Friday, April 3, 2009

Anti-Piracy Snippet

I don't know who to credit for this, although it uses techniques discussed here. Here is a snippet of code that shows one way to detect pirated copies of your application.

The problem with this snippet, though, is that putting the logic in an Objective-C method with an obvious name makes it pretty easy for hackers to bypass or change the check. Instead, take the same basic logic, make it a C function, and make sure you compile with debug symbols off. Better yet, make it a static inline function and call it from several places. This scatters the exact same logic across several places in your code, making cracking your program much more of a hassle.

You can never make a program that's completely unhackable, but you can make cracking it a bit of a pain for the hackers and perhaps delay it from getting out onto the hacker sites for a little while.



12 comments:

Stuart said...

@Jeff (and all), good point regarding static inline C function. One comment about that snippet is that I would obfuscate the 'SignerIdentity' string also, since it's easy enough to search for that in the binary and replace it with an empty string.
The resulting test would then be for an empty string and therefore return nil, bypassing all the other checks.

Cheers

Jeff LaMarche said...

Good point, Stuart. Thanks!

Jeff LaMarche said...

Another thing to point out is to make sure you don't use this with ad-hoc distribution. I'm pretty sure ad-hoc distributed apps would look like pirated apps to this method. Anyone know for sure?

tehZoe said...

Or obfuscate it by:

- getting the Info.plist as an NSDictionary

- iterate through the dictionary with the Obj-C 2.0 for loop

- hash the key by some trivial hash like taking every other letter starting at the end of the string and working backwards

- compare the hash to your hard-coded hash of the string "SignerIdentity" ("tteIegS") which is stored as an NSData object in a binary plist in the bundle

- if the hash matches, put up a view that says the app is cracked and the iTunes Store link

- if the hash doesn't match, check that the plist containing the NSData object is in the bundle. If it's there, allow the app to run.

Andrew Smith said...

I've tried it on an AdHoc install, and I didn't see any problems.

Mostly Torn said...

While this approach works, it's a known method of detecting pirated copies.

If you peruse the iPhone pirate discussion forums (yes, they do exist and are publicly readable in many cases), you'll see they have a quick way of countering this. They just use a binary editor and change the string you are comparing. Since a pirated copy is detected when the strings match, simply zapping the string into gibberish will ensure the match never occurs.

Even doing some obfuscated comparison of the string is not much of a deterrent. They can still just mangle your obfuscated string to get the same behavior of a mismatch.

I find a better approach is to generate a checksum of your info.plist file after you build your app. Then, store this value in your app (in a non-obvious way) and at runtime verify it matches the on-the-fly calculated checksum of the current info.plist.

Since you aren't doing any string comparisons, there's a less obvious target for the pirate to search for in your app, and they will have to know what checksum algorithm you are using or have some way of getting your app to think the checksums match. That's a bit harder than simply making sure two things don't match - which is what the original approach uses.

I was originally using something similar to the originally proposed snippet in my own app and discovered it was very quickly bypassed by pirates. It'll only hinder the casual pirate trying to just use an automated tool.

And, as was said before, nothing is ever going to be completely pirate-proof. If someone wants to invest the time, they will crack your countermeasures. It's just a question of whether it's worth the pirate's time.
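
The checksum check described in the comment above, written as the static inline C functions the post recommends. This is an added example, not code from the post or from any commenter. FNV-1a, the mask constant and every function name are assumptions chosen for illustration, and `ck_seal` stands in for the post-build step that would emit the stored constant.

```c
#include <stdint.h>
#include <stdio.h>

#define CK_MASK 0x5A17C3E9u /* hypothetical mask: the raw checksum is never stored */
#define CK_SEED 2166136261u /* FNV-1a 32-bit offset basis */

/* Constructed samples: a shipped plist and a copy with a SignerIdentity key added. */
static const unsigned char SAMPLE_PLIST[] =
    "<dict><key>CFBundleIdentifier</key><string>com.example.app</string></dict>";
static const unsigned char SAMPLE_RESIGNED[] =
    "<dict><key>CFBundleIdentifier</key><string>com.example.app</string>"
    "<key>SignerIdentity</key><string>x</string></dict>";

/* FNV-1a, fed incrementally so a file can be hashed in chunks. */
static inline uint32_t ck_update(uint32_t h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Stand-in for the post-build step: the masked value to embed as a constant. */
static inline uint32_t ck_seal(const unsigned char *p, size_t n) {
    return ck_update(CK_SEED, p, n) ^ CK_MASK;
}

/* Runtime check on bytes in memory; static inline so it can be copied per call site. */
static inline int ck_matches(const unsigned char *p, size_t n, uint32_t sealed) {
    return ck_seal(p, n) == sealed;
}

/* Runtime check on the file itself; an unreadable file counts as a mismatch. */
static inline int plist_intact(const char *path, uint32_t sealed) {
    unsigned char buf[4096];
    uint32_t h = CK_SEED;
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        h = ck_update(h, buf, n);
    int ok = !ferror(f) && ((h ^ CK_MASK) == sealed);
    fclose(f);
    return ok;
}

int main(void) {
    uint32_t sealed = ck_seal(SAMPLE_PLIST, sizeof SAMPLE_PLIST - 1);
    printf("shipped:  %d\n", ck_matches(SAMPLE_PLIST, sizeof SAMPLE_PLIST - 1, sealed));
    printf("modified: %d\n", ck_matches(SAMPLE_RESIGNED, sizeof SAMPLE_RESIGNED - 1, sealed));
    return 0;
}
```

In an app, `plist_intact` would be called with the bundle's real Info.plist path from several call sites. As Eli's reply below points out, each of those sites still ends in a single comparison.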

Jesse said...

I'm wondering, what if you just use the file last modification date comparison, to detect the crack?

Eli said...

Mostly Torn:

Even if you use a hash function, you need to have the hash string stored somewhere (as you said already), so you're still just doing a single boolean comparison in the end. That won't necessarily be any better, except for the fact that it's not a common way of doing it.

Robse said...

[[NSBundle mainBundle] infoDictionary] gets replaced by one click hacking tools. The replacement of [[NSBundle mainBundle] infoDictionary] just returns a copy of the original and not the real info.plist. Same for: [[NSBundle mainBundle] pathForResource:].
