; Just a bunch of plot holes strung together.
Comments
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
Piracy is a real issue as you stated. The problem is that when developers take measures to protect their works and if word gets out that they are using DRM, it ends actually hurting them due to gamers thinking they're being rediculous and that piracy isnt that big of a deal when in fact you've posted links showing the insanely high piracy rate on android devices that gamers refuse to acknowledge...
Gamers feel like we are restricting their freedom to pay for something they bought. While infact if you implement DRM you somewhat are, but your also protecting your works and more than likely you'll get crap for it which isnt really fair... You should have the right to keep your work safe from thieves.
Unfortunately its a double edged sword and while i HATE to admit it it, DRM does work.... its inconvenient, but in an age where everything is now digital and physical media is almost gone, how the hell else are you going to protect your works? you cant really trust anyone to not pirate your game if they want it bad enough.
That whole argument about "well piracy helps promote my game" sure it does, but in the end your still getting the shaft and not getting paid for whatever costs you dumped into making the game, which you need to get back let alone your time for making it. While most devs wont pay themselves much or value their own works at too much, bottom line is they still need to be paid for what they did...
Lets face it, developers that develop games for a living dont give everything away for free, or else they would be living in a cardboard box under a bridge....
Anyhow, i think OUYA needs to take this issue a bit more seriously and take note of the disasters the google play store has had and try to avoid these issues if they want developers to keep publishing on their console and supporting it.
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
Take some time and learn Designer-Friendly Programming 101.
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
Snarkiness aside, I think you're being a tad bit alarmist and trying to spot security issues where none exist. So people can decompile and modify a game? Go figure, they can do that on just about every other platform in existence.
The fact that you want APK's and their delivery to be more secure is something that you should take up either with the Android developers or implement yourself. No one is stopping you from doing either.
One thing that I suggest you do is more research; find out what extents bother crackers and DRM developers have gone to in attempting to foil each other.
> Anti piracy measures are needed and it doesn't haves to interfer with the concept of open console
If you do some research on Bunnie and the original Xbox, you may find it an eye opener with respect to the extents that Microsoft went to in their implementation of DRM. They spent tens of millions of dollars on research and implementation of their DRM and publicly stated that their DRM was uncrackable; needless to say it was cracked within a few months of the Xbox's release.
My approach to the OUYA is very simple:
- My APK containing trial/free content will be stored on the OUYA servers and publicly available to everyone to do with as they see fit.
- Paid for content will be stored using encryption on cloud servers, (such as S3), and downloaded on demand as part of IAP transactions to the client.
- Offline receipts will be stored on the individual OUYA's themselves in an encrypted and private area so that the client does not need to have 24/7 online access.
Is this a perfect solution? No, (a perfect solution does not exist), it's not even close. Does it afford some security to keep out the 95 percentile? You betchya it does. Does it cause any inconvenience to the client? No, DRM hoops are minimised. Will it be cracked? Of course it will, assuming someone deems it worthy of cracking.
The point is you have to decide yourself how much effort/resources you want to put into your DRM and/or security. Anything that OUYA comes up with as an across the board DRM implementation that all developers must adhere to would cause pandemonium, riots and public lynchings, (think about the spirit of the OUYA and its underlying message). It would also be cracked ridiculously quickly, the OUYA has attracted a lot of smart indies, hackers, (the original meaning of hacker), anti-DRM and anti-suits.
Come up with something that both you and your customer are happy with and you've won the interwebz
> Anti-piracy measures are needed and it doesn't have to interfere with the concept of open console
I admit and agree that piracy is a problem. I also agree that there is no perfect solution and that no matter what you do, if somebody really wants to, they WILL crack and pirate your game. I also agree that you should still take a few basic steps to make the pirate's/hacker's job more difficult without ruining the user experience of the regular customers/users.
However, I don't think the location/accessibility of the APK (especially in an everything-is-free-to-try system) should be the focus of our or Team Ouya's security efforts. I'm no Android guru, but from what I understand, there's just no feasible way to protect it. Android expects a standard APK format in order to install an app and it must be somewhere on your device's storage, which means that anyone can easily access it if they want to. Even if you somehow do some sort of verification/encryption trickery where you can only get the APK on an official Ouya w/ a user logged into their Ouya account, I don't see how that helps, because again, anyone with an Ouya can get it w/o ever paying anything. There's ultimately no way to hide or protect the APK (Android gurus correct me if I'm wrong).
Now, I do think there are things you should do to protect from casual piracy, but they should all be focused on the IAP system since that is where the money is. IMO, copying and distributing an APK that's monetized via IAP is NOT piracy because that's not where the money is. Heck, I'd love it if my APK was spread far and wide across the globe through Usenet, BitTorrent, etc. That means more people might install it which, if my IAP is well secured, could mean more revenue.
So, instead of focusing on the APK, I think you need to focus on securing your IAP process and demo/lite version restrictions. I've seen a surprising number of Ouya games that have demo modes where the limitation is either a timer or a number of plays, but those values are only stored locally. So, if I play my 15-minute demo of the full version, all I have to do is uninstall and reinstall. Doing this wipes the local data associated with the app and, voila, the demo is reset. I can do this reset as often as I want. It's instant piracy that, literally, a child is capable of. Your demo limitations need to be stored persistently on a server somewhere to prevent this.
As for IAP, there are both offline and online considerations. Ideally, you want a purchased game to continue to work even while offline (though I'm not sure if Ouya requires this as part of their submission criteria). But this ideal for the end-user makes things trickier for the developer to secure because you need to store that info locally where hackers can tamper with it. There was actually a thread discussing this topic and the best way to cache purchase info locally (for offline usage) while still preventing piracy. I made a fairly lengthy post w/ my thoughts on how to handle offline validation, so I won't repeat that here.
As for the security of the online portion, namely querying for purchase receipts from Ouya's servers, you should probably query for receipts each time the game starts if an internet connection is detected and fall back to cached validation if not. That alone will stop most casual pirates.
There's also the possibility of someone spoofing the Ouya receipt server. That's the only concern in this whole list that I think should be Team Ouya's responsibility. If they haven't already (I've never looked to see), they should implement some kind of challenge/response system when querying for receipts to ensure that it's not trivial to spoof a server that could fabricate any arbitrary purchase.
At the end of the day, it's up to you to decide how "hackable" you want your game to be. You have to decide on that tradeoff between security and convenience/usability. I remember reading that Mighty Rabbit (the Saturday Morning RPG guys) implemented no DRM after purchase in their game. Presumably, when you purchase the game they just set a local integer of GamePurchased=1 and you can play online, offline, copy the game to another device, whatever you want. Personally, I wouldn't do things that way... but if another dev wants to, why not let them? After all, the Humble Indie Bundle has proven time and time again that you can still make a lot of money even if you have zero DRM in your game.
Take some time and learn Designer-Friendly Programming 101.
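The challenge/response idea raised in the post above, as an added example (not OUYA's receipt API and not any poster's code): the client sends a fresh nonce, the server signs the nonce plus the receipt, and the client verifies with a public key shipped in the game. The class, method and receipt field names are assumptions, and both key pairs are generated inline only so the demo is self-contained.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added illustration: every name and the receipt format are hypothetical.
public class ReceiptChallengeDemo {

    // Server side: sign the client's nonce together with the receipt body.
    static byte[] serverSign(PrivateKey key, byte[] nonce, String receipt)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(nonce); // fixed 16-byte nonce, so nonce||receipt is unambiguous
        s.update(receipt.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    // Client side: accept only a signature that covers the nonce just generated.
    static boolean clientVerify(PublicKey key, byte[] nonce, String receipt, byte[] sig) {
        try {
            Signature s = Signature.getInstance("SHA256withECDSA");
            s.initVerify(key);
            s.update(nonce);
            s.update(receipt.getBytes(StandardCharsets.UTF_8));
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // a malformed signature counts as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair server = kpg.generateKeyPair();  // private half stays on the server
        KeyPair spoofer = kpg.generateKeyPair(); // a fake server only has its own key

        SecureRandom rng = new SecureRandom();
        byte[] nonce = new byte[16];
        rng.nextBytes(nonce);
        String receipt = "product=full_game;gamer=constructed-uuid"; // constructed sample

        byte[] good = serverSign(server.getPrivate(), nonce, receipt);
        System.out.println("genuine: " + clientVerify(server.getPublic(), nonce, receipt, good));

        byte[] forged = serverSign(spoofer.getPrivate(), nonce, receipt);
        System.out.println("spoofed server: " + clientVerify(server.getPublic(), nonce, receipt, forged));

        byte[] nextNonce = new byte[16];
        rng.nextBytes(nextNonce);
        System.out.println("replayed response: " + clientVerify(server.getPublic(), nextNonce, receipt, good));
    }
}
```

Because the client holds only the verification key, decompiling the APK yields nothing that can sign a receipt; a patched client can still skip the check, which is the local-tampering problem the thread already discusses.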
As for the DRM implementation, I hope OUYA leaves this to the developers 100 percent forever. They shouldn't have a say in how developers implement security features to protect their software.
Honestly if users don't want to play a game because it has online DRM, then that's their choice, but they should remember that THEY NEED the OUYA store (which requires online activity) to get these games in the first place and that without an online connection, the console itself cannot get any new content unless side loaded or manually installed via USB etc... Even then, you had to get the APK online somewhere from another device to have installed it to the OUYA anyhow. No one is handing out physical copies of these games....
If someone has the knowledge to crack an APK's DRM, they most certainly will have the knowledge to issue a simple "adb pull" command.