Reducing piracy of iPhone applications

4

62

What are accepted methods to reduce iPhone application piracy, which do not violate Apple's evaluation process?

If my application "phones home" to provide the unique device ID on which it runs, what other information would I need to collect (e.g., the Apple ID used to purchase the application) to create a valid registration token that authorizes use of the application? Likewise, what code would I use to access that extra data?

What seem to be the best available technical approaches to this problem, at the present time?

(Please refrain from non-programming answers about how piracy is inevitable, etc. I know piracy is inevitable. I am interested in programming-based answers that discuss how to reduce it. Thanks in advance for your understanding.)

Solemnize answered 10/5, 2009 at 23:30 Comment(11)
I love questions that specify in advance what answer they want to hear. That's how you get the best answers. ;) – Girardi
Just trying to cut off philosophical derails at the start. Technical answers are obviously preferable. – Solemnize
@Alex it's easier to avoid "you can't do that" answers if you don't use terminology like "defeat" instead of "mitigate" – Holoenzyme
That's an uncharitable reading, but I've changed that one word to make it absolutely clear. – Solemnize
I'm fairly certain that Apple does not provide the Apple ID of the people who purchased your application. Other than the country of purchase, I don't think they provide any personally identifiable information at all. In other words, even if you did phone home, I'm not quite sure what you would cross reference against. – Excision
The best way to reduce piracy of your application is to sell it on the App Store. Period. – Colt
If you have a technical answer, please consider clicking on the answer box below. Thanks. – Solemnize
This reads like a self-nullifying question, Alex. You're asking what you need to collect for a token to be valid. Without knowing what you mean by "need" and "valid" the answers are probably going to steer toward the philosophical or "you don't need anything". Keep in mind that you're asking the public how to outsmart the public. – Vadim
See? It's possible to provide an answer to the question without snark and philosophizing! Some of you should try that out, maybe. – Solemnize
I really do not like the way you put your comments - why so aggressively demanding? – Balenciaga
@jalf: Every question specifies what the asker wants to hear, to varying degrees. If it didn't, it wouldn't be a question. Asking to not receive non-programming answers is understandable given the potential for this thread to end up off topic – Aegeus
48

UPDATE

Please visit and read

Thanks to chpwn in the comments.

Code that's way too old! - 11th May 2009

For now there's an easier way to detect if your iPhone application has been cracked for piracy use. This does not require you to check the iPhone unique IDs against a list of accepted IDs.

Currently there are three things crackers do:

  1. Edit the Info.plist file
  2. Decode the Info.plist from binary to UTF-8 or ASCII
  3. Add a key-pair to Info.plist: {SignerIdentity, Apple iPhone OS Application Signing}

The last one is easiest to check with this code:

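```objc
NSBundle *bundle = [NSBundle mainBundle];
NSDictionary *info = [bundle infoDictionary];
// SignerIdentity is not present in App Store builds, so a non-nil value
// suggests that Info.plist has been modified.
if ([info objectForKey:@"SignerIdentity"] != nil)
{
    /* do something */
}
```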

Generally we don't have SignerIdentity in any of the App Store applications we build so checking for nil then performing set instructions should make it more difficult for crackers and pirates.

I can't take credit for this so please visit How to Thwart iPhone IPA Crackers. There's loads of information there about piracy on iPhone and how to curb it.

Tade answered 11/5, 2009 at 1:14 Comment(10)
Thank you for answering the question that I asked. – Solemnize
@David Quick question that no one may have the answer to: If this is such an easy (potentially 5 line) fix, why has it not been implemented more often? Is there a downside you are aware of? The VAST majority of the apps on the app store have been cracked, and are available for download. – Excision
It is very easy for the cracker to check for SignerIdentity literal string, or for infoDictionary selector call. You most likely want to obscure them. The “do something” part is also tricky: you cannot fail right away, as this would alarm the cracker. So you need to fail with a big delay (maybe give them a 30 day trial, and then ask to buy a legitimate copy). See, making this useful is not that simple any more. – Closed
P.S. And do visit the link in the answer, it's awesome. – Closed
Yes, this is a very simple solution for a massive problem, it does have its flaws. SignerIdentity is used to allow iTunes to install the illegitimate copy onto a jailbroken + things I'm not obliged to say iPod/iPhone. For pirates there is a way around this by replacing the info.plist file again when the application is in the device with one that doesn't have a SignerIdentity KV. If you want your checks to be more stringent you may iterate through all infoDictionary's values and check their strings. Remember, as long as people want free things, your application will always be crackable. – Tade
I've found cracked versions of my app with the Info.plist file identical to the one I submitted to the store. This check doesn't work anymore. – Niemann
THIS IS WRONG! THIS IS NO LONGER NEEDED TO PIRATE AN APP! Please instead check the "Crypt ID" of the binary. That key is not needed and no longer included, and is a horrid way of checking. – Sheley
Uhh, did you check the date of when that was submitted? It worked then. No need to get your knickers in a knot. ;) – Tade
@chpwn - If you have a better means of checking, please do write another answer so we can vote it up. Complaining about an existing answer doesn't help if we lack an alternative. – Longs
@Brad Larson: landonf.bikemonkey.org/code/iphone/… – Sheley
5

As pointed out by Andrey Tarantsov in the comments, looking for the "SignerIdentity" string in the binary (using an app like HexEdit) and replacing it is pretty easy.

You could encode that string, but then again all you have to do is change one char of it and the app is not going to look for the "SignerIdentity" key anymore but for some other key that probably doesn't exist (therefore is null). That key being null, the app thinks it isn't cracked (since SignerIdentity should be null if the app isn't cracked).

Instead, I'd rather check the size of the info.plist and compare it to a reference value. I noticed Simulator and Devices builds don't have the same info.plist file size. Same goes for Debug, Release and Distribution builds. Therefore, make sure you set the reference value using the info.plist file size for the Device Distribution Build.

How to look for the filesize at launch:

Amperage answered 25/5, 2009 at 19:39 Comment(0)
0

It looks like saving an MD5 checksum of the plist and checking the CryptID should do well for some time.

Garnishee answered 16/7, 2012 at 8:34 Comment(0)
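The "Crypt ID" check named in the comments and in the answer above, as an added example that is not part of the original thread: it walks a Mach-O image's load commands and returns the `cryptid` field of `LC_ENCRYPTION_INFO`. The function names, the return codes and the 72-byte sample are constructed for illustration; the numeric constants repeat those in Apple's `<mach-o/loader.h>` so the code builds off-device.

```c
#include <stdint.h>
#include <string.h>

/* Constants as in Apple's <mach-o/loader.h>, repeated so this builds off-device. */
#define MH_MAGIC_32           0xfeedfaceu
#define MH_MAGIC_64           0xfeedfacfu
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu
enum { CRYPT_NOT_FOUND = -1, CRYPT_MALFORMED = -2 };   /* hypothetical codes */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Returns cryptid (1 = still store-encrypted, 0 = decrypted) of a thin,
   host-endian Mach-O image, or a negative code. All offsets are bounds-checked
   because a tampered header is exactly the input this check will meet. */
int macho_cryptid(const uint8_t *img, size_t len)
{
    if (len < 28) return CRYPT_MALFORMED;
    uint32_t magic = rd32(img), ncmds = rd32(img + 16);
    /* sizeof(struct mach_header) is 28, sizeof(struct mach_header_64) is 32 */
    size_t off = magic == MH_MAGIC_32 ? 28 : magic == MH_MAGIC_64 ? 32 : 0;
    if (off == 0 || len < off) return CRYPT_MALFORMED;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (len - off < 8) return CRYPT_MALFORMED;
        uint32_t cmd = rd32(img + off), cmdsize = rd32(img + off + 4);
        if (cmdsize < 8 || cmdsize > len - off) return CRYPT_MALFORMED;
        if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64)
            /* layout: cmd, cmdsize, cryptoff, cryptsize, cryptid */
            return cmdsize >= 20 ? (int)rd32(img + off + 16) : CRYPT_MALFORMED;
        off += cmdsize;
    }
    return CRYPT_NOT_FOUND;
}

/* Constructed 72-byte sample (not a real binary): 32-bit header, a 24-byte
   LC_UUID command, then LC_ENCRYPTION_INFO carrying the given cryptid. */
size_t build_sample(uint8_t buf[72], uint32_t cryptid)
{
    memset(buf, 0, 72);
    wr32(buf, MH_MAGIC_32);
    wr32(buf + 16, 2);      wr32(buf + 20, 44);         /* ncmds, sizeofcmds */
    wr32(buf + 28, 0x1bu);  wr32(buf + 32, 24);         /* LC_UUID, cmdsize */
    wr32(buf + 52, LC_ENCRYPTION_INFO); wr32(buf + 56, 20);
    wr32(buf + 60, 0x1000); wr32(buf + 64, 0x2000);     /* cryptoff, cryptsize */
    wr32(buf + 68, cryptid);
    return 72;
}
```

On a device the image pointer would come from `_dyld_get_image_header(0)` in `<mach-o/dyld.h>`. Development and ad hoc builds are not store-encrypted, so they also report 0.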
-1

Check iTunesMetadata.plist for the date of purchase as sometimes, when an app is cracked, that date is changed to something outrageous.

Also check to see if the purchaser name field exists. In my experience with cracking apps for personal use, that is usually removed. If anyone knows how the anti dump protection of Temple Run works, you could use that in conjunction with some protection that poedCrackMod can't get (google poedCrackMod create hackulo.us account, go to dev center look for poedCrackMod, install it on iDevice).

Clutch, which will not crack things with Temple Run-like protection, has a feature called OverDrive intended to silence an app's crack detection. poedCrackMod has LamestPatch, which isn't as good. Also poedCrackMod is an open source bash script that can be reverse engineered. To recap, you have an app that has copy protection that can't be circumvented with clutch / overdrive but can be cracked with poedCrackMod. However poedCrackMod can't circumvent the app's in app piracy checks. It is hard to manually patch integrity checks in the app's executable. So your app is hard to crack.

Meier answered 27/6, 2012 at 16:4 Comment(0)
