FYI - When I put out the latest update to Palettes recently I updated my crack checking code to simply launch Safari sending the user to a special page on my website pointing out the benefits of trying my Lite version instead of stealing my paid version.
I just checked my web logs and sure enough I have a few hits to the page. The page has no links to it except from the app.
I perform three separate checks to determine if my app is hacked so if one is worked around the others will still work. The three different tests are well documented on the web.
This tells me something interesting that came up earlier in this thread. Someone cracked my app and posted it for others without testing it first. Idiots they are. My app doesn't show a single screen. Immediately upon launch it exits by launching Safari.
Now I can't know whether a good hacker eliminated these checks and put out a cracked copy that works fine. But I do know that some hacker(s) didn't use their tiny little brain at all and put out a version that can't be used.
BTW, how do you determine if a file is binary or not... I wasn't able to find any API on that one.
Thanks!
I also garble my signerIdentity string check... It would be nothing for a hacker to place in a check for the string (I won't post what he could do with it afterward... don't want to give them any clue).
I'm wondering if it would be OK to overwrite your application file with 0's if you detect that it's a cracked version.
Checking if the Info.plist file is text or binary is easy enough. If it's text, you will find the usual "<?xml" at the beginning. If it's binary you won't.
Do a Simulator debug build and a device debug build of your app. Now look at the Info.plist file in each corresponding build directory. It will be obvious. The Sim has a text Info.plist and the device has a binary Info.plist.
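The text-versus-binary test described in the post above, written out as an added example (it is not code posted by anyone in this thread). The function names are hypothetical, and the `bplist` magic at the start of binary property lists is a detail the post does not mention.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { PLIST_UNKNOWN = 0, PLIST_XML, PLIST_BINARY } plist_kind;

/* Classify a buffer holding the first bytes of a property list. */
plist_kind classify_plist(const unsigned char *buf, size_t len)
{
    static const unsigned char bom[] = { 0xEF, 0xBB, 0xBF };
    size_t i = 0;

    /* Binary property lists start with the ASCII magic "bplist". */
    if (len >= 6 && memcmp(buf, "bplist", 6) == 0)
        return PLIST_BINARY;

    /* A text plist may carry a UTF-8 byte order mark or leading whitespace. */
    if (len >= 3 && memcmp(buf, bom, 3) == 0)
        i = 3;
    while (i < len && (buf[i] == ' ' || buf[i] == '\t' ||
                       buf[i] == '\r' || buf[i] == '\n'))
        i++;
    if (len - i >= 5 && memcmp(buf + i, "<?xml", 5) == 0)
        return PLIST_XML;
    return PLIST_UNKNOWN;   /* truncated, empty or some other format */
}

/* Read the head of a file and classify it; PLIST_UNKNOWN on I/O error. */
plist_kind classify_plist_file(const char *path)
{
    unsigned char head[64];
    FILE *f = fopen(path, "rb");
    if (!f) return PLIST_UNKNOWN;
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    return classify_plist(head, n);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "unknown", "xml (text)", "binary" };
    if (argc < 2) { fprintf(stderr, "usage: %s Info.plist\n", argv[0]); return 2; }
    printf("%s: %s\n", argv[1], names[classify_plist_file(argv[1])]);
    return 0;
}
```

Treating "unknown" as its own result keeps an unreadable or truncated file from being mistaken for either format.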
I could be wrong, but my understanding of the current state of affairs WRT iPhone application cracking is that the hackers are taking the easy and obvious route of short-circuiting the code signing authentication with the info.plist modification, and thus haven't the need to examine binaries -- yet. And, until the hackers realize that their current approach is ineffective, there may never come a time when they're peeking into our binaries.
If we can assume that more and more developers will start implementing an info.plist check as a counter, the hackers will find that their efforts to crack our applications are failing. Do we know that the hackers have no choice but to start peeking the binaries? Should we developers be thinking one step ahead of the hackers and now be implementing countermeasures against this?
I'm actually quite curious about this. Perhaps this can be opened up as a new topic of discussion.
Thus the reason why I didn't use a full @"SignerIdentity"
If they start looking for that string they are going to have a hard time of how I build it and where I use it.
Yeah, that's a good approach, but there are several other issues and techniques that I'm pondering. I think these are worth discussing, but not in a public forum like this.
Many of these students would then go on to use them in their professional lives, purchasing legitimate licenses for business use and introducing the software to others until the programs became ubiquitous.
Just as a heads up, I'm pretty sure when an app is compiled all the fancy stuff in the code you try to do to hide/obfuscate "SignerIdentity" is tidied up by the compiler and in the compiled version will still be "SignerIdentity".
Certainly that's what I'd expect the compiler to do but I've not looked myself so I'm not 100%, but I'm pretty sure trying to hide that won't help.
not when the construction of the string is created by different methods
Exactly. There are a nearly infinite number of ways to camouflage the creation of the @"SignerIdentity" string. Store it reversed (@"ytitnedIrengiS"), store it character by character and assemble the string with multiple methods, apply a bit manipulation (e.g. XOR with 0xFF) to each character in the string, etc.
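The XOR variant mentioned in the post above, as an added example that is not code from any poster in this thread. The names `kEncodedKey`, `kMask`, `decode_key`, `key_matches` and `contains_bytes` are hypothetical, and the encoded bytes were constructed for this example; the `volatile` mask is one assumption-level way to address the concern raised earlier that the compiler might fold the construction back into a plain constant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: "SignerIdentity" with each byte XORed with 0xFF. */
static const unsigned char kEncodedKey[] = {
    0xAC, 0x96, 0x98, 0x91, 0x9A, 0x8D, 0xB6,
    0x9B, 0x9A, 0x91, 0x8B, 0x96, 0x8B, 0x86
};

/* Read through a volatile object so the optimizer cannot fold the decode
   back into a plain string constant at compile time. */
static volatile unsigned char kMask = 0xFF;

/* Decode into out; returns the key length, or 0 if out is too small. */
size_t decode_key(char *out, size_t outlen)
{
    size_t n = sizeof kEncodedKey;
    if (outlen < n + 1) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(kEncodedKey[i] ^ kMask);
    out[n] = '\0';
    return n;
}

/* Compare a dictionary key against the hidden name, then wipe the plaintext. */
int key_matches(const char *candidate)
{
    char buf[sizeof kEncodedKey + 1];
    int same = decode_key(buf, sizeof buf) && strcmp(buf, candidate) == 0;
    volatile char *p = buf;
    for (size_t i = 0; i < sizeof buf; i++) p[i] = 0;
    return same;
}

/* Byte search over a blob, to confirm the literal is not stored as-is. */
int contains_bytes(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

int main(void)
{
    /* In an app the candidate would come from the plist keys, not a literal. */
    printf("matches: %d, stored in clear: %d\n", key_matches("SignerIdentity"),
           contains_bytes(kEncodedKey, sizeof kEncodedKey, "SignerIdentity"));
    return 0;
}
```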
Or what you could do, to make it impossible or painful to find out where the checking code is....
#define INIT_STRING @"SignerIdentity"
And then when you create a new string anywhere (should be a lot in your average program), even though it's overhead, always assign it your #define.
NSString *aString = INIT_STRING; ///do this for all of your temp strings
Then also use the above method of functional creation of the real string.
I'm sure the average hacker will give up placing the command in your code trying to find the right place to overlook your check for a jail broken app.
which would compile to leave a clean string. I'm about ready to release my app so very interested in this stuff and would like to be as sure as I can be that my app won't be cracked (I'm still amazed Apple seemed to have dropped the ball with this, but then who knows what 3.0 will be bringing)
My method of choice is to display an alert.. much like "illegal copy detected" then just gobble up all the memory and display a "reporting piracy to apple" with a progress view... so it freezes the phone while "reporting piracy".
of course there is no call to report piracy.. it's just a deterrent.
Guaranteed app uninstall within minutes after they reboot their phone (because it froze)
"Should we developers be thinking one step ahead of the hacker"
XDD
You guys are quite naïve if you believe you're steps ahead of the hackers. For crying out loud - hackers managed to reverse engineer a major corporation's tightly sealed prize phone in a matter of days, with their "tiny little brains." You guys are nucking futs if you think anything you do will stop hackers from getting around your protection.
This is not your responsibility, it's Apple's - if Apple had done a *good* job at using their crappy DRM on iPhone apps, it wouldn't be an issue. Hackers never managed to crack FairPlay on Apple music files, I think it's ridiculous that Apple hasn't even responded to the situation.
But damn you all if you think you're smarter than the hackers, there's probably tons of those same hackers here - who are probably a ton smarter and a ton wiser than the vast majority of us. Just because you're pissed at them for cracking your app - which might make you lose a whole 20 or 30 sales, (that's not even a dinner with your family folks) doesn't mean that you bashing them will help any. And it certainly doesn't mean they're not smart. =P
The problem here is not to block the pro, it is to block the noob who uses generic software that cracks any program automatically. The noob drops our programs into such software and ends up with a cracked version of it. If everyone takes his/her own measures, they will have to crack programs by hand, one by one... no automatic solution for all. This is the point. Better to have a car with an alarm than without. I bet your car has an alarm... or do you think that it is worthless as the pro will steal it anyway?
I do fully agree, it is really an Apple issue, and their lack of response will come back to bite them. But that doesn't mean nothing should be done by us.
In the same way that I take security steps where I can to protect my property (alarm on car, lock the house when I leave, don't walk around handing out my bank details to total strangers, etc, etc).
As to hackers though being amazingly clever ... certainly not my experience, I'd say 1-2% of hackers are gifted, and the rest copy, fudge, bodge, and sit around in dark rooms thinking they are in the film "Hackers". Don't get me wrong, those 1-2% are hella-gifted (oh I made a new word) but that still doesn't mean they can't be stopped, the clever ones are sensible enough to give up on a bad job and move onto the next, newest, coolest thing
The problem here is not to block the pro, it is to block the noob who uses generic software that cracks any program automatically.
Exactly. I don't see the hackers who "managed to reverse engineer a major corporation's tightly sealed prize phone" setting their sights on my lowly app when I put up some roadblocks. Just not worth the effort.
Based on the number of rebuttals to your post, I think it's obvious who's "naive", but since you quoted me in that post, I'll add my 2 cents.
Read the thread. Then read it again. No one here is suggesting that we will develop the next be-all, end-all App Store DRM solution.
We recognize and acknowledge that the Apple DRM has been defeated and we understand how it is currently being done. Some of us are proposing additional tactics that can be employed at the application level to detect that the running app is cracked and, if so, throwing up some additional road blocks. Forgive us for thinking outside of the box.
If you think it's pointless to make the effort to preserve "20 or 30 sales", then leave your apps under normal Apple DRM control and watch those sales disappear. When you eventually learn what your actual loss to piracy is, you might have a second thought.
This is the 3rd or 4th time I've said this, but apps are not being cracked on a one-by-one basis by an actual cracker disassembling the binary, they're being run through a process which strips the DRM by script kiddies.
Also, FairPlay has been circumvented by several programs. FYI.
Well submitting my app with some basic protection (if there is a closed forum where we can discuss this properly I'd love to join), and after some pondering I've decided the pirate gets the full thing, working, but it never saves any high scores, they get to see the game, try it out. I may change that so they can only play it on easy as well, but I don't want them to just delete it straight off, I'd like to see if I can convert them to even just a few extra sales.
I'm wondering if when 3.0 goes live there will be some improvement by Apple, but I'm not holding my breath it'll last for more than a week or two
Yeah I did not put any crack countermeasures in my app, and just tonight (after 5 days on the app store) I see it on a few crack sites. Initially I was furious. I read through all these posts. Am I right to say that a user can only use these cracked versions if their phone is jail broken?
Have the methods here been deemed reliable? Yes I know if someone wants to open up your app they can, I'd just like to block script kiddies from running it through a generic cracking app. I'd hate to use some crack detection code that does not work correctly and damages a legitimate user's phone.
Can anyone PM me with a reliable way of adding some basic protection? Or is there some private forum we can discuss this in?