
It's just as easy on Firefox OS. Writing a web service is not required! Mozilla provides one for you :)

BTW, both iOS and Android require servers to be available for purchase checks unless, as the app developer, you don't care about piracy (which might be legitimate for the "most people will buy it" argument).

As for JavaScript being easy to patch: is it really easier, though? You can literally copy around APK files or search for them on pirate sites to get paid Android apps for free. There are videos on YouTube for how to patch paid iOS apps with fake certs and DNS hacks.



both iOS and Android require servers to be available for purchase checks

This is only correct for in-app purchases where it is part of the purchase flow. For your regular app purchase no checks need to be made.


Actually - on Android, if you want to 'verify' that your app was not pirated (i.e. the paid-for APK was not just copied from one device to another), you have to call their licensing service: http://developer.android.com/google/play/licensing/index.htm.... Of course, many paid apps choose not to add this additional layer of verification, but it is functionally similar to the Firefox OS solution (except with a web app, you don't even need to copy an APK - you just visit it on the web).


You can't compare JS patching to someone spending hours and hours finding methods for using fake certs and DNS hacks. Sure, the end result may be similar, but to get there requires A LOT less more. Anyone can open up a JS file, find a line of code that does security checking, and return it false. You can show someone that in a YouTube video. What you can't show someone is how to spend hours and hours looking for ways to trick the OS into believing that the packaged application was previously paid for even though it wasn't.


Obfuscated and minified JavaScript with license checking scattered in diverse places will be much, much harder to figure. And it'll vary from app to app, while with Apple devices if you've stolen one you've stolen them all. (I think that's the effect?)


Not when you can easily just hijack the receipt methods. A lot easier than IAT hooking..lol


I'd disagree with the last part. The majority of Android apps do no certificate checks, so it's pretty much as easy as Googling "<paid android app> apk" and clicking the first result. You can even do it on your phone if that's easier.

I think you are correct about opening up JS files though. Are there any good security measures against that?


Doing what you suggest would take "hours and hours" too, as you have to find a way to make the app run your modified JavaScript instead of the one that it retrieves from the server.



