Reverse Engineering Android License Verification Bypass

How We Reverse Engineered Google Play License Verification (LVL) and Bypassed It – A Real Case Study

A few weeks ago, we were contacted by a client who suspected that their premium Android app was being pirated despite implementing Google Play’s License Verification Library (LVL). The client noticed an increasing number of users accessing premium features without purchasing a license and wanted us to investigate how this was happening.

The client’s biggest concern was that they had followed Google’s official guidelines and integrated LVL properly, yet hackers were still bypassing the system. They needed our expertise in reverse engineering and mobile security to analyze:

  • How their LVL implementation was being bypassed.
  • What security weaknesses allowed attackers to exploit it.
  • How they could strengthen the license verification process to prevent piracy.

What we found during our penetration test confirmed their worst fears: LVL was being bypassed using multiple techniques, making it ineffective as a standalone protection method. This article provides a real-world breakdown of how hackers bypass Google Play License Verification and how developers can protect their apps from exploitation.

Understanding Google Play License Verification (LVL)

Google Play’s License Verification Library (LVL) is a widely used system that allows developers to verify whether a user has legitimately purchased an application. When an app is installed through Google Play, it can check the user’s license status via an internet request.

Here’s how LVL typically works:

1️⃣ The application sends a request to Google Play’s licensing server, including the user’s Google account ID and app package name.
2️⃣ Google’s server verifies whether the user has purchased or legally obtained the app.
3️⃣ The server responds with a LICENSED, NOT_LICENSED, or ERROR message.
4️⃣ Based on the response, the app either grants access or blocks the user.

At first glance, this system appears to provide strong protection against piracy. However, because the app itself receives the response and decides whether to grant access, the enforcement happens on the client side and is inherently vulnerable to reverse engineering and manipulation. Hackers can intercept, modify, or completely bypass these checks, making LVL ineffective as a standalone security measure.

How Hackers Bypass Google Play License Verification (Real Methods We Analyzed)

During our research and testing, we identified the four most common methods used to bypass LVL security. These techniques are actively used by hackers to crack premium Android apps and remove licensing restrictions.

Android License Verification Bypass Steps:

1️⃣ Hooking and Manipulating LVL Responses with Frida

🛠 Tools Used: Frida, Objection

One of the most effective ways to bypass Google Play LVL is by using Frida, a dynamic instrumentation tool that allows attackers to inject code and modify app behavior at runtime. Instead of modifying the actual APK, Frida allows attackers to hook into live processes and override key functions, making it one of the most powerful methods available.

💡 How this technique works:

  • The attacker runs the target application on a rooted device or emulator and attaches Frida to it.
  • Frida hooks into the LicenseChecker API and intercepts the function responsible for checking the license status.
  • Instead of contacting Google Play’s servers, the function is manipulated to always return LICENSED, regardless of the user’s actual purchase status.
  • As a result, the app believes the user is legitimately licensed, even if they never purchased the app.

📌 Prevention Tip: To protect against Frida-based attacks, developers should implement Frida detection techniques, such as checking for unexpected process modifications, hooking attempts, and debugging tools. Anti-tampering mechanisms should also be used to make live memory manipulation more difficult.
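
One way to implement the detection described in this tip, as an added example that is not code from the original article or the client's app. The class name and the library-name substrings are assumptions; the substrings match default, unrenamed Frida builds only.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Added example: heuristic runtime checks for injected instrumentation and attached debuggers. */
public final class RuntimeTamperCheck {
    // Substrings of library names mapped by default Frida builds (assumption: not renamed).
    private static final String[] SUSPICIOUS_LIBS = {"frida-agent", "frida-gadget"};

    /** Returns findings; an empty list means nothing was detected, not that the process is clean. */
    public static List<String> scan() {
        List<String> findings = new ArrayList<>();
        // /proc/self/maps lists every file mapped into this process, including injected libraries.
        for (String line : readLines("/proc/self/maps")) {
            for (String lib : SUSPICIOUS_LIBS) {
                if (line.contains(lib)) findings.add("mapped library: " + line.trim());
            }
        }
        // A non-zero TracerPid means another process is ptrace-attached (debugger or injector).
        for (String line : readLines("/proc/self/status")) {
            if (line.startsWith("TracerPid:")) {
                String pid = line.substring("TracerPid:".length()).trim();
                if (!"0".equals(pid)) findings.add("traced by pid " + pid);
            }
        }
        return findings;
    }

    private static List<String> readLines(String path) {
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            for (String l; (l = r.readLine()) != null; ) lines.add(l);
        } catch (IOException e) {
            // Unreadable proc files yield no data; callers should not treat that as safe.
        }
        return lines;
    }
}
```

These checks run inside the process being instrumented, so treat a finding as a signal to report to your backend rather than as the only gate on premium features.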


2️⃣ Smali Code Injection – Hardcoding a License Bypass

🛠 Tools Used: JADX, Smali/Baksmali

A more permanent method of bypassing LVL is through Smali code injection. Instead of modifying the app at runtime, attackers decompile the APK, modify the license verification logic directly in the Smali code, and then recompile the app.

💡 How this technique works:

  • The hacker decompiles the APK file using JADX or Apktool to extract the app’s Smali code.
  • The attacker locates the LicenseChecker and LicenseValidator functions inside the decompiled code.
  • They modify the logic to always return LICENSED, effectively bypassing the LVL check.
  • The modified app is then recompiled and signed, allowing it to be installed on any device.

📌 Prevention Tip: To defend against Smali modification, developers should use code obfuscation techniques like ProGuard, R8, or DexGuard to make it difficult to locate important functions. Additionally, integrity checks should be implemented to detect if an APK has been modified.
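
The integrity check recommended in this tip can be built on the APK's signing certificate, because a recompiled APK has to be re-signed with a key other than the developer's. The following is an added example, not code from the original article; the class and method names are assumptions, and the expected digest is supplied by the caller.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: detects a re-signed (repackaged) APK via its signing certificate. API 28+. */
public final class ApkIntegrity {

    /** Hex SHA-256 of the certificate currently signing the installed APK, or null on failure. */
    public static String currentSignerSha256(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo signing = info.signingInfo;
            // This check expects a single release signer; anything else fails.
            if (signing == null || signing.hasMultipleSigners()) return null;
            Signature[] history = signing.getSigningCertificateHistory();
            if (history == null || history.length == 0) return null;
            // The history is ordered by key rotation; the last entry is the current signer.
            byte[] cert = history[history.length - 1].toByteArray();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert);
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** expectedSha256Hex: digest of your release certificate (assumption: supplied by caller). */
    public static boolean isReleaseSigned(Context ctx, String expectedSha256Hex) {
        String actual = currentSignerSha256(ctx);
        return actual != null && actual.equalsIgnoreCase(expectedSha256Hex);
    }
}
```

Because this check ships inside the APK, it can be patched out like the license check itself; reporting `currentSignerSha256` to your server and comparing it there is the stronger variant.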


3️⃣ Patching the APK with Lucky Patcher

🛠 Tools Used: Lucky Patcher

Lucky Patcher is a well-known piracy tool that allows users to modify apps, remove license verification, and bypass premium features. It works by patching the app’s binary files to disable license checks.

💡 How this technique works:

  • The user installs Lucky Patcher and grants it root access.
  • Lucky Patcher scans the target app and detects the LVL-related functions.
  • It patches the app to remove or override the license verification mechanism.
  • The user installs the modified APK, gaining full access to premium features without ever purchasing the app.

📌 Prevention Tip: To protect against Lucky Patcher, developers should implement server-side license validation instead of relying solely on client-side checks. This ensures that license verification is handled securely and cannot be modified by patching tools.


How We Successfully Bypassed the LVL System in Our Client’s App

To demonstrate the security risks to our client, we performed a real-world penetration test using the following steps:

  • Decompiled the APK using JADX and located the license verification code.
  • Used Frida to hook into the app’s runtime and override the license response.
  • Manually patched the APK using Smali code injection.
  • Tested the bypass methods and confirmed that LVL was completely ineffective.

As a result, we proved to our client that Google Play LVL alone is not a sufficient security measure and recommended advanced protection techniques to harden their app against piracy.


How to Protect Your App from LVL Bypass

If you’re a developer looking to protect your app from license cracking, here are some best practices:

  • ✔ Move license verification to your server – Avoid client-side-only validation.
  • ✔ Use strong code obfuscation – ProGuard, R8, and DexGuard make static analysis harder.
  • ✔ Implement runtime integrity checks – Detect modified APKs and unauthorized debugging.
  • ✔ Monitor API abuse – Log and analyze suspicious license verification requests.
  • ✔ Detect Frida and hooking attempts – Prevent hackers from injecting malicious code at runtime.
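
The server-side validation recommended in the Lucky Patcher prevention tip and in the first item of this list can look like the following. This is an added example, not code from the original article or from Google's LVL. It assumes the app forwards the signed response data and signature it receives from Google Play unmodified, and that the nonce in the license request was issued by your server; the class and parameter names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Added example (server side): decides entitlement from a Google-signed LVL response. */
public final class ServerLicenseCheck {
    private static final int LICENSED = 0x0;          // LVL response codes
    private static final int LICENSED_OLD_KEY = 0x2;

    private final PublicKey licensingKey;
    private final String expectedPackage;

    /** base64Key: the app's Base64-encoded licensing public key from the Play Console. */
    public ServerLicenseCheck(String base64Key, String expectedPackage)
            throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(base64Key);
        this.licensingKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        this.expectedPackage = expectedPackage;
    }

    /** issuedNonce is the value this server generated for the session (assumption). */
    public boolean isLicensed(String signedData, String signatureB64, int issuedNonce) {
        try {
            // 1. Authenticity: the response must carry Google's signature for this app.
            Signature sig = Signature.getInstance("SHA1withRSA");
            sig.initVerify(licensingKey);
            sig.update(signedData.getBytes(StandardCharsets.UTF_8));
            if (!sig.verify(Base64.getDecoder().decode(signatureB64))) return false;

            // 2. Layout: responseCode|nonce|packageName|versionCode|userId|timestamp[:extras]
            int colon = signedData.indexOf(':');
            String main = colon < 0 ? signedData : signedData.substring(0, colon);
            String[] f = main.split("\\|");
            if (f.length < 6) return false;

            // 3. Freshness and binding: reject replayed responses and other apps' responses.
            if (Integer.parseInt(f[1]) != issuedNonce) return false;
            if (!expectedPackage.equals(f[2])) return false;
            int code = Integer.parseInt(f[0]);
            return code == LICENSED || code == LICENSED_OLD_KEY;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed Base64, numbers or signature: fail closed
        }
    }
}
```

Premium content or API access should be served only after `isLicensed` returns true, so that a patched client has nothing left to unlock locally.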

Final Thoughts – Need Professional Reverse Engineering & Security Analysis?

Our analysis confirmed that Google Play LVL is vulnerable to multiple attack methods. If you’re a developer or business owner concerned about app security and piracy, we can help you analyze, secure, and harden your Android applications.

📩 Contact us today for professional security audits and reverse engineering services!

📧 Email: [email protected]
🌐 Website: https://reverseengineer.net/

🔒 We help businesses protect their apps against reverse engineering and piracy. Let’s secure your software together! 🚀
