Continue helping (try to get paid) and tell them about the exploit. Even if it's their project your name will still be on their lips when someone else figures it out. Also... being able to sleep at night is nice.
I hadn't considered the effect on my reputation at all.
So, forward simulating (and embedding my sentiments as a measure of my ease of sleeping):
Case {they implement it and nobody learns of the exploit}: I'm remembered as the one who stood up to help reduce friction to new apps being listed. They keep me as a positive point of contact for future design changes. I feel good about baleeting bad software design. Reputation improves, presumably.
Case {I don't tell them about it, they implement it, and somebody turns the conceptual exploit into a real tool after deployment}: The company loses, consumers win (yarr). The company (and every company they swap stories with) decides never to deal with me, if they decide to pin it on me as intentional. I feel good about baleeting bad software design as well as demonstrating the counterproductiveness of DRM (albeit in a contrived way). Reputation declines, conditionally.
Case {I do tell them, they continue anyway in the name of reduced friction}: They take a calculated risk and own the result. Yay for improved design, but hard to forward simulate any more. Reputation unchanged-ish, regardless of whether the concept is exploited or not.
Case {I do tell them, and they decide to quit the project and keep their old solution}: They feel less receptive to future requests in the name of reduced integration friction ("ya know, it might have a flaw!"). I don't list my apps with them, and I hope that others don't either. Reputation unchanged. The concept of third-party-android-marketplace's reputation (and indirectly Android's)? Decreased relative to potential.
By this non-exhaustive, in-the-reply-box analysis, it sounds like I should tell them, but somehow do it in a way that doesn't talk them out of it. Best option so far, but somewhat hard to enact.
Update: I gave them a high-level overview of the conceptual exploit and even sketched a high-level technical solution for the problem (one that I admitted probably only pushes the difficulty up a few more notches, expected with DRM). I guess I'll play the next move by ear.
Btw, I'm not a professional software consultant.