Using LGPL library in Paid Android App-ThrowExceptions

Exception or error:

Can I use a LGPL library in my paid android application? I am not going to modify the LGPL lib, I just want to use it. Is it legal?

How to solve:

If you’re making a paid Android app you’ll probably have problems with a specific issue of LGPL: substitutability. Generally, it states that when you distribute a combined work you have to provide a user with possibility to substitute the library with a different version (e.g. newer). Very doubtful in the case of DEX file, as mentioned in previous comments.

An alternative to a single DEX file is to make from a dependent library a separate application, released on LGPL. In such an application you create a service to which you connect from your paid application. Then, to substitute the LGPL library with newer version only recompilation and reinstalling the library’s APK is required.

The hassle is, of course, that now you have more than one APK to install.

###

Using LGPL in an android free or paid app is legal, but to be compliant with the LGPL you have to:

  1. Give the user indication of the library used and where to find the original code;
  2. Configure proguard to not obfuscate the code covered by LGPL;
  3. Avoid any check in your app about signature compliance;
  4. Give to the user indication of how replace the library.

For point 4 you can indicate to use dex2jar, replace the LGPL code and re-sign the APK. It needs a lot of work for the user but it is possible to do it and allow the final user to recombine or relink the code as LGPL says. In addition, if your app uses any google services, the user need to create an account to generate the own api key and so on.

###

I am not a lawyer, but from my understanding of the GNU Lesser General Public License 3.0, section 4 explicity excludes static linking as the requirement states:

You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following:

  • […]
  • d) Do one of the following:

    • 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
    • 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user’s computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version.

(Emphasis mine.)

Section 4d.0 is not possible by the nature of Android APKs: the APK is compiled to Dex and signed as a whole, containing referenced libraries, and hence swapping out libraries cannot be done without the original source code, the keystore and keystore password.

Section 4d.1 may be possible by deploying two APKs:

  • One APK containing the LGPL library and in turn open source and licensed under LGPL
  • Another proprietary APK referencing the LGPL application.

Deploying such an application, however, is not possible directly through Google Play without specifically adding the requirement that the user proceed to download the LGPL dependency, which would need to be deployed as a separate application on Google Play. This would be very tedious for the end user, and realistically isn’t an option for a typical consumer application.

As per the discussion with Prof. Falken in William Tate’s answer, the terms of the LGPL may be more applicable to C libraries included through native code, as they reside inside the APK as a separate library. Although the APK cannot be signed, it is possible to repack the APK with the object file replaced. From my perspective, that technically fits the requirements of the license.

###

The droidText library (used for exporting to PDF format on Android and released under LGPL) has a detailed explanation of how to use their library and still comply with the LGPL:

http://code.google.com/p/droidtext/wiki/LGPLCompliance

I found it very helpful. Basically you use a utililty (dex2jar) to take the jar of the library OUT of the dex file- thus allowing and end user to update with a later version of the droidText library if they want to.

###

I’ve always thought LGPL was very much a ‘grey area’. Although there are specifics on how LGPL code/libraries etc should be used, it doesn’t necessarily reflect the exact requirements of the author(s).

Personally I would recommend contacting the author(s), explaining your concerns and asking if they are happy to allow you to use it.

###

This should outline your main concerns: http://answers.google.com/answers/threadview/id/439136.html

Most of it seems to be disclosing your use of the library and making sure you adhere to the rules of distribution according to the license.

Leave a Reply

Your email address will not be published. Required fields are marked *