Google has been forced to temporarily deactivate a security feature in Android 4.1 (Jelly Bean) intended to make it harder to pirate paid-for apps. The feature resulted in some purchased apps no longer working after the devices on which they were installed were restarted, requiring the user to reconfigure or even reinstall them. According to a bug report on Google Code, affected apps include several live wallpapers and applications with widgets or access to Google’s account system.
Android 4.1 introduced improved copy protection in the form of a feature called App Encryption. Paid-for apps are encrypted using a device-specific key prior to installation, with the result that the APK file downloaded by a device (which can only be accessed on rooted devices) will not run on other Android devices. The feature has been implemented in such a way that the APK file is not installed in the internal /data/app partition, but is instead installed in the encrypted /mnt/asec directory. It appears, however, that not all apps can be run from this location without problem. The difficulty seems to be caused by Android 4.1 mounting /mnt/asec too late in the boot process and unmounting it too early on shutdown.
The issue has similarities with older problems with App2SD, an Android function for moving apps from /data/app to a mounted SD card, which also caused some apps – particularly apps using widgets – to stop working. Whilst developers were able to block their apps from being moved to the SD card (something that can be circumvented on rooted devices), they are not able to prevent their apps from being relocated to /mnt/asec.
Two workarounds, one for developers and one for users, are outlined in the bug report. Users can get around the problem by installing the application from sources other than the Google Play store, in which case Android reverts to installing the APK file to /data/app. There are three ways of achieving this: purchasing the app from Amazon, AndroidPit or another alternative store; backing up and restoring all apps using a service such as Titanium Backup (possible on rooted devices only); or purchasing the app directly from the developer, if that is possible.
The workaround for developers is to move the application’s critical components into a non-paid-for app. This requires some cooperation from users, who then need to install this additional app.
Users and developers report that in the last few days the problem appears to have disappeared for applications installed using the latest version of Google Play (3.7.15). Users who have previously installed problematic apps will need to uninstall and then re-download them free of charge. According to one report, the new version of Google Play now saves paid-for apps to /data/app again, meaning that Google has deactivated the copy protection feature for now. Google has not commented publicly on the problem. The bug is marked as medium priority, with a status of “FutureRelease” for a possible fix.