December 22, 2014

COMMUNITY ALERT: DavinciDevelopers Stealing Apps To Sell As Own Creations

The people over at Android Community are reporting today that a group known as the “DavinciDevelopers” has been doing something pretty lowdown with the Android Market.  Namely, taking apps that are in development and in the hands of beta testers and posting them to the Android Market as their own creations.  A quote from the Android Community article:

If you’ll remember a few days ago we had (and still have, of course,) a big fat post by the name of “Total JerkDeveloper Steals Beta Game He Was Supposed to be Testing, Publishes to Android Market.” Kind of a mouthful, yes? Well it turns out that the guy guilty of such a crime has a mouth full of more than just one stolen game – he’s got a whole batch. This guy (or guys, or gals, whatever it might be) goes by the name DavinciDevelopers and is stealing APKs for apps left and right, files that are supposed to be testers for developers, publishing them to the Android Marketplace as his own. This is terrible in more ways than one, and we’ve got to stop him.

Agreed. Not being a developer myself, I do not know what the process is to get an app to the Market. But with the open way that Google handles apps, it seems it is going to be a challenge for the rightful owners of the apps that have been taken to reclaim what is theirs. A simple solution, at least in my mind, would be for the actual developers of the stolen apps to simply upload their own version, put a note in the description, then advertise like crazy that theirs is the true app. After doing some research on how the Android Market works for devs, it seems that wronged devs cannot even put this process in place. Why? Because when you load an app to the Market, it does not allow any other app to have the same name to avoid duplicates. And once that name is locked in, the feedback that I have gotten is that it is locked in for a good amount of time.

One of the best ways to combat these thieves is community awareness: be on the lookout as you browse the market, and if you happen to see the name DavinciDevelopers, steer clear! Then head over to the different Android user forums and post your findings. Devs work hard, and deserve to have their intellectual property protected.



  • anakin78z

    Google really needs to put some amount of customer service in place. There is just no good way to get a hold of them when something like this happens.

    • Froggmann

      Try giving them money sometime. Takes us a week and a half to get an invoice out of Google so we can cut them a check for Google Earth Pro. I remember last year they actually gave us a phone number to call. It led to a recording to email them.

  • http://www.twitter.com/DrJeckyl Dr.Jeckyl

    Mark the ones by the thief as malicious in the market and Google should take notice.

  • http://pilot51.com Pilot_51

    If the source code for an app is not available to testers, the developers can sign the APK with the debug key which is not accepted by the Android Market. However, I’m not certain how difficult it is to hack/change the key after the APK is compiled. At the least it is a good preventative measure.
    Personally I always use the debug key until I’m ready to release, whether I’m keeping it to myself or sharing it with friends to test, mostly because signing it with another key in Eclipse takes a few extra steps I’d rather not deal with unless I need to.

    On the other hand, if the source code is made available, there isn’t much that can be done to stop anyone from stealing it short of Google support or the law after the fact.
    I’ve witnessed something like that happen with one of my favorite open source projects on Android, where someone took it in his own hands to release the app while it was in a very early/unfinished state, plus he hardly kept it up-to-date. While he made it clear that he didn’t make it and he linked to the official site, he took the package name and didn’t provide any contact information, which made the developers and some of the community a bit mad.

    There is also the possibility that someone who just wants to be a jerk could make their own app and use the same package name (which can be easily found once they have the APK) and release it on the Market, preventing the true app from using that package name and forcing the developer to change it in order to release, which while not all that difficult, it’s annoying to say the least. I think the best way to prevent that from happening, assuming the developer has a specific package name in mind, would be to use a different package name during testing and change it before releasing. But, if the source is not made available, I think the risk of someone intentionally taking the package name would be low enough that it’s not worth the extra effort.

    It’s clear to me that Google support can’t be relied on in most cases, and for most small developers it isn’t worth suing over.

    Bottom line: Developers need to take preventative measures whenever possible to protect their hard work; while not flawless, they can be effective. Nobody else can do that for them.

  • http://www.appsbybirbeck.com/ birbeck

    Well the simple solution here is to sign your beta packages. I sign and version my beta packages with my production key and version numbers (with -beta in the version name). To reserve your package you can always upload an early version to market as a draft and not hit publish until you are ready. If your code is open-source and committed often during the development phase, then other than reserving your package name there is not much you can do unfortunately.

    At any rate, this is purely thievery and can be very damaging to your reputation as a result. Google needs to have a zero tolerance policy for this.

    I will head to the market and 1* and comment on any of these DavinciDevelopers apps. However now that their cover is blown, nothing will prevent them from just signing up again under a different alias.

  • BoD

    In addition to everything that was said a good idea is also to make the beta “expire”. That is, when the app is started the first thing it does is check the date, and if it’s after a certain date, show a message and exit.

  • Felon

    Peer review before publication of apps

  • Kevin

    Signing doesn’t solve the problem. You can use apktool to repackage the binaries into a new APK signed with a new key.

    BoD got it right, you need an expiry mechanism or a remote kill in your beta apps. And you need to obfuscate the living hell out of that code.

    I know, you never want to go through this effort until you get burned. This really sucks for the developers. Generate all the noise you can through blogs and notify Google with all the means you have. Email Guy Roman and the other Android celebs.
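
A start-up guard that combines the expiry check BoD describes with a check for the re-signing Kevin describes, as an added example (not code from the post or from any commenter). The class name `BetaGuard`, the cut-off date and the fingerprint placeholder are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.security.MessageDigest;
import java.util.Calendar;
import java.util.TimeZone;

/** Hypothetical helper; call BetaGuard.mayRun(this) first thing in the launcher Activity. */
public final class BetaGuard {
    // Placeholder (assumption): lowercase hex SHA-256 of the certificate the beta is signed with.
    private static final String EXPECTED_CERT_SHA256 = "<sha256-of-your-signing-cert>";

    private BetaGuard() {}

    /** Constructed sample cut-off: the beta stops working at 2015-02-01 00:00 UTC. */
    static long expiryMillis() {
        Calendar c = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        c.clear();
        c.set(2015, Calendar.FEBRUARY, 1);
        return c.getTimeInMillis();
    }

    /** BoD's check: true once the device clock passes the cut-off. */
    static boolean isExpired(long nowMillis) {
        return nowMillis >= expiryMillis();
    }

    /** True only if the installed package carries exactly one signer and it is ours. */
    static boolean isSignedByDeveloper(Context ctx) {
        try {
            // GET_SIGNATURES is the API of this era; it is deprecated from API 28 onward.
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(info.signatures[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString().equals(EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false; // fail closed: unknown signer means do not run
        }
    }

    /** Refuse to start when the beta has expired or the package has been re-signed. */
    public static boolean mayRun(Context ctx) {
        return !isExpired(System.currentTimeMillis()) && isSignedByDeveloper(ctx);
    }
}
```

Both checks live inside the APK and trust the device clock, so they raise the effort needed to republish a beta rather than make it impossible, which is why Kevin pairs them with obfuscation and a remote kill.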

  • Lawrence Aubin

    Those vermin have 80 apps on the market!! That’s an awful lot of apps to “develop” and they cover many, many different types & subjects.

    Seems to be far too many for one source to “produce” so that just convinces me that they are indeed stolen from their true developers.

    The Android Market needs to do a lot more to improve the market for end users but even more importantly for the developers whose hard work is being stolen and duplicated…

    Just my two cents worth..

    laubin