Spark, piracy, and account security

I’ve been meaning to post something about Spark and piracy for a while now, but I’ve been unsure of whether that would be a good idea – I’ve been avoiding unnecessarily advertising the fact that Spark is (at this point) rampantly pirated. However, I’ve been getting an alarming amount of Market comments recently that claim that Spark has somehow “hacked” their Xbox Live account – which is not only patently false, but also impossible.

There are many possible ways that one can hack an Xbox Live account – including brute force attacks on the site and guessing simple or easy-to-guess passwords. My assumption, for the sake of brevity in this article, is that you use good, difficult-to-guess passwords – and if you don’t, you should. See Change Passwords for hints on picking a good password.

That said, I know for a fact that a large number of people use illegitimate versions of the app. This is backed by the fact that sales of the app spike considerably whenever Xbox Live makes changes that break Spark in the short term, and by Google search results. Often, people who use a pirated copy of the app end up liking it, then purchase the legitimate copy. This scares me most of all, because the people who just purchased a legitimate product spent any number of weeks with a pirated version that could have been siphoning off account information for weeks or months at a time. If/when their account information is stolen, one of their first reactions is to post accusations in the comments, which unfortunately causes a large number of other knee-jerk reactions.

The Market version of Spark by itself is a secure app. It collects its data by exchanging information with, which is the same address that one would use through the web browser. Login information is exchanged in encrypted form, via the same sets of protocols as a web browser. Other than exchanging licensing information with Android Market, which contains absolutely NO Xbox account information, no information is ever sent elsewhere. Period. Unlike other apps, there’s no intermediary server between you and Xbox Live. The chances of your login information being intercepted are the same as those you take when you log on to using a web browser – meaning, you’re about as secure as the network that you’re connected to.

Your username and password are stored on the phone in encrypted form. Because Android isolates each app to its own user space, this means that access to your (encrypted) login information is about as secure as all the other data on your phone. For stock Android phones, this means that you’re safe unless someone physically possesses your phone.

When you use a pirated version of any Android app, you effectively give up any and all safety guarantees, because whoever removed the Market validation could just as easily have added code to report your login information to any server, anywhere. Even with the protection afforded by tools like ProGuard, Android apps are Java-based and therefore easily decompiled. Adding code to, say, send your Xbox Live username and password anywhere in the world is not very difficult.

To beat the proverbial dead horse: please don’t use pirated versions of this app, even if you received them from a “trustworthy” source. If you have used a pirated version in the past, change your password as soon as possible, because you never know who has your information. The legitimate, safe version of the app is $1.50, which is less than the price of a coffee at Starbucks. Don’t take unnecessary risks – it’s just not worth it.

The original version of Spark (OpenSpark) is open source and available for your perusal, modification, whatever: . Spark 360 is based on an earlier, non-GPL version of its source. If you have any doubts as to the legitimacy of the official Market-published app, feel free to go through the source – the core of the two apps is more or less the same.

To summarize:

  • Please don’t use pirated versions of Spark 360 or Spark Trophies. You never know to whom your account information is being sent.
  • Spark is legally available only on Android Market – nowhere else. Any other site that hosts the app today is doing so without my consent and illegally.
  • If you used a pirated version and then purchased a legitimate version of the app, please change your password as soon as possible. You never know who’s had your password, or for how long.
